Life Sciences, Pharmaceutical and Medical Device Companies Need to Trust Less and Question More to Keep High-Value Data Safe

 

By Sharon Lindstrom, Managing Director
Manufacturing and Distribution Industry Leader

and Scot Glover, Managing Director
San Francisco Life Sciences Practice Leader

 

Life sciences, pharmaceutical and medical device companies possess sensitive, high-value data that cybercriminals, hacktivists, unscrupulous competitors and other malicious actors aim to steal or otherwise expose. Personally identifiable information (PII), such as employee data and information about clinical trial participants, is a prime target for compromise. So, too, is intellectual property (IP), like drug formulas, proprietary software and manufacturing processes.

Adversaries are finding success with their campaigns: According to a 2016 study by the Ponemon Institute, which included pharmaceutical and medical device businesses, 90 percent of healthcare organizations (an all-inclusive category for all sectors participating in the survey) have suffered a data breach in the past two years. Ponemon estimates that those incidents cost the healthcare industry US$6.2 billion.

There are other cyber risks, too, that can be even more damaging. The recent, massive WannaCry ransomware attack, for example, shows how the interconnectedness of healthcare systems, and weak security practices, can put both organizations and patients at risk. The malware also affected Windows-based radiology devices at two U.S. hospitals, according to reports. The attackers took advantage of known vulnerabilities in the devices’ software. Many devices across the healthcare system use old software that is difficult to update, which means they are ripe for malicious actors to exploit.

Time to move cybersecurity from “top concern” to “top business priority”

Although cybersecurity is, and has been, a top concern for leadership at life sciences, pharmaceutical and medical device companies and their stakeholders, most of these businesses aren’t doing enough to ensure PII, IP and other vital data, and their critical systems and devices, are protected. There are several reasons for this, including:

  • Too much trust: Companies often outsource key critical functions, such as research and development, marketing studies and patient data analysis. Unfortunately, many companies feel that the risk of a data breach or hack is also outsourced to the business partner, and that the collaborative agreements they’ve established with their commercial or academic partners or contracted research organizations somehow guarantee security.
  • Lack of insight: Businesses may not dig deeply enough into their collaboration networks or supply chains when conducting cyber assessments to identify security gaps and other risks.
  • Too few resources: Many organizations in the industry are small and in startup mode, and therefore operate very lean. They devote most of their time and budget to research and development, which leaves them with little or no funding to put toward enhancing their cybersecurity. Also, many of these businesses rely on cost-effective and easy-to-access technology tools to store and share information, which means information could be exposed to malicious hackers if the tools are not configured and secured properly.

To improve cybersecurity, life sciences, pharmaceutical and medical device companies must stop viewing the issue as a top concern and treat it as a top business priority. As a starting point, these organizations should seek to answer the following questions:

  1. What information do we share with our strategic partners electronically and how is that data protected while in transit or stored? More companies than ever before, big and small, are now working with contract resource organizations (CROs). These CROs exchange sensitive and confidential data over electronic networks continuously, and the potential for loss, compromise or theft of PII or IP is high. Cybercriminals often will target the security weaknesses of third parties to gain access to a targeted company, using tactics such as phishing. Another risk area: Many businesses are relying on third-party vendors, i.e., cloud providers, to manage and store their data.
  2. How are our strategic partners handling our information physically at the research site? This question relates to the earlier point about companies’ lack of insight into their collaboration network. Organizations must understand how their information might be exposed in a lab environment or at a research site. The theft, by an insider, of a researcher’s notebook with details about a new drug formula or a medical device in development could spell the end for a company whose entire value is tied up in that irreplaceable IP.

Medical device companies have a third question they should consider (although, so too should the organizations and patients relying on these devices):

  1. What is the risk that our products could be hacked and/or controlled by malicious actors? The potential for medical device compromise is no longer in the realm of science fiction. And there were warnings that this would become a reality even as the Internet of Things was emerging. Back in 2014, for instance, the U.S. Federal Bureau of Investigation (FBI) issued a report warning that cyber attacks against healthcare systems and medical devices were likely to increase as more healthcare records were digitized and more medical devices were connected to the Internet.

