Pharma Cyber Security
By Shirley O’Sullivan
The level of cyber threat faced by businesses today is attributable to both the increased sophistication of hackers and the increased use of digital. A recent survey revealed that over half of the pharma companies questioned had suffered from serious data breaches, while one in four had been the victims of hacking. Understanding the types of data that hackers deem as valuable is a perpetual challenge but one that must be undertaken to understand pharma cyber security.
The pharmaceutical industry is a prime target for hackers/cybercriminals, who may look to steal:
- Intellectual property: IP is a major part of the pharmaceutical sector and intellectual property theft can potentially ruin a pharmaceutical company. The IP relating to drug formulation is a global business worth over $75bn.
- Research & Development, & New Products: If hackers access data concerning research & development into new drugs/medicines, this may result in damage to reputation as well as reduced profitability: It may give the perpetrators the opportunity to make a competing product using the same information.
- Trial Data & Participant Info: Trial data can be valuable in the wrong hands. It can show which drugs will be effective and profitable. If personal data is accessed illegally, it can result in loss of trust and potentially mean trials must end abruptly.
- High-Level Company Information: Emails from top-level executives may contain information about financial performance/revenue projections or even discussions over mergers/takeovers. This information can be used to purchase or sell shares in the relevant companies at the most opportune times – allowing money to be made on the financial markets.
- Details of Technologies, Processes, and Expertise: The target may sometimes be the biotechnology, business practices or manufacturing process and supply chain details/costs.
What are the Consequences of a Breach?
Biopharmaceutical firms have become a target for such attacks, as evidenced by recent breaches at Nuance, Heritage Valley Health System, and Merck. When a pharma company suffers a data breach, it can potentially be costly in several ways. The obvious two are reputational damage and lost revenue (caused by delayed product launch or the need to restart trials). In addition, there may be legal action (from individuals or other companies in the supply chain) and potential fines from regulators such as the ICO.
Key Focus Areas for Effective Pharma Cyber Security
- Understanding the risk in relation to your specific organisation and its critical business operations. Pharma cyber security threats have become more complex meaning that organisations must first understand what data they have that hackers may deem valuable; their own level of acceptable risk; and the key areas for investment in terms of their cyber security;
- Integrate your strategy across the organisation including personnel, technical security, information services and physical security. An effective pharma cyber security strategy will encompass the organisation’s IT personnel, infrastructure, security protocols and procedures. It will also mandate the ability for the organisation to make ‘smart’ interventions on an ad-hoc basis when required to enhance overall cyber security;
- Establish Identity & Access Management. Policy – your strategy governing who is authorised to access systems, data or functionality, how they can request access, when their access should be revoked and whether any particular operations should require multiple users to collaborate. Another important feature is Privileged user management and the additional processes and controls you should put in place to safeguard the most sensitive operations in the system. The architectural design of your IdAM solution is also important because it needs to support stable operations whilst enabling the supporting processes and technologies that enable investigation of breaches of policy or controls;
- Establish Protective Monitoring. Protective monitoring gives a coherent view of all cyber-related activity across an organisation and helps to create and foster a positive culture that deters counter-productive behaviour. This process also helps businesses address the threat that can be posed by ‘insiders’ who may perpetrate or facilitate a cyber-attack.
- Plan on the basis that some attacks will breach your defences. Hackers are increasingly sophisticated so organisations should accept that some may be successful and should plan for this eventuality. It is important to make sure that that they have the skills and resources in place to quickly identify, isolate and react to attacks. They should then be able to determine the level of investigation and counter-measures required, whilst enabling business as usual to continue. Whilst doing this and increasing overall resilience, there should be no detrimental effects on the core business.
Ways to reduce exposure to Cyber-Attacks
- Ensure that your firm has effective governance, risk, and compliance processes.
- Make use of internet gateways and boundary firewalls – establish perimeter defences for your network including web proxy, content checking, and web filtering. Ensure that you have firewall policies that can firstly detect and secondly block executable downloads and prevent access to malicious domains.
- Patch management – use a patch management protocol to deal with the threat of sophisticated attacks that make use of known/newly discovered vulnerabilities in software.
- Password policy – ensure that your organisation has an appropriate password policy that is secure and can be followed easily.
- Cloud Security – Assess the security provisions for your cloud applications and ensure that your cloud networks and connections are secure. Also ensure that you manage your security terms in the cloud service agreement, and that the security requirements in any exit process are well understood.
- Malware protection – establish and maintain enough effective malware protection protocols that can detect/respond to identified attack code.
- Secure configuration – this involves set security measures when building and installing new computers or other network devices to reduce vulnerabilities. By restricting the functionality of some devices, security risks can be minimised.
- Whitelisting/execution control – ensure that unknown software is not able to run or install by itself, including disabling Auto Run on external drives (CDs or USBs).
- User access control – limiting users’ execution permissions can prevent malware from being introduced to the network.
Does Your Organisation Need Top Cyber Security Consultants?
We are a team of experts with extensive knowledge and experience of helping organisations improve business performance. Our highly qualified consultancy team can deliver cyber security capability at all levels of your organisation and are on hand to help ensure your projects deliver solutions that are appropriately aligned to your cyber security risk position, and meet technical, business and ethics due diligence requirements. Schedule a call above to learn more about how we can help.