The pharmaceutical industry faces growing pressure from cyber threats. Attacks on manufacturers and organizations involved in pharmaceutical logistics, like the COVID-19 vaccine cold chain, are becoming more frequent. In many cases, attempted attacks are successful.
Here, Emily Newton looks at what the pharmaceutical industry can do to keep information safe from hackers.
Cyberattacks pose a serious risk for the industry and could disrupt the production of essential medicine and medical devices, expose confidential information, or result in the release of sensitive consumer data.
The right approach to cybersecurity can help keep the pharmaceutical industry’s information safe from hackers. These three ingredients are essential for any organizational cybersecurity strategy.
1. Employee Training
Technical standards and new processes can only go so far in securing a business’s network. Oftentimes, the best place to start is with employee knowledge of cybersecurity best practices.
Typically, cyber-attackers will target the weakest link of a business’s cyber-defenses. In many cases, this is the employees themselves.
In the 2020 attack on the COVID-19 vaccine cold chain, for example, hackers were able to gain access to the networks of organisations involved in the vaccine rollout by targeting executive accounts in phishing attacks, according to security research from IBM.
These phishing attacks use communications that appear to be from trusted sources and encourage recipients to download malicious files or divulge sensitive information, like passwords.
Even if the permissions of accounts and devices are carefully managed, unauthorised access is still possible if hackers can successfully breach the right accounts using a phish or a similar social engineering-based attack.
Training employees in basic cybersecurity practices — like how to recognise a phish and how to secure loaned devices while traveling — is essential for an effective cybersecurity strategy.
While successful breaches aren’t always caused by phishing attacks, they’re common enough that every organisation should assume they will be targeted by a phishing attack eventually. According to data from Proofpoint, around 74% of U.S. organizations have fallen victim to a successful phish.
Because these attacks allow cyber-attackers to circumvent conventional network defenses to gain direct access to important data — like trade secrets and consumer financial information — they’re likely to remain popular well into the future.
2. Data Governance
All the data that an organisation stores is data that can be compromised in a breach. Thinking about what data the organisation is holding on to and how it’s being stored will help you protect this data in the event of unauthorized network access.
Pharmaceutical businesses already need data governance to stay in line with regulatory expectations around data integrity. Effective governance practices can help businesses maintain data integrity while also protecting data against attackers.
Data review and retention policies, for example, can help ensure the integrity of data related to pharmaceuticals manufacturing and R&D. Encrypting sensitive data can help ensure that any data stolen during a breach is not useful to hackers.
Regularly reviewing the data a business has stored can also help reduce the potential impact of a breach. Reducing stored essential information can be a good way of protecting that data from hackers.
Customer billing information and historical sales data, for example, can be necessary to predict the impact of policy changes, like the recent 2021 CMS payment modifications in pathology, which affected a large number of labs in the U.S. Finding ways to reduce the amount of stored data, however, can simplify data governance and improve lab security.
3. Trust and Access Management
Organisations should also closely manage the trust and network access granted to all users on a network.
The zero-trust approach to network security, for example, helps reduce the potential for successful breaches by eliminating trust from an organisation’s network architecture.
By using techniques like network segmentation — which divides a business’s network into smaller parts — it’s possible to adopt what’s often called the “never trust, always verify” approach.
With this model, it’s understood that you can’t always assume a device or account hasn’t been compromised. Instead, you limit the access that network users have by default and create opportunities to verify their identity, ensuring they are who they claim to be.
A business with a zero-trust model will define a “protected surface,” made up of the organisation’s most essential data, services, and resources.
A segmentation gateway mediates traffic between the protected surface and the rest of the network, creating what is called a micro-perimeter.
This micro-perimeter allows the organization to focus on defending the easier-to-track protected surface, rather than the much larger, potentially shifting, and difficult-to-define attack surface the organization’s network will have.
The company’s zero-trust policy determines what traffic can move through this segmentation gateway, along with when, why, and how that traffic will move.
In the event that a single user account or device is compromised, the zero-trust approach helps minimise potential fallout. An industrial sensor, for example, monitoring the manufacturing process of a drug, may communicate with a large number of other systems on the business network.
The micro-perimeter means this sensor will not have direct or unconditional access to the most important resources a business has.
If this sensor is compromised by a hacker, they won’t be able to obtain unauthorized access to the rest of the network right away. In practice, gateway management may be accomplished with a traffic or identity analysis tool that helps to enforce a zero-trust policy and monitors the network for unusual activity.
While zero trust may not be perfect for every organisation, it can serve as one reference point when applying similar trust and access management strategies.
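The segmentation gateway described above can be pictured as a default-deny policy check placed in front of the protected surface. The following Python sketch is an added example, not code from the article or from any product; every identity, resource name, protocol and time window in it is constructed for illustration, and it models only the who, what, when and how of a request.

```python
from dataclasses import dataclass
from datetime import time

# Constructed names throughout: none of these come from the article.
PROTECTED_SURFACE = {"batch-records-db", "formulation-store"}

@dataclass(frozen=True)
class Rule:
    who: str      # verified identity of the caller
    what: str     # destination resource
    how: str      # protocol the traffic must use
    start: time   # "when": start of the allowed window
    end: time     # "when": end of the allowed window

@dataclass(frozen=True)
class Request:
    identity: str
    verified: bool  # did the caller pass identity verification?
    resource: str
    protocol: str
    at: time

POLICY = [
    Rule("qa-analyst", "batch-records-db", "https", time(7, 0), time(19, 0)),
    Rule("sensor-line3", "process-historian", "mqtt", time(0, 0), time(23, 59)),
]

def decide(req, policy=POLICY):
    """Return (allowed, reason). Default deny: only an explicit rule match passes."""
    if not req.verified:
        return False, "identity not verified"
    for r in policy:
        if (r.who, r.what, r.how) == (req.identity, req.resource, req.protocol):
            if r.start <= req.at <= r.end:
                return True, "rule match"
            return False, "outside allowed window"
    return False, "no rule (default deny)"

def audit(requests, policy=POLICY):
    """Collect denied attempts against the protected surface for review."""
    return [(q.identity, q.resource, decide(q, policy)[1])
            for q in requests
            if q.resource in PROTECTED_SURFACE and not decide(q, policy)[0]]

if __name__ == "__main__":
    sample = [  # constructed traffic: normal sensor flow, then two denied requests
        Request("sensor-line3", True, "process-historian", "mqtt", time(2, 30)),
        Request("sensor-line3", True, "batch-records-db", "https", time(2, 31)),
        Request("qa-analyst", True, "batch-records-db", "https", time(23, 0)),
    ]
    for q in sample:
        print(q.identity, "->", q.resource, decide(q))
    print("review:", audit(sample))
```

The sensor's request to the records database is refused because no rule names that pairing, and the denied attempts returned by `audit` are the kind of unusual activity a monitoring tool would surface.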
In Defense of Pharmaceutical Cybersecurity
Cyberattacks targeting pharmaceutical companies are likely to increase in the future. Effective cybersecurity practices will become even more important as cyber-threats become more frequent.
Training, data governance, and trust management will all be essential to a business’s cybersecurity strategy. While not all organizations will need the same strategy, these ingredients will almost always help a business develop a more effective cybersecurity approach.
Author: Emily Newton is the Editor-In-Chief of Revolutionized, a magazine exploring innovations in science and industry that shares ideas to promote a better tomorrow.