This article in our industry cybersecurity series will discuss the unique threats that plague life sciences in the pharmaceuticals and biotechnology sectors, and why it’s important for the industry to have a solid cybersecurity strategy. The powerful current of advances in digital technology has caused the life sciences industries to be swept up in big disruptive and transformational changes. This is changing the future of cancer treatment, producing life-changing vaccines, and allowing for valuable research efforts that many of us couldn’t even imagine. The impetus of these powerful solutions lies in the research information and personal data allowing these life-changing solutions and the development of life-saving drugs. However, information has never been more valuable and life sciences are one of the most vulnerable industries to data breaches.
What’s at risk?
The cyber risks that plague life sciences can be detrimental. For instance, if biotech research becomes compromised, it goes beyond issues for shareholders, there could be information powerful enough to develop dangerous products and bioweapons. As criminals and other threat actors continue to uncover new ways of monetizing sensitive confidential data, these data assets are in turn, becoming more valuable and sought after targets. Cybersecurity threats in the life sciences industry can directly put people’s health, safety, and security at risk. Many pharma and biotech companies, especially high-profile consumer brands, are high-value targets for cyber attackers.
Among the major threats in pharma and biotech are these three top points of concern:
- Clinical trial data: this includes sensitive patient data that is generated from the clinical trials—this is at-risk information on both a patient level and a commercial level
- Confidential information: regarding the manufacture of biologic drugs, etc.
- Commercially sensitive information: drug pricing and promotion
Cyber Threats in Life Sciences
Information-related risks including fraud, cyber, and security risks are now the areas of greatest concern in the pharma and biotech sectors of life sciences, along with the sophisticated nature of medical devices and their connectivity raising additional risk factors. Commercially sensitive information in all of these areas are at all-time highs and there is no anticipation that these threats will abate in the future.
Physical theft or loss of intellectual property (IP) is currently the most prevalent type of security incident in the life sciences sector. Incidents relating to theft and loss of IP are costly and wide-ranging, affecting employees, customers, the organization’s reputation and bottom line, and putting these important research and development projects at risk.
Interconnectivity of corporate data networks is necessary for life sciences; however, this has made intellectual property (IP) that much more vulnerable to cyber thieves who can monetize this valuable data. Categories of IP within the life sciences and medical devices sectors include pharmaceutical and biotechnology patents, copyrighted data sets and reports, and trade secrets.
Life science organizations should also guard against the loss of personal information such as financial information, personal health information, and medical data that is collected.
6 steps for protecting your sensitive proprietary data and IP assets:
- Identify and data map IP assets within digital and physical systems. This should be done both onsite and in the cloud, including those with access, such as remote vendors and clinical researchers.
- Protect IP assets by implementing contractual, physical and digital security systems
- Stay informed of the most recent cybersecurity risks. Implement basic security rules and create a security policy program that works to protect your IP assets.
- Conduct risk assessments regularly to evaluate and simulate best practices around protecting the company and stakeholders in the event of a system and data breach.
- Gain an understanding of the added risks that the Internet of Things and remote medical devices bring. Expect an exponential increase in cybersecurity risks and be prepared to mitigate.
- Become educated on the legal framework surrounding protection of the confidentiality of IP assets. Additionally, understand the liability and regulatory frameworks impacting cybersecurity in life sciences and medical devices sectors.
Below lists some of the legislation that informs and addresses cybersecurity in the realm of life sciences and medical devices. Any company engaging in this sector should have a thorough knowledge of how these may impact their work:
- Electronic Communications Privacy Act (ECPA)
- Defend Trade Secrets Act (DTSA) and Uniform Trade Secrets Act (UTSA)
- Health Insurance Portability and Accountability Act (HIPAA)
- HIPAA Privacy Rule: Protected Health Information (PHI);
- HIPAA Security Rule: Addresses electronic PHI (ePHI), a subset of what the Privacy Rule covers
- Health Information Technology for Economic and Clinical Health Act (HITECH) and the HIPAA Omnibus Rule
- Computer Fraud and Abuse Act (CFAA)
- FDA guidance
- Federal Trade Commission (FTC) Act—Section 5
- European General Data Protection Regulation (Regulation (EU) 2016/679)
Cybersecurity should be one of the main focuses in almost any organizations’ agenda, especially for those in the life sciences sector. The massive growth rate and use of Big Data and the Internet of Things are just some of the examples of the impetus for a need to be hyper-focused on our privacy and data security. Systems have never been more complex and interconnected, as powerful and sophisticated discoveries continue in pharma, biotech, and medical devices. Vendors, business partners, and third parties related to the development of new research and development of things that undoubtedly change our experience and state of health have the same obligations to prioritize cybersecurity.
You Might Find These Articles Interesting: