Cyber Security Challenges in the Pharma Industry
Posted 19th February 2018 by Jane Williams
In general, the pharma industry has not been cutting-edge in terms of maturity in information security practices. Security practices have improved in the last few years: as a result of the increasingly harsh environment and global incidents such as WannaCry or Petya, good security practices are being implemented more effectively and with stronger support from boards. However, apart from the big corporations, where big investments have been made, the health sector is behind the banking industry and critical infrastructure providers, which obviously have a different risk profile.
Here are some comments that may help you understand the challenges we face and what lies ahead, and determine what you should do in terms of cyber security and how many resources to devote to it.
Most security vendors overwhelm us with market trends, forecasts and outlooks on what is to come, painting an increasingly aggressive environment. It is perhaps easier to look at your own figures and monitor the attacks on your web environment and network. How many alerts do you receive from your detection and prevention technologies? How do they evolve over time? Look at how often you are forced to patch, and how often software vendors release urgent patches.
Mergers & Acquisitions
The pharma industry, with periodic ups and downs, has always been active in terms of mergers and acquisitions. These operations often involve a large amount of strictly confidential data. This interests attackers because they know they can make substantial sums of money overnight, or steal the information and sell it on the dark net. Protecting this information is a challenge. The liabilities a company could face if it were found that due care was not in place are too high to simply accept the risk.
There is a period during which molecules are not yet protected by a patent. How does an organisation manage that information? What level of protection is applied to information that could determine the company's strategy for the coming 15 or 20 years?
Relatedly, the various phases of research and development (particularly clinical trials) produce information that also drives the strategic investment decisions companies make: which therapeutic areas to invest in, or which molecules should be dropped from further development. Companies don't normally do this by themselves, which is where clinical research organisations (CROs) come into play. For risk practitioners, this is a matter of third-party assurance and security controls at third parties. In addition, data leakage prevention in our industry may not follow the practices applied in industries where pattern matching is more easily implemented (credit card numbers in emails, for instance): a clinical result or a candidate molecule has no fixed format to match on. This is something to take into consideration when trying to mitigate data leakage risks.
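To make the data leakage point concrete, here is an added example (my own illustration, not code from the original post or from Almirall) that puts the two DLP approaches side by side: a checksum-validated card-number pattern, which is precise because payment data has a fixed format, and a document-fingerprint match for pharma content that has none. The confidential document, the "compound X" wording, the figures in it and the outbound messages are all constructed for the example; the threshold and the 5-word shingle size are assumptions you would tune against your own mail flow.

```python
"""Two DLP detectors side by side: a Luhn-validated card-number pattern
(cheap and precise for payment data) and a document-fingerprint match for
pharma content that has no fixed pattern. Sample document and messages are
constructed for this example; nothing here is real data or a real product."""
import hashlib
import re

SHINGLE_WORDS = 5          # word n-gram length used for fingerprinting (assumed)
MATCH_THRESHOLD = 0.3      # fraction of message shingles that must hit a protected doc (assumed)

# Candidate PANs: 13-19 digits, optionally separated by spaces or dashes.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, which every real card number satisfies; it filters out
    most 16-digit batch or sample identifiers that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Pattern-based DLP: regex candidate, then checksum to cut false positives."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def _words(text: str) -> list[str]:
    return re.findall(r"[a-z0-9]+", text.lower())


def shingle_hashes(text: str, k: int = SHINGLE_WORDS) -> set[str]:
    """Hash every k-word window. Storing only hashes lets a DLP gateway hold a
    fingerprint of a confidential document without holding its text."""
    words = _words(text)
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
        for i in range(len(words) - k + 1)
    }


def fingerprint_match(message: str, protected: set[str]) -> float:
    """Fraction of the message's shingles that come from a protected document."""
    hashes = shingle_hashes(message)
    if not hashes:
        return 0.0
    return len(hashes & protected) / len(hashes)


def inspect(message: str, protected: set[str]) -> dict:
    """Run both detectors and decide; the decision is the union of their findings."""
    cards = find_card_numbers(message)
    score = fingerprint_match(message, protected)
    reasons = []
    if cards:
        reasons.append("card number present")
    if score >= MATCH_THRESHOLD:
        reasons.append(f"matches protected document ({score:.0%} of shingles)")
    return {"card_numbers": cards, "fingerprint_match": round(score, 2),
            "action": "block" if reasons else "allow", "reasons": reasons}


# Constructed confidential document (hypothetical compound, invented figures).
CONFIDENTIAL_DOC = (
    "Interim analysis of the phase II study for compound X shows a 23 percent "
    "response rate in the treatment arm versus 11 percent on placebo. The steering "
    "committee recommends stopping development in the dermatology indication and "
    "reallocating budget to the respiratory programme in the next planning cycle."
)
PROTECTED = shingle_hashes(CONFIDENTIAL_DOC)

# Constructed outbound messages.
MESSAGES = {
    "leak": "FYI before the call: the steering committee recommends stopping development "
            "in the dermatology indication and reallocating budget to the respiratory "
            "programme. Call me.",
    "benign": "Hi all, Thursday's meeting moves to 10:00 in room 4. Agenda attached.",
    "card": "Please book the hotel on the corporate card 4111 1111 1111 1111, expiry 12/29.",
}

if __name__ == "__main__":
    for name, msg in MESSAGES.items():
        print(name, inspect(msg, PROTECTED))
```

The card detector needs no knowledge of your data: a format plus a checksum is enough. The fingerprint detector only works if someone has first classified the document and registered it, which is the organisational work (information classification, CRO contracts covering what may be shared) that the paragraph above is really about; paraphrased leaks, screenshots and exports to a spreadsheet fall straight through a shingle match, so treat it as one layer, not a control.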
Internet of Things
The proliferation of devices collecting health data, sending it to wherever proper processing capabilities are available (in most cases the cloud), and exploiting it with the proper tools (big data) introduces new risk components to take care of. Let us not forget that this is information about health, and depending on where you operate, privacy will fortunately become an increasing point of attention in the coming months thanks to the new privacy regulations.
Making "security by design" and "privacy by design" a reality won't be easy, and the growing Internet of Things (IoT) is multiplying the ways data is collected, where and how it is stored, how it is transmitted and where it is processed. If traditional IT environments already implied relevant risks, the IoT increases them by extending the uncertainty about the controls along the whole chain, from where the data is generated or created to where it ends up.
An industry which has not been fighting cyber-threats as much as others cannot claim to have security in its DNA. People remain a challenge. Keep your personnel awareness plans up to date so that you minimise the chances that an employee puts the company at risk through a careless click, or by giving away his or her credentials on a fake login page.
Managing the benefits and challenges brought about by new technologies like blockchain will again be on the agenda. Blockchain is trying to find its way into the industry, looking for the right use cases where it can add value beyond the well-established bitcoin application. Once this becomes solid, there will be challenges to manage that today lie in a blurred zone.
Finally, orchestrating everything is a matter of governance. Having a security programme and a security operations process in place is a necessity. This requires an operating model, roles and responsibilities, contracts, third-party integration, service monitoring, escalation, communication, and maturing the role that information security should play in the organisation. The whole system must be consistent across all its governance enablers and work smoothly with the rest of the IT organisation. This is a major challenge in all companies, no matter their size.
Ramón Serres is Head of Information Security, Risk Management and Quality at Almirall in Spain. He presented at last year’s Global Cyber Security in Healthcare & Pharma Summit on information security strategy executions.
The agenda for CybSec and Blockchain Health is now available to download. Take a look now.
5 Responses to “Cyber Security Challenges in the Pharma Industry”
I think in addressing the general environment a lot more attention needs to be spent on understanding whether the existing controls are working as planned. It's more than just vulnerabilities: it's exposed identity, physical access and the lifecycle processes around these that need to be included. The total attack surface needs to be understood.
Thank you for your comment. What do you think needs to be done to understand the total attack surface?
To put it simply... You need to implement a "multi-layered defense mechanism".
Apologies for the late entry. I speak to my clients about what I call the “Will to Protect”. Ask one question: “Would you be willing to interdict an anomalous activity at the risk of interrupting a business service?” If the answer is “No”, then the “Will to Protect” is not where it needs to be in today’s digital world. Those organizations that have this will, have not been breached. They do exist. They are big corporations. And, they are under constant attack from all vectors.
Thanks for your great feedback. I've been seeing this issue for the last 10 years. I'm totally convinced that having an information risk management approach helps by understanding what the critical information is for the organisation (via an information classification) and how it is protected (from a technical and organisational point of view). The investment in people, process and technology should be aligned with the company strategy and risk appetite.