Words by Danny Buckland.
The pharmaceutical industry has emerged as a prime target for cyber attackers, as its landscape is riddled with vulnerabilities that attract organised crime and opportunists. Pharma is awash with M&As, where contact between big companies and smaller start-ups, jostling for attention and investment, can expose security flaws.
Reports of data breaches and cyber incursions, whether to steal valuable intellectual property, extort money, or just to disrupt, are growing. They hit the headlines with the WannaCry attack across 150 countries in May 2017, which paralysed hospitals and disrupted one-third of NHS Trusts in England. The main prizes are patient data from clinical trials, which can be sold on the dark web to facilitate identity fraud, and trade secrets on drugs in development.
A report from analysts Deloitte recorded that 20% of pharma companies had been attacked between seven and 15 times, while health insurers, who also hold patient data, have come under increasing assault. “Life sciences is among the most threatened industries and needs to step up to this growing challenge”, its Cyber Risk in Life Sciences M&A report stated. “This is an industry built on innovation that has all the characteristics to make it highly attractive for cyber attackers: high revenues, extensive spend on R&D and operations, highly sensitive intellectual property, trade secrets, and an almost total reliance on the underpinning technology to run the business.”
The weak points are increasingly being identified as the interactions between larger firms, which have robust protection, and smaller companies that concentrate their finances on innovation and discovery rather than lock-tight IT systems. The smaller companies' inherently high exposure to risk makes them first-time targets and also creates a secondary jeopardy when they connect with big pharma.
Companies are being advised to follow the National Cyber Security Centre’s 10 Steps to Cyber Security plan, which has practical advice on how to close chinks in IT’s armour. Experts also advise companies to carry out regular risk assessments, set up a framework of accountability, and establish a cyber security incident response protocol.
“By taking the appropriate steps and giving this the attention it needs during the M&A process, organisations can manage the cyber risk effectively”, the Deloitte report concludes. “Equally, if this isn’t given the right level of attention, it may just be a matter of time before senior executives get that dreaded phone call!”