Pharma cybersecurity challenges: a holistic prescription

The pharmaceutical sector remains a prime target for cyberattacks. As an industry built on innovation, with extensive investments in research and development (R&D), intellectual property (IP) and patient information, it bridges the divide between business and healthcare, becoming a hotspot in the health data threat landscape

According to a study conducted by Deloitte, the pharmaceutical industry is frequently the number one target of cybercriminals around the world as more and more companies move toward increased digitisation and store valuable data online.1

Jack Garnsey, Product Manager, VIPRE SafeSend and Security Awareness Training, explains how the increasing sophistication of cyberattacks has hit the pharmaceutical industry hard in recent years and outlines some essential steps to take to strengthen cybersecurity defence.

The value of pharma data

Pharmaceutical companies are especially attractive to criminals because the data they hold is incredibly valuable.

The information collected by pharmaceutical companies, including proprietary information about drugs, data related to pharmaceutical advances and technologies, as well as patient information, are all sensitive, which means that losing control of that data can have catastrophic consequences.

Additionally, the industry holds strict privacy guidelines regarding the safeguarding of protected health information (PHI), which highlights the need for an effective cybersecurity strategy.

The effect of such breaches goes beyond the direct damage from lost data, it also affects the company valuation and erodes both patient and consumer trust, resulting in regulatory fines and overall operational disruption.

Individuals need to have trust in a pharmaceutical industry to secure their health data; so, when these attacks happen, reputation is one of the main aspects that can become tarnished.

Multinational pharmaceutical company Merck and Co. fell victim to a ransomware attack in 2017 that ultimately crippled 30,000 end-user devices and 7500 servers.2,3

The malware event cost $1 billion in damages, lost sales and resources to recover from the incident. More crucially, the breach crippled Merck’s production facilities for the leading vaccine against human papillomavirus.

The impact of a data breach such as this can be catastrophic; but, the causes of damage in so many differing and complex ways mean that the actual value is almost incalculable.

Increased risk following COVID-19

COVID-19 has created a surge of urgency to enhance cybersecurity posture within all industries — HMRC found scams increased by 337% between March and May 2020 — and the situation is no different for pharmaceutical firms.4

It has never been more important to have the right security measures in place as cybercriminals seek to interfere with, and take advantage of, the research and development of COVID-19 medicine and vaccinations.

Additionally, with pharma companies facing increasing pressures from the likes of the previous US President and accelerated demand to create a COVID-19 vaccine, staff are working faster, harder and longer hours than ever before.

In turn, this can have an effect on their cyber awareness as it falls to the bottom of their priority lists. Distractions and working under pressure can be key contributing factors to mistakes being made that lead to security incidents, such as accidental data leakage for example.

In July last year, the Certified Information Systems Auditor (CISA), the National Security Agency (NSA) and cybersecurity authorities across the United Kingdom and Canada issued a joint warning, accusing Russian intelligence services of targeting COVID-19 research and vaccine development facilities with cyberattacks.5

Any significant delay caused by these cyberthreats and hackers could endanger the lives of millions of people, as well as impact the investment that goes into making the medicines.

A holistic cybersecurity approach

Within the 2020 Cost of a Data Breach Report, the authors found that healthcare and pharmaceuticals experienced an average total cost of a data breach that was significantly higher than less regulated industries such as hospitality, media and research.6

With electronic prescriptions and digital records becoming the norm, it is key to have a comprehensive cybersecurity strategy in place to safeguard those digital assets.

A combination of technology, workforce education and security culture provides a layered defence system to protect pharma organisations from cyberattacks.

Sensitive internal documents that include valuable intellectual property are communicated via email, and tools such as VIPRE’s SafeSend will help to make sure that the recipient is correct, as well as highlighting if the information is appropriate to share with the correct encryption levels.

This email solution can help users to determine the appropriate course of action when sending sensitive information, providing them with a necessary double-check alert.

Implementing a holistic cybersecurity approach can help to reveal potential risks before they can be exploited, all while keeping up to date with the latest cybersecurity threats and continuously re-evaluating the company’s cybersecurity protocols to ensure they are meeting the workforce’s needs effectively.

Securing the pharmacy threat with the workforce

Cybercriminals deploy a wide range of tactics to target the pharma industry and the overall supply chain.

As hackers target valuable data and intellectual property, if this data was to end up in the wrong hands, it would be both an advantage for competitive organisations and an opportunity for the data thief to leverage a ransom for these sensitive resources.

Pharma organisations need to understand what they can do to protect the company’s digital assets, how to avoid staff falling for a phishing attack or an email scam that could expose confidential information, and the best practice to follow within the modern threat landscape.

However, improperly trained employees are a challenge faced by many companies, both inside and outside the pharmaceutical industry.

Security awareness training programmes can offer simulated examples during which pharma companies can review their response to threats, identify where improvements can be made and formulate strategies to address any shortcomings.

This can be used to strengthen current protocols in place and highlight any vulnerabilities. Building a strong security culture within teams and maintaining awareness of cyberthreats will help staff to become more knowledgeable of the risks they pose in their day-to-day job and the unique responsibilities they hold regarding data protection.

Cyberattacks are a never-ending threat and, with pharma organisations being in the spotlight now more than ever before, they must take action to mitigate any risks, both internally and externally.

With the right strategy in place, including a combination of technology, education and awareness, pharmaceutical organisations can implement the right steps to safeguard their information and maintain data privacy.

References

  1. www2.deloitte.com/content/dam/Deloitte/uk/Documents/life-sciences-health-care/deloitte-uk-lshc-cyber-risk-ma.pdf.
  2. https://blogs.sciencemag.org/pipeline/archives/2019/12/13/merck-and-its-ransomware-problems-in-court.
  3. www.bloomberg.com/news/features/2019-12-03/merck-cyberattack-s-1-3-billion-question-was-it-an-act-of-war.
  4. www.ftadviser.com/companies/2020/08/18/hmrc-investigates-10-000-covid-scams.
  5. www.meritalk.com/articles/cisas-corman-warns-covid-vaccine-hacks-could-endanger-millions.
  6. www.capita.com/sites/g/files/nginej146/files/2020-08/Ponemon-Global-Cost-of-Data-Breach-Study-2020.pdf.

Companies