IBM’s 2023 Cost of a Data Breach report put the average cost of a healthcare breach at $10.93m, the highest of any sector for the 13th year running, with pharmaceuticals not far behind at $4.82m.
Some of those breaches have passed into boardroom legend, none more so than Merck & Co, which put its losses from the 2017 NotPetya attack at $1.4bn and suffered costly disruption to production of its Gardasil HPV vaccine. But there are many, many more pharmaceutical cyber security breaches that incurred staggering costs, leaked intellectual property, disclosed patient data and put businesses in breach of compliance rules.
In this post we’ll cover:
- the vulnerabilities peculiar to the pharmaceutical life sciences and healthcare sector and why attacks are so serious and costly
- the readiness, or otherwise, of the sector
- the kinds of specialised cyber security solutions you must look for if you want to ensure your business is properly protected
If you want a topline takeaway, it’s this: you need to act to ensure you are implementing robust pharmaceutical cyber security measures and the gold standard is a security operations centre (SOC).
Furthermore, the complexity of your sector, the costly implications of a breach and regulatory considerations mean you must work with a provider with expertise in pharmaceuticals, life sciences and healthcare.
What’s at risk? The pharmaceuticals cyber security threat
For criminals, data is the new gold. Breaching virtually any industry is potentially lucrative.
For instance, confidential bank details can be sold on the open market and essential data held to ransom. However, there are a number of factors that make breaches in pharmaceuticals and life sciences particularly damaging – and an attractive prospect to thieves.
Intellectual property loss
The theft of intellectual property, such as drug formulations, research data and proprietary technologies, is a major concern. State-sponsored groups and competitors target this information for financial gain or competitive advantage. In 2022, CBS News reported research attributing the theft of trillions of dollars’ worth of intellectual property from about 30 multinational companies, including pharmaceutical firms, to Chinese state-backed hackers.
Reputational risk and shareholder value
Sensitive data related to patient information is often targeted in breaches. Unauthorised access to this information can lead to reputational damage, legal consequences and financial losses as shareholders lose faith.
We’re entering the world of ransomware here, where criminals demand multi-million payments to restore data, or to refrain from publishing it. In 2023, the Money Message ransomware group claimed to have exfiltrated 4.7 terabytes of data from PharMerica and its parent company BrightSpring Health Services.
The compromised data featured details about two million people. It included names, addresses, dates of birth, Social Security numbers, and health insurance and medical information.
Compliance breaches
Pharmaceutical companies are responsible for protecting vast quantities of highly sensitive, confidential data and must comply with data protection laws and other stringent legislative health standards (more on this later).
If your business is failing to protect your data, you may be breaking laws across several territories.
Catastrophic losses
Value at risk (VaR), the loss a business is exposed to in a bad scenario, is traditionally much higher in life sciences and pharmaceutical companies than in other industries: years of research, trial data and regulatory approval are concentrated in a handful of assets. When things go wrong, and breaches sit at the ‘very wrong’ end of the scale, the cost can be astronomical.
How criminals are breaching pharmaceutical and life sciences companies
As with any other sector, poor life sciences and pharmaceuticals cyber security is going to create vulnerabilities.
If you are not doing the following, you are open to attack: regularly monitoring logs and system activity; encrypting data at rest and in transit and storing it safely; enforcing multi-factor authentication and appropriate log-in security; installing and promptly patching reputable software; and training users. (See this overview from the UK government for a broad introduction to responsibilities.)
However, there are also particular vulnerabilities that threaten the life sciences and pharmaceutical sectors:
Third-party risk
Increasingly, pharmaceutical companies are working with external organisations in important areas such as research and development, manufacturing (i.e. CDMOs/CMOs), supply chains, trials and more.
This increases your exposure to attack because these organisations often have access to parts of your systems and data, so a compromise of a supplier can become a compromise of you. Third-party risk is an ever-present problem. To use the cliché, it takes only one weak link in the chain…
Regulatory requirements
Ironically, the many regulatory requirements in the pharmaceuticals and life science industries – which are designed to mandate best practice – can inhibit cyber security efforts.
Rigid standard operating procedures (SOPs), and the validation effort required before a change can be made, mean organisations react to change very slowly. In a world as fast-moving and slippery as cyber crime, organisations simply aren’t proving agile enough to shore up their defences against new threats.
Insecure supply chains
The internet of things (IoT) revolution has seen barcodes and RFID tags interacting with remote sensors and systems, giving real-time accounts of supply chain activity. Great for efficiency; not always optimal for security.
Vulnerabilities in unpatched devices can compromise the integrity of supply chains, disrupt distribution processes or even give bad actors a foothold in your systems.
User errors and phishing attacks
Human error (or plain naivety) isn’t peculiar to pharmaceuticals or life sciences, but it’s worth singling out. By one widely cited estimate, 88% of data breach incidents are caused by employee mistakes. With the vast workforces of international pharmaceutical organisations and the tendency to work with more and more third-party suppliers, the ‘opportunity for error’ is vast.
Hierarchical issues
A common problem we’ve seen is a cultural one. In many fast-emerging economies, strict hierarchical cultural norms mean that employees on the ground have minimal or no agency to improve cyber security practices. Rules come ‘from the top’ and employees further down the chain are discouraged from challenging failing practices and making a difference.
Underinvestment
This is a more general point about vulnerability, but a key one. In our experience, the majority of cyber breaches are a direct result of underinvestment. The outlay for properly protecting businesses in this sector is minimal, even trivial, in comparison to the greater impact and loss of dealing with a breach.
Are companies ready for these pharmaceuticals cyber security threats?
Here’s a fairly typical story from a forum about cyber security in healthcare. The user posted a litany of vulnerabilities. ‘LOTS of shadow IT, LOTS of red tape, LOTS of legacy equipment that is super insecure… you’ll never know everything that’s on the network if you’re in a sprawling healthcare system with satellite clinics and labs… you’re a consumer of a thousand tech products half of which you don’t know exist.’
Is this an isolated incident? Not according to a report from IBM that suggested pharmaceutical and biotech companies suffer more breaches than any other industry. The stakes for companies, and rewards for criminals, are high.
We’ll add a few anonymised cases we’ve dealt with personally or heard about in the pharmaceuticals and life sciences sectors, to illustrate the point. Note that any cases related to Intersys came from clients who had not previously employed our cyber security services.
When we encounter cases similar to the below, our standard response is to limit any ongoing breach and mitigate damage already done, as well as to help collect and secure the evidence for later further investigation.
- A mail protection system implemented during a security audit revealed 1000 emails sent from a single account in a short timeframe, a strong indication that the account had been compromised.
- A TeamViewer file transfer was found open on a PC, with evidence that sensitive data had been extracted.
- CCTV systems were infiltrated and sensitive data stolen.
- A client’s systems were completely exposed to the internet.
- A malware-infected laptop provided a pivot point for bad actors to move into other systems.
- A ‘whaling attack’ compromised a CEO’s mailbox containing thousands of emails, including messages with sensitive commercial information.
Note, all of the above would have been avoided by adopting fit-for-purpose cyber security.
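The first case above, a burst of around 1000 messages from one account, is exactly the kind of event a simple outbound-volume check in a mail log pipeline or SOC catches. The following is an added example written for this post; it is not Intersys’s product nor code from the original page. The log line format, the addresses, the threshold of 50 messages in any 10-minute window and the sample log lines themselves are all constructed assumptions.

```python
"""
Sliding-window detection of accounts sending an abnormal volume of outbound mail.

Added illustration, not Intersys code. Assumptions: one log line per message in the
form "<ISO timestamp> sender=<addr> rcpt=<addr> status=<sent|deferred|bounced>";
a burst is more than MAX_MSGS accepted messages from one sender within WINDOW.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_MSGS = 50                    # assumed threshold: more than this in one window is a burst
WINDOW = timedelta(minutes=10)   # assumed window length


def parse_line(line):
    """Parse one assumed-format log line into (timestamp, sender, recipient, status)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts_str), kv["sender"], kv.get("rcpt"), kv.get("status")


def find_bursty_senders(lines, max_msgs=MAX_MSGS, window=WINDOW):
    """Return {sender: alert} for every sender exceeding max_msgs in any window.

    Only messages actually accepted for delivery (status=sent) count, and events
    are sorted first so out-of-order log lines do not break the window logic.
    """
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, sender, rcpt, status = parse_line(line)
        if status == "sent":
            events.append((ts, sender, rcpt))
    events.sort()

    recent = defaultdict(deque)   # sender -> (timestamp, recipient) pairs inside the window
    alerts = {}
    for ts, sender, rcpt in events:
        q = recent[sender]
        q.append((ts, rcpt))
        while ts - q[0][0] > window:       # drop events that have aged out of the window
            q.popleft()
        if len(q) > max_msgs and sender not in alerts:
            alerts[sender] = {
                "first_exceeded": ts,
                "messages_in_window": len(q),
                # many distinct recipients is the second tell-tale of a hijacked mailbox
                "unique_recipients": len({r for _, r in q}),
            }
    return alerts


def build_sample_log():
    """Constructed sample traffic: one normal user, one account that bursts 120 messages in 6 minutes."""
    base = datetime(2023, 6, 1, 9, 0, 0)
    lines = []
    for i in range(4):   # alice: four messages spread over an hour, normal behaviour
        t = (base + timedelta(minutes=15 * i)).isoformat()
        lines.append(f"{t} sender=alice@example.com rcpt=bob{i}@partner.com status=sent")
    for i in range(120):  # finance: one message every 3 seconds to 120 different recipients
        t = (base + timedelta(seconds=3 * i)).isoformat()
        lines.append(f"{t} sender=finance@example.com rcpt=target{i}@victim.net status=sent")
    # a deferred message must not count towards anyone's burst
    t = (base + timedelta(minutes=1)).isoformat()
    lines.append(f"{t} sender=carol@example.com rcpt=x@y.example status=deferred")
    return lines


if __name__ == "__main__":
    for sender, alert in find_bursty_senders(build_sample_log()).items():
        print(f"ALERT {sender}: {alert['messages_in_window']} messages to "
              f"{alert['unique_recipients']} recipients by {alert['first_exceeded']}")
```

In practice the same check runs continuously over the live mail transport log, with the threshold tuned per organisation (a marketing mailbox legitimately sends bursts; a finance mailbox does not), and an alert should trigger an immediate credential reset and session revocation for the account rather than just a ticket.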
So far, so bad. The solution, of course, is robust cyber security. But what exactly does that look like?
The specialist security operations centre solution
A security operations centre (SOC) is the gold standard in cyber security. This centralised facility employs cyber security engineers and automated technologies to monitor, detect and respond to cyber security incidents and threats. It brings a unified and proactive approach to cyber security – offering the highest level of protection.
However, it can be incredibly difficult and costly for regulated industries to bring the right specialist talent in-house and build the IT infrastructure required. Some may be caught in a ‘halfway house’, trying to do their best in-house while not reaching the cyber security maturity demanded by their sector.
Working with a partner can be a quick route to that maturity. An SOC-as-a-service subscription model gives you experienced engineers and up-to-date technologies ready to go, and it will cost less than building an SOC in-house.
For many, it’s likely to be the most robust and compliant option but with one important caveat:
Your provider must have specialist knowledge of the pharmaceuticals and life sciences sector.
As we’ve pointed out, your industry has specific pressing vulnerabilities and criminals actively trying to exploit them. For example, it’s crucial your supplier understands EU GMP Annex 11 on computerised systems, which applies in both the EU and the UK, and its US counterpart, FDA 21 CFR Part 11 on electronic records and electronic signatures; both lay down important rules about the integrity of data held in computerised systems, including healthcare software and data. For the US market, your partner must also have a detailed understanding of the Health Insurance Portability and Accountability Act (HIPAA).
Also, they must understand the intrinsic vulnerabilities of public and multi-cloud environments and act accordingly. At Intersys our SOC as a service for pharmaceuticals cyber security clients includes providing pharma-specific data rooms, a product that provides the highest level of secure storage and management of the most sensitive files.
In conclusion
Life sciences and pharmaceuticals cyber security is high stakes and notoriously complicated. Where you don’t have the talent or infrastructure in-house – or the ability to develop cyber maturity rapidly and plug gaps – a security operations centre can be a robust, compliant and cost-effective option.
If you ensure your provider has a successful track record working with highly regulated industries such as yours, you can secure the highest level of protection possible.
Intersys is an ISO 27001-certified cyber security provider. We provide comprehensive SOC as a service to over a dozen clients in highly regulated industries such as life sciences, pharmaceuticals and biopharma, as well as further cyber security services to many more clients in these sectors. Find out more about our SOC as a service plans here.