Pharmaceuticals and life sciences organisations have some unique challenges when it comes to cyber security. Not only are they faced with some of the strictest regulations, their high-value intellectual property (IP) makes them a highly desirable target for theft. A 2020 IBM report (registration required) found that pharmaceutical and biotechnology companies received more cyber attacks than any other industry. Furthermore, the industry saw a 50% increase in attacks between 2019 and 2020.
Why life sciences industries are particularly vulnerable to cyber crime
The reasons why these industries are so attractive to hackers are numerous. One of the most obvious is the fact that they may contain patient records for potentially millions of people. Most of these records are now stored digitally. Even a single patient’s full medical record can sell for over $1000 on the black market – far more than their credit card details or other personal data.
Second, more and more organisations are relying on smart devices and wearables that give information on their patients’ health and lifestyle. As these are less well protected than phones and computers, they are more vulnerable to cyber attack.
Also, life sciences industries have embraced digital innovations such as cloud computing and automation. These technologies can increase productivity and enable more efficient collaboration and research. However, if not handled carefully, these moves carry risks. For example, there is evidence that over half of cyber breaches happen during the move to the cloud.
Finally, pharmaceutical companies spend millions on research and development; access to that intellectual property – from drug formulations to test results — may provide enormous financial gain to a hacker, or a commercial advantage to a competitor.
IP espionage
Because pharmaceutical companies’ IP is so valuable, it’s not just private individuals who want to access it. There is a growing awareness that cyber attackers are not just small groups of “bad guys” intent on accessing personal data to sell on the dark web, but also organised state-sponsored cyber espionage outfits. While this may sound alarmist or like something out of a cold-war spy film, it’s all too real. For example, in may 2020 the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) announced that cyber attackers affiliated with the People’s Republic of China were actively attempting to access intellectual property related to vaccines, testing and other treatments for Covid-19. This was echoed in the UK by the National Cyber Security Centre (NCSC) which warned that all organisations, including healthcare bodies, pharmaceutical companies, and academia, should take more robust measures to protect their data from password spraying and other attacks.
More recently, with the escalating tensions between the Russian Federation and the West, the NCSC has advised organisations to bolster their cyber resilience. Although there are not currently – as of writing – any specific known threats, the NCSC has expressed concerns about the potential for Russia to target critical infrastructure, such as healthcare.
Among the many recommendations they suggest (which can be read in full here), they recommend that the fundamentals of cyber security are in place at the very least. These include things such as:
- Checking system patching
- Ensuring system defences are working
- Reviewing and testing backups
- Having an up-to-date incident response plan
What this means for pharma and life sciences industries
With valuable IP to protect from theft, as well as confidential patient data, the pharma and life sciences industries already have high-level IT cyber-security needs. Add to that the stringent regulatory requirements required — e.g. those required by the Medicines and Healthcare Products Regulatory Agency (MHRA) — and it’s clear that any industry in this sector needs a comprehensive cyber-security strategy. Most small and medium-sized life sciences companies, and even many large ones, do not have the level of expertise required to anticipate and defend against cyber attacks in-house. While outsourcing to a Security Operations Centre (SOC) is often an efficient, cost-effective strategy, it’s important to ensure that a SOC is au fait with the specific regulatory compliance (e.g. Annex 11 data integrity) required of the industry.
The right IT, whether provided in-house or externally, should provide the following:
A dedicated cyber security executive
A dedicated cyber security executive can provide proactive security, ensuring that new technologies are adequately protected from the get-go. In addition, a cyber security executive will help develop a cyber-security breach-response plan and a disaster recovery plan.
Cyber security prevention and detections services
An inclusive prevention and detection service should ensure that you have expert system monitoring and intrusion protection, on-premises malware and anti-virus, cloud access monitoring, and user education and awareness. It should also include regular reviews and penetration testing to look for potential gaps in your security.
Risk management and business continuity planning
A robust risk management framework will ensure that key risks are recognised and understood. For example, organisations in the life sciences sector frequently need to exchange confidential information with partners and third-party vendors. While this aids research and development, it can open the door for an attack on your IP. Supply chains in the sector are generally global; if just one supplier has poor cyber security, it introduces a weak link into the supply chain. Add in the proliferation of own devices and networks brought into play by the pandemic, and the risk landscape is broader and deeper than ever.
Identifying the risks allows organisations to plan for disruptions to the supply chain, as well as plan for worse-case-scenarios such as it network or data breaches.
Regulatory compliance
The MRHA has stringent expectations for data integrity across organisations involved in any aspect of the pharmaceutical lifecycle. These guidelines are complemented by any other applicable regulations, as well as the general guidance specific to each gxp. This includes factors such as understanding the potential risks to data integrity, data access and data transfer and migration.
Data recovery plan
The final piece of the puzzle is having a data recovery plan in place. This means having a dedicated person responsible for ensuring that regular data back-ups are taking place and testing them. Untested backups are little better than no backup.
These guidelines are by no means comprehensive. Contact us for a more in-depth discussion on how to ensure you have the best fully-compliant cyber security. Intersys are cyber-security experts with substantial experience in the life sciences/pharma sector. We are very familiar with MHRA regulations, and our Director of Enterprise Risk Managament Catherine Geyman is a supply-chain risk-analysis expert and consultant to many biopharma firms.