Life Sciences, Pharmaceutical and Medical Device Companies Need to Trust Less and Question More to Keep High-Value Data Safe


By Sharon Lindstrom, Managing Director
Manufacturing and Distribution Industry Leader

and Scot Glover, Managing Director
San Francisco Life Sciences Practice Leader


Life sciences, pharmaceutical and medical device companies possess sensitive, high-value data that cybercriminals, hacktivists, unscrupulous competitors and other malicious actors aim to steal or otherwise expose. Personally identifiable information (PII), such as employee data and information about clinical trial participants, is a prime target for compromise. So, too, is intellectual property (IP), like drug formulas, proprietary software and manufacturing processes.

Adversaries are finding success with their campaigns: According to a 2016 study by the Ponemon Institute, which included pharmaceutical and medical device businesses, 90 percent of healthcare organizations (an all-inclusive category for all sectors participating in the survey) have suffered a data breach in the past two years. Ponemon estimates that those incidents cost the healthcare industry US$6.2 billion.

There are other cyber risks, too, that can be even more damaging. The recent, massive WannaCry ransomware attack, for example, shows how the interconnectedness of healthcare systems, and weak security practices, can put both organizations and patients at risk. The malware also affected Windows-based radiology devices at two U.S. hospitals, according to reports. The attackers took advantage of known vulnerabilities in the devices’ software. Many devices across the healthcare system use old software that is difficult to update, which means they are ripe for malicious actors to exploit.

Time to move cybersecurity from “top concern” to “top business priority”

Although cybersecurity is, and has been, a top concern for leadership at life sciences, pharmaceutical and medical device companies and their stakeholders, most of these businesses aren’t doing enough to ensure PII, IP and other vital data, and their critical systems and devices, are protected. There are several reasons for this, including:

  • Too much trust: Companies often outsource key functions, such as research and development, marketing studies and patient data analysis. Unfortunately, many companies assume that the risk of a data breach or hack is outsourced to the business partner along with the work, and that the collaborative agreements they’ve established with their commercial or academic partners or contract research organizations somehow guarantee security.
  • Lack of insight: Businesses may not dig deeply enough into their collaboration networks or supply chains when conducting cyber assessments to identify security gaps and other risks.
  • Too few resources: Many organizations in the industry are small and in startup mode, and therefore operate very lean. They devote most of their time and budget to research and development, which leaves them with little or no funding to put toward enhancing their cybersecurity. Also, many of these businesses rely on cost-effective and easy-to-access technology tools to store and share information, which means information could be exposed to malicious hackers if the tools are not configured and secured properly.

To improve cybersecurity, life sciences, pharmaceutical and medical device companies must stop viewing the issue as a top concern and treat it as a top business priority. As a starting point, these organizations should seek to answer the following questions:

  1. What information do we share with our strategic partners electronically, and how is that data protected while in transit or at rest? More companies than ever before, big and small, are now working with contract research organizations (CROs). These CROs exchange sensitive and confidential data over electronic networks continuously, and the potential for loss, compromise or theft of PII or IP is high. Cybercriminals often target the security weaknesses of third parties to gain access to the company they are actually after, using tactics such as phishing. Another risk area: Many businesses rely on third-party vendors, such as cloud providers, to manage and store their data.
  2. How are our strategic partners handling our information physically at the research site? This question relates to the earlier point about companies’ lack of insight into their collaboration network. Organizations must understand how their information might be exposed in a lab environment or at a research site. The theft, by an insider, of a researcher’s notebook with details about a new drug formula or a medical device in development could spell the end for a company whose entire value is tied up in that irreplaceable IP.

Medical device companies have a third question they should consider (although, so too should the organizations and patients relying on these devices):

  3. What is the risk that our products could be hacked and/or controlled by malicious actors? The potential for medical device compromise is no longer in the realm of science fiction. And there were warnings that this would become a reality even as the Internet of Things was emerging. Back in 2014, for instance, the U.S. Federal Bureau of Investigation (FBI) issued a report warning that cyber attacks against healthcare systems and medical devices were likely to increase as more healthcare records were digitized and more medical devices were connected to the Internet.

Life sciences, pharmaceutical and medical device companies must think more critically about, and build a better understanding of, their cyber risk exposure and know what digital assets malicious actors would be most likely to target. When it comes to cybersecurity, these businesses would do well to trust less and question more. Failure to do so can put not only their brands and reputations at risk but their entire business — as well as, potentially, the lives of their patients.

Data-Rich Manufacturing Demands Cybersecurity of the Supply Chain, Too

By Sharon Lindstrom, Managing Director
Manufacturing and Distribution Industry Leader

and Tony Abel, Managing Director
Supply Chain


Few manufacturers would disagree with the view that the Internet of Things, big data integration and other advances in technology are boosting productivity, streamlining supply and distribution channels, and improving product support. But the WannaCry ransomware attack unleashed on businesses, governments and hospitals across the globe last month and the most recent attack this week delivered a sobering reminder that those digital-driven innovations carry very real risk.

That’s especially true for supply chains. Competition and efficiency demands increasingly compel manufacturers to enlist third-party vendors to produce components for an end product, meaning proprietary information and specification data are sent digitally across the globe, where cybercriminals can steal and exploit them. One recent survey of more than 1,400 supply chain professionals found that data security/IT incidents ranked as the most critical risk to supply chains.

Cyber attacks are likely to grow in frequency and severity, according to our recent Flash Report discussing the WannaCry ransomware event. In the report, we highlighted the need for companies to not only adopt a cyber defense, but also to continuously evaluate and improve it to protect against evolving threats. We noted, again, that many organizations continue to ignore cybersecurity – or at best are inadequately addressing it.

