Life sciences' fight for cybersecurity

Staying one step ahead of the criminals

June 26, 2021

The act of weaponizing personal data for financial gain, harmful disruption or world domination used to be the stuff of best-selling fictional espionage thrillers. Now, unfortunately, such threats are a commonplace fact of life in the business world. There is no rest for weary organizations, including middle market life sciences companies. Given the industry’s wealth of stored and exchanged personal data—whether it’s a biopharma company’s remote clinical trial findings or a medtech’s wearable-collected health data—life sciences companies present an especially lucrative target for many cyberattackers.

By some estimates, a stolen personal health record can go for thousands of dollars on the dark web. Another criminal lure: life sciences companies hold valuable intellectual property with precious trade secrets that can be captured and sold to the highest bidder.

Indeed, it’s tough out there for companies, and cybercriminals are making it tougher for businesses such as those in life sciences.

The data tell the story

According to the RSM US Middle Market Business Index special report on cybersecurity, 28% of middle market executives across industries claimed that their company experienced a data breach in the last year, the highest level since RSM began tracking data in 2015 and a sharp rise from 18% just last year. In addition, 64% of respondents anticipate that unauthorized users will attempt to access data or systems in 2021, another significant increase from 55% in both 2019 and 2020.

And there are plenty of recent cyberattack examples in the life sciences ecosystem demonstrating looming threats, from Bayer’s breach a couple of years ago to French pharmaceutical group Pierre Fabre’s reported ransomware attack demanding $25 million in April this year. The attacks have increased, particularly in the ransomware arena, and have become more brazen.

The reasons for the increase in breaches are plentiful, including an increase in attempts (bad actors have been busy during the pandemic), lack of security awareness, poor network segmentation, pandemic-related remote expansion, and a lack of formalized patching and configuration standards. In addition, the use of third parties can accentuate vulnerabilities. Life sciences companies, due to the nature of their operations, often use third parties for a variety of processes like trial management, manufacturing and research. However, this practice can also expose partnering companies to security weaknesses. Middle market life sciences companies, in particular, face challenges in this area due to stretched resources, poor integration or inefficient third-party management.

Counterattack measures

So what must life sciences companies do to mitigate these sorts of risks?

Cyber insurance could be a smart strategy for life sciences companies to lessen the consequences of a breach. According to the RSM special report, 65% of middle market organizations carry a cyber-insurance policy, a slight increase from last year’s 62%.

In addition, using the cloud to increase data security might provide more protection. According to the RSM report, 40% of survey respondents reported moving or migrating data to the cloud because of security concerns in the past year, a 2% reduction from the previous year’s data. More than twice as many larger middle market organizations are moving to the cloud because of security than smaller organizations—53% compared to 26%.

Other security risk management tactics include:

  • Regularly assessing vulnerabilities throughout the drug manufacturing cycle
  • Evaluating software and hardware life cycles and upgrading when needed
  • Reviewing third-party contracts, processes and ongoing relationships for security protections and risks related to clinical trials, recruiting, research and more
  • Updating security protocols, particularly in areas of newly added remote workforce solutions
  • Complying with regulatory needs, like the General Data Protection Regulation, and updating procedures accordingly
  • Engaging security professionals and/or adding new staff to fortify existing security resources

Cyberthreats are here to stay for life sciences companies, but staying a step ahead of the criminals through the use of smart strategies and vigilance can ensure the good guys win the day.
