Cyber Security Challenges in the Pharma Industry
Posted 19th February 2018 by Jane Williams
In general, the pharma industry has not been cutting-edge in terms of maturity in information security practices. Security practices have improved in the last few years: as a result of the increasingly harsh environment and global incidents such as WannaCry or Petya, good security practices are being implemented more effectively and with stronger support from the boards. However, apart from the big corporations where big investments have been made, the health sector lags behind the banking industry and critical infrastructure service providers, which obviously have a different risk profile.
Here are some comments that may help you understand the challenges we face and what lies ahead, and to decide what you should do in terms of cyber security and how many resources you devote to it.
Most security vendors overwhelm us with market trends, forecasts and outlooks on what is to come, painting an increasingly aggressive environment. It is perhaps easier to look at your own figures and monitor the attacks on your web environment and network. How many alerts do you receive from your detection and prevention technologies? How do they evolve over time? Look at the frequency with which you are forced to patch and the frequency with which software vendors release urgent patches.
Mergers & Acquisitions
The pharma industry, with periodic ups and downs, has always been active in terms of mergers and acquisitions. These operations often involve a large amount of strictly confidential data. This interests attackers because they know they can obtain substantial sums of money overnight, or they can steal and sell the information on the dark net. Protecting this information is a challenge. The liabilities a company could face if it were found that due care was not in place are too high to simply accept the risk.
There is a point in time where molecules are not protected by a patent yet. How does an organisation manage that information? What protection level is applied to the information that could determine the company’s strategy in the coming 15 or 20 years?
Related to this, the various phases of research and development (particularly clinical trials) produce information that also determines the strategic business decisions companies make regarding investment. This is the information that drives decisions on which therapeutic areas to invest in, or which molecules should be dropped from further development. Companies don’t normally do this entirely by themselves, which is where clinical research organisations come into play. For risk practitioners, this is about third-party assurance and security controls on third parties. In addition, data leakage prevention in our industry may not follow the same practices applied in other industries, where looking for patterns is more easily implemented (for example, credit card patterns in emails); research data rarely has such a recognisable signature. This is something to take into consideration when trying to mitigate data leakage risks.
Internet of Things
The proliferation of devices collecting health data, sending it to wherever proper processing capabilities are available (in most cases the Cloud), and exploiting it with the proper tools (big data), introduces new risk components to take care of. Let us not forget that this is information about health and, depending on where you operate, privacy will fortunately be an increasing point of attention in the coming months thanks to the new privacy regulations.
Making “security by design” and “privacy by design” a reality won’t be easy, and the growing internet of things (IoT) is extending the possibilities of how data is collected, where and how it is stored, how it is transmitted and where it is processed. If the traditional IT environments already implied relevant risks, the IoT is increasing these risks by extending the uncertainty we have on the controls all along the chain, from where the data is generated or created, up to where it ends up.
An industry that has not been fighting cyber-threats as much as others cannot claim to have security in its DNA. People remain a challenge. You would do well to keep up with your personnel awareness plans so that you minimise the chances that an employee puts the company at risk through a careless click or by giving away his or her credentials on a fake login page.
Managing the benefits and challenges brought about by new technologies like blockchain will again be on the agenda. Blockchain is trying to find its way into the industry, looking for the right use cases where it can add value beyond the well-established bitcoin technology. Once it matures, there will be challenges to manage that today still sit in a grey area.
Finally, orchestrating everything is a matter of governance. Having a security program in place, and a security operations process in place is a necessity. This requires an operating model, roles and responsibilities, contracts, third-party integration, service monitoring, escalation, communication and maturing the role that information security should play in the organisation. The whole system must be consistent in all its governance enablers, and work smoothly with the rest of the IT organisation. This is a major challenge in all companies, no matter their size.
Ramón Serres is Head of Information Security, Risk Management and Quality at Almirall in Spain. He presented at last year’s Global Cyber Security in Healthcare & Pharma Summit on information security strategy executions.