Opaque Supply Chains

It makes sense that businesses that are underprepared in their own cyber defenses have even less insight into the cybersecurity of their suppliers. But clearly they should. According to a 2016 presentation given by cyber supply chain risk management specialist Jon Boyens, a program manager with the National Institute of Standards and Technology (NIST), 80 percent of all information breaches occur within the supply chain, and almost 60 percent of companies do not have processes for assessing the cybersecurity of their vendors. Similarly, more than seven out of 10 organizations lack full visibility into their supply chains.

Even more alarming, NIST anticipated that cyber attacks and data breaches would cause nearly half of the manufacturing supply chain disruptions in the next couple of years. Such incidents are costly. NIST estimated that 55 percent of the disruptions incur more than $25 million in damages per incident. In addition, supply chain breaches that steal or alter data could result in substandard products, the loss of intellectual property, and backdoor access into the manufacturer’s systems, all of which could further tarnish an organization’s brand and diminish its value.

Samsung’s recent bout with the flawed batteries that sparked fires in its Galaxy Note 7 phones illustrates the potential damage to a company’s reputation and bottom line. Samsung ultimately identified specifications provided to its suppliers as the culprit, but not before the company took a $5.3 billion hit to earnings and lost consumer trust. How much worse would it have been if a cyber criminal altered the specifications intentionally?

Supplier Checklist

The good news is that manufacturers can mitigate supply chain risks by ensuring that their third-party vendors are pursuing cybersecurity efforts comparable to their own. Here are a few fundamental questions that we recommend focusing on when assessing supply chain IT risk:

  • Does the supplier’s culture promote cybersecurity and ransomware awareness throughout the organization? What kind of training are its employees receiving to recognize and address threats?
  • What cyber defenses are in place, and are they sufficient to counter the latest malware threats? Is the supplier up to date on indicators of compromise for recent attacks?
  • How frequently does the supplier conduct cyber risk assessments? Is the regimen sufficient to keep up with the rapidly evolving threats, and does it include defenses to block operational disruptions? Does the supplier consider the risks in its own supply chain (e.g., Tier 2 and Tier 3 suppliers)?
  • Does the supplier have an effective response plan? How often is it updated, and how often does the organization conduct threat simulations as part of its cybersecurity training?

Sound Agreements Needed

Manufacturers and suppliers seeking to reduce supply chain risk also should review contracts to ensure compliance. Items for each party to consider include:

  • Are the supplier’s cybersecurity obligations spelled out clearly in the contract, and does the language extend to the supplier’s subcontractors?
  • Does the contract include assurances that the supplier has the infrastructure to uphold its end of the contract?
  • Who are the executives or managers executing the contract for the supplier? Are they the most appropriate personnel with regard to understanding cybersecurity threats and the supplier’s ability to meet its obligations?

As cyber threats continue to escalate, it is important for manufacturers to gain visibility into their supply chains in order to assess their overall risk-mitigation and response capabilities. The ideas outlined here represent basic but critical actions organizations should be implementing as they strive to secure the increasing amount of sensitive data shared in the production and sourcing processes.

Cybercrime, Brand Damage Among Top Risks for Technology, Media and Communications Companies, Executives Say

By Gordon Tucker, Protiviti Managing Director
Technology, Media and Communications Industry Leader


If improving brand protection isn’t a top-line agenda item in the cybersecurity discussions happening at the highest levels in your organization, it needs to be. In today’s era of lightning-quick social media sharing, brand protection has become even more important — and far more challenging — for technology, media and communications (TMC) companies. Two factors play a role:

  • Expanding use of social media and mobile applications by customers and employees: It is all too easy for outsiders to acquire and misrepresent personal and proprietary information.
  • The relentless tide of cyberthreats: The Identity Theft Resource Center (ITRC) reports that the number of U.S. data breaches reached an all-time high in 2016. Several leading TMC companies were among the businesses hit with high-profile, far-reaching, costly and reputation-damaging breaches last year.

In the face of these realities, including growing public disclosures of data leaks and breaches, many TMC companies are beginning to re-evaluate how they interact with other organizations and how they safeguard against breaches. Most C-level executives in this industry group also now realize that they themselves could be targets for hackers and other malicious actors seeking to gain access to personal records and other sensitive data.

There is no doubt that TMC executives, in general, are thinking a lot more about brand protection these days. In the latest Executive Perspectives on Top Risks Survey from Protiviti and North Carolina State University’s ERM Initiative, TMC executives ranked the following risks among the top five for their industry group in 2017:

  • Social media, mobile applications and other internet-based applications may significantly impact our brand, customer relationships, regulatory compliance processes and/or how we do business, and
  • Our organization may not be sufficiently prepared to manage cyberthreats that have the potential to significantly disrupt core operations and/or damage our brand.

On the cyber-risk front, it is important for TMC companies to recognize that the customer and financial data they handle are not the only targets for hackers. An organization’s intellectual property (IP) can be even more valuable to some threat actors, including nation states. The loss or theft of IP not only could undermine a company’s ability to compete but damage its brand and reputation in unanticipated ways.

Without question, loss or theft of any type of high-value data can have lasting, negative effects on an organization from both operational and brand perspectives. Everything negative that happens to a company and becomes public can damage its brand – and cyber breaches and loss of IP are some of the fastest ways for this damage to occur. Given these considerations, management and the board must work together to manage the brand and make brand protection one of the company’s top priorities.

A recent issue of Protiviti’s Board Perspectives: Risk Oversight offers some guidance on engaging in effective dialogue on this topic: Executives should take the lead in deciding what type of interaction they would like from the board and define how they want to involve the board in the brand protection process. And if the executives haven’t done this yet, then the board should waste no time in asking for their input.