As pharmaceutical companies continue to embrace digital transformation, their highly sensitive and valuable information becomes even more attractive for cyberattacks. Today’s threat actors are better resourced and more capable of achieving their nefarious goals than ever before. In addition to hackers seeking financial gain, pharma companies also contend with the full capabilities of nation-states or other pharmaceutical companies with state sponsorship.
In fact, as the race to bring a coronavirus vaccine to market accelerates, threats are increasing. In July, cybersecurity agencies and authorities in the UK and Canada released a joint warning of attacks targeting COVID-19 research and vaccine development facilities. The concern is that such attacks could cause delays in delivering vaccines, which could put human lives at risk.
To successfully defeat attacks aimed at the pharmaceutical industry, it’s important to understand some of the top threats they are facing. Traditionally, compliance requirements like HIPAA drove cybersecurity strategies in the pharma industry. However, in 2020, pharmaceutical leaders realize that approach is no longer sufficient enough. In addition, pharmaceutical data breaches continue to increase by the day, therefore the need to take action is clear. There are a number of challenges to overcome within the industry.
- A growing threat landscape: Thanks to the Internet of Things (IoT) and Industrial Internet of Things (IIoT) device integration via OT/IT convergence, the attack surface has greatly expanded. A number of other digital innovations are also contributing to the large number of attack targets available in pharma networks. These include cloud migrations, connected medicine and telehealth, the proliferation of endpoints and the massive surge in remote work.
- An increasingly complex network: For years, organizations have “bolted on” security point products needed to meet a specific security or compliance requirements. Consequently, a majority of pharma companies are faced with maintaining very complex security systems. There are a number of high-level problems with this beyond the security gaps inherent with this approach.
- The IT team has to be trained on all the different management and reporting systems
- Because end-to-end visibility is lacking, security events are not detected or understood
- Due to lack of communication between products, threat response cannot be automated and is not fast or effective
- Security teams need more integrated solutions that are woven into the network infrastructure allowing the organization to be agile with organizational growth and digital transformation.
- It is prohibitively resource-intensive to demonstrate compliance
- Companies waste IT resources on the time-consuming task of separately managing all the security controls
- Distributed networks and acquisitions: The growth-by-acquisition strategy can create security challenges because sometimes the acquisition targets do not possess adequate or easily-integrated security infrastructures. Such acquisitions need to consider cybersecurity best practices as part of connecting to an already complex digital web. Intellectual property, electronic protected health information (ePHI) and other sensitive operational data is routinely accessed and transferred. Owing to their disconnected systems, pharma enterprises struggle with challenges of visibility, data control, access auditing and compliance reporting throughout their networks.
- The cyber skills gap: The global shortage of cybersecurity professionals exceeds 4 million today, and the global cybersecurity workforce must grow at 145% annuallyto meet the demand for skilled cybersecurity talent. While pharma companies can be strategic about attracting and retaining top cybersecurity talent, people with these skills will be scarce for the foreseeable future, making it difficult—and expensive—to fill new positions.
- Insider threats: Pharmaceutical companies face risks from insider threats. Damage from insider sources can be hard to detect because these threats encompass a wide range of behaviors and motives. It could be a disgruntled employee attempting to disrupt operations, a staff member looking to earn extra cash by selling customer data, or a well-intentioned co-worker who merely sidesteps a company policy to save time.
- Compliance requirements: As regulatory requirements evolve and become more complex, the difficulty of manually achieving network-wide visibility and enforcing the required security controls only increases. In addition, demonstrating compliance can be time-consuming, especially when networks are composed of disparate point products that don’t share reporting capabilities. Traditionally, pharmaceutical companies have focused their security efforts on meeting compliance requirements. But the reality is that most organizations struggle to demonstrate comprehensive compliance – and data integrity is an important new requirement to address as digitalization takes hold.
- IT/OT convergence and aging OT environments: Legacy software and hardware are typical in pharmaceutical manufacturing. Almost always, these operational technology (OT) devices and systems were not created with security in mind and were dependent on an air gap for separation. As digital innovation and business intelligence gains compel OT networks to converge with IT networks, OT networks are suddenly exposed to the entire threat landscape. These technology advances offer cyber criminals the opportunity to exploit inherited vulnerabilities.
There are multiple and ever-evolving cyber threats facing pharmaceutical companies, including compliance needs, nation-stated sponsored attackers and increasing network complexity. Rather than try to solve each issue separately, a better plan is to take a comprehensive architectural approach to network security. Such an approach provides the automation, visibility, and fast response to threats that easily demonstrate compliance and defeat attackers.
(Rajesh Maurya is Regional Vice President, India & SAARC, Fortinet and the views expressed in this article are his own)