Open package of oral birth control pills.
Credit – Bryancalabro, CC SA 3.0.
Not that long ago, most pharmaceutical companies were probably more concerned about the physical security of their labs and offices than digital security. Now, as the industry, like so many others, has become increasingly digitised, the threat of cybercrime has risen.
Cyberattacks targeting healthcare organisations increased 74 percent from 2021 to 2022. It’s hardly coincidental that such attacks occurred at a peak in global COVID-19 vaccination programmes. The money being pumped into the development, refining, and rollout of vaccines made the pharma companies a natural target for cybercriminals, particularly those making use of ransomware.
As digital technologies continue to grow in importance for the sector, it will likely face new and increasingly potent cybersecurity threats. As such, it’s critical that players in the sector do everything they can to bolster their cybersecurity efforts, says Mark Clark, VP Sales EMEA North, Onapsis.
IoT, invisible attacks, and costly breaches
According to Clark: “People outside the pharmaceutical and cybersecurity industries may be surprised to learn how rapidly attack incidents have grown, but they should also be aware that the variety of those attacks has grown too. While massive incidents such as the 2017 malware attack on Merck grab all the headlines, smaller attacks that don’t hold much media attention are far more common.”
As such, Clark finds: “The knock-on effects of these attacks are multiple, and expensive, as the pharma industry is home to both sensitive data and expensive technology. It is also highly regulated by the Food and Drug Administration with severe penalties for non-compliance. A 2020 report found that the average cost of a breach exceeds US$5 million, and threats take an average of 257 days to be detected and contained. That’s to say nothing of the setbacks to the development of potentially life-saving medicines.”
Clark sees these tendencies as accelerating: “And as the industry continues to embrace digitisation and innovate, especially around Internet of Things (IoT) technologies, the available avenues for attacks will keep growing too. Remember, many IoT devices aren’t designed with security in mind. While things have improved since cybercriminals leveraged IoT devices to take down large portions of the web in 2016, they remain a potentially serious point of vulnerability.”
A growing need for cybersecurity investment
Against that backdrop, it’s critical that pharmaceutical companies and organisations make the requisite investments in cybersecurity, Clark observes.
He states: “An incident-response approach simply will not cut it either. Companies need to have a proactive, top-down approach to protection, putting in place protections for all business-critical applications. Additionally, with the amount of data stored in the cloud increasing, and the need to share information and collaborate across departments and indeed care providers and universities, it is critical that companies manage identity and permissions to effectively protect sensitive data.”
There will be a learning curve, notes Clark: “Of course, organisations in the sector can’t be expected to build up the expertise necessary to implement those things themselves. Their focus is, and should always be, on the business of drug development.”
In terms of addressing the challenges, Clark recommends: “Instead, they should look to use cybersecurity providers with deep sector expertise, particularly when it comes to protecting business-critical applications. These applications impact everything from R&D and supply chain to manufacturing and finance. That vendor should also have a strong track record when it comes to research, with its team able to proactively identify the latest threats and how to nullify them. The vendor should additionally be open about sharing research with customers, ensuring that their own cybersecurity teams are able to deal with any new threats, identify any gaps across the attack surface and shore up any vulnerabilities.”
In addition, says Clark: “The cybersecurity vendor should be able to help shore up an organisation’s response to a successful breach, ensuring business continuity. The better an organisation is able to respond to a successful attack, the lower the damage and fallout will be.”
Adapting cybersecurity to a changing industry
In terms of the future, more change will be needed: “As the pharmaceutical industry continues on its path of rapid digitisation (one which comes with significant rewards, including faster breakthroughs and increased efficiency), cybersecurity will only become more important.”
Clark concludes: “As such, organisations in the sector must invest in cybersecurity, fortify critical applications, and manage data permissions. In doing so, especially in concert with the right vendors, pharmaceutical organisations can safeguard their assets and effectively mitigate the impacts of cybercrime in an increasingly digital landscape.”