Expert view
Key questions about cybersecurity in the pharmaceutical industry: Q&A with GlobalData thematic analyst
Credit: Bert van Dijk/Getty images.
Powered by
Wafaa Hasan, MSc, is a senior digital health and thematic analyst in the pharma team at GlobalData’s London office. Her responsibilities involve writing reports and providing insights on digital strategy across disease areas and channels. Prior to working in the digital health team, Wafaa worked in the Thematic Intelligence team at GlobalData, where she contributed to quantitative and qualitative analysis reports on disruptive themes and technologies, with a focus on pharma, healthcare and medical devices sectors.
Lara Virrey: What are the biggest cybersecurity challenges facing pharmaceutical companies today?
Wafaa Hasan: For biopharmaceutical companies, the primary dangers cyberattacks pose are intellectual property (IP) loss and operational disruption. Losing IP and proprietary information erodes their competitive advantage as innovations are stolen. For example, in December 2020, data related to Pfizer and BioNTech’s Covid-19 vaccine was stolen and released online. Meanwhile operational disruption at any stage of the value chain hinders output and ultimately revenue.
Undefended breaches will always beget reputational damage and litigation risk, and recent regulation punishes the exposure of personal data more severely, so companies involved in handling sensitive personal health data, such as those conducting clinical trials, have to be aware of the dangers.
Lara Virrey: How can pharma companies best defend themselves against cyber threats?
Wafaa Hasan: Due to the sensitive nature of their research, intellectual property and personal data they handle, there are several practices that pharma companies can use to effectively defend themselves against cyber threats. For instance, pharma companies can conduct regular risk assessments that determine and evaluate any potential weakness and dangers in the organisation’s systems, procedures, and infrastructure. Effective resource allocation and security measure prioritisation will be made possible by this review.
Pharma companies can also use role-based access controls (RBAC), multi-factor authentication (MFA), and strong passwords to make sure that only authorised users can access sensitive systems.
Conducting regular training programs for employees is crucial in any pharma organisation to educate employees about common cyber threats, phishing attacks, and encourage employees to report suspicious activities promptly. Another practice is to use security information and event management (SIEM) tools, firewalls, intrusion detection and prevention systems (IDPS), and endpoint protection. These technologies provide proactive defence against cyberattacks by being able to identify and stop threats in real time.
Additionally, DevSecOps has been discussed for several years but will be more broadly implemented in development cycles in the coming years. DevSecOps is a software delivery model that involves introducing cybersecurity early in the software development life cycle. This means security is ingrained in the early stages of app development and involves early collaboration between developers and security teams. DevSecOps has many benefits, including improving security posture and integration, faster delivery of applications as security is already ingrained into the application, and reducing costs by identifying potential vulnerabilities and bugs before deployment.
Lara Virrey: How has the nature of cybersecurity threats to the healthcare industry changed in the past two to three years?
Wafaa Hasan: The rush from office-based work to remote working caused by the Covid-19 pandemic significantly increased cyber risk. The increased use of technology such as collaboration tools increased the potential attack surface for hackers, and the high speed of transition required meant that many IT security teams had insufficient time to install adequate security defences. Companies also moved more sensitive operations and information online than before, making attacks more costly.
Malicious actors took advantage of this environment through cyberattacks such as phishing, ransomware, and supply chain attacks. Companies involved in developing Covid-19 vaccines and therapeutics became targets of cybercriminals looking to steal proprietary information about these products.
Even after the Covid-19 pandemic, cyber risk is higher than ever, for example, in April 2023 generics drug manufacturer Sun Pharmaceuticals disclosed a ransomware attack compromising its file systems, resulting in the theft of both company and personal data.
Lara Virrey: Is the pace of innovation in security technologies keeping up with evolving threats?
Wafaa Hasan: Yes, although it is a constant challenge, the rate of innovation in security technology is generally keeping up with changing threats. Cyber dangers are continually changing, with new attack methods, strategies, and flaws appearing all the time. To counter these growing dangers, security technology vendors diligently create new solutions and updates. It's crucial to remember that the cyber threat landscape is complicated and evolving quickly. Attackers frequently outsmart security systems and develop new ways to exploit weaknesses.
There are several areas where security technologies are evolving. For instance, artificial intelligence (AI and machine learning (ML) are becoming particularly popular for incident response, given the increasing number of cyberattacks organisations must deal with every year. Automating incident response with AI makes it easier to resolve more incidents quickly, reducing the organisation’s downtime and resources required to deal with IT security.
Behavioural analytics tools can also be used to establish baselines of normal user behaviour and identify anomalous activities that may indicate a security breach.
Companies rushed to adopt the cloud when the Covid-19 pandemic pushed employees to work from home, which increased the attack surface area and exposed entry points for bad actors. The misconfiguration of security settings that fail to provide adequate security for cloud data is a growing problem in cloud security. Without strong security measures, cyberattackers can target those misconfigurations to steal cloud data.
Endpoints, or entry points, are end-user devices connected to a network. Examples are laptops, smartphones, or IoT sensors and devices. The need to work remotely during the pandemic caused a proliferation of laptop endpoints connected to the cloud. 5G networks will also increase the proliferation of IoT devices as they provide greater capacity for device connection. However, more endpoints mean more entry points for attackers to exploit. Endpoint protection and zero-trust models help contain attacks and protect the entire network in the event of one endpoint being exploited.
Lara Virrey: Are pharma companies doing enough to protect themselves against cyber threats?
Wafaa Hasan: In comparison to other industries, news of successful cyberattacks on pharma companies are relatively uncommon. Large-scale attacks such as the NotPetya malware attack in 2017 have been a warning for the industry, with Merck & Co’s estimating that damages from NotPetya amounted to $1.4bn as the company’s supply chain backlogged.
However, cyberattacks are still increasing in frequency and intensity, so pharma companies need to keep updating and investing in their cybersecurity capabilities, for example through the adoption of zero-trust architecture.
Companies such as Sanofi and Johnson & Johnson are industry leaders in the theme, investing in comprehensive cybersecurity measures. However, others, such as Shanghai Henlius Biotech and Cadila have been identified as laggards in the cybersecurity theme by GlobalData, and need to do more to protect company operations and sensitive personal data.
GlobalData, the leading provider of industry intelligence, provided the underlying data, research, and analysis used to produce this article.
GlobalData’s Thematic Intelligence uses proprietary data, research, and analysis to provide a forward-looking perspective on the key themes that will shape the future of the world’s largest industries and the organisations within them.