Life sciences, pharmaceutical and medical device companies must think more critically about, and build a better understanding of, their cyber risk exposure and know what digital assets malicious actors would be most likely to target. When it comes to cybersecurity, these businesses would do well to trust less and question more. Failure to do so can put not only their brands and reputations at risk but their entire business — as well as, potentially, the lives of their patients.

Critical Condition: Cybersecurity in Healthcare

By Adam Brand, Director,
IT Security and Privacy

 

 

 

On June 2, the Health Care Industry Cybersecurity Task Force issued a draft of its Report on Improving Cybersecurity in the Health Care Industry, an analysis of how to strengthen patient safety and data security in an increasingly connected world.

The Congressional report, which sums up the state of healthcare cybersecurity to be in “critical condition,” may shock outsiders, but should come as no surprise to those in the industry, who are well-aware of the challenges and have been awaiting the report as a preview of potential future government regulatory action.

The report lists six imperatives, along with several recommendations and action items. The recommendations bring to the forefront several issues facing the healthcare industry — most notably the risk to patient safety. That’s a departure from the traditional focus on privacy and data protection, and suggests a regulatory gap that needs to be addressed quickly.

The release of this report could not have been timelier, coming on the heels of the debilitating worldwide “WannaCry” ransomware attack that forced hospitals in England to cancel surgeries. Last week we published a flash report that takes a deeper look into the Task Force’s document.

We think that organizations should not wait for the government to initiate solutions. Instead, healthcare providers and medical device makers should proactively increase efforts to bolster cybersecurity to avoid potentially overreaching or misaligned legislation.

In our flash report, we recommend that healthcare providers consider the following actions, tied to key themes of the report:

THEME: (providers) Existing efforts are not enough and patient safety is at risk.
ACTION: Expand cybersecurity efforts to include patient safety.

Healthcare leaders should note the emphasis on patient safety and ensure their cybersecurity program has fully addressed risks that could result in patient safety issues, not just a data breach.

THEME: (providers) Legacy devices are a significant problem.
ACTION: Create a concrete plan for legacy devices.

Develop a plan to phase out or update insecure legacy devices and operating systems, ideally over the next five years, and implement compensating controls such as network segmentation, enhanced monitoring and application whitelisting in the next 12 months to help address the near-term risk.

THEME: (providers) Lack of standard cybersecurity practices.
ACTION: Start formally aligning to a cybersecurity framework.

The report recommends that the Department of Health and Human Services (HHS) develop a health-care specific framework based on the minimum standard of security provided by the NIST Cybersecurity Framework and the HIPAA Security Rule. Health care organizations should begin now to think about how they would align their controls to the NIST CSF standard.

THEME: (manufacturers) Lack of cybersecurity focus; software development lifecycle (SDLC) gaps.
ACTION: Expand cybersecurity efforts, focus on SDLC.

Manufacturers should use the report as an opportunity to determine whether their medical device security program is adequate, given the increased attention on this area and the risks highlighted in the report. Specifically, manufacturers should be able to demonstrate clear security inclusion from new product model requirements through product retirement.

THEME: (manufacturers) Legacy systems are a hot-button issue.
ACTION: Increase activities for reducing numbers of in-use legacy devices.

To avoid negative impacts, manufacturers should work with healthcare providers to reduce the number of potentially compromised medical devices, through customer education and incentives.

THEME: (manufacturers) Minimum cybersecurity standards for medical devices.
ACTION: Work with industry peers to develop a standard.

We anticipate that future FDA device approvals will be contingent on meeting minimum cybersecurity standards. With the typical device development process of five to seven years, manufacturers need to collaborate now to get ahead of regulations and avoid business disruption.

The task force took a year to complete its report, and the result is a very thorough look at the challenges facing healthcare security today. Healthcare providers and medical device manufacturers would be well-served by a careful review of the report to determine how the adoption of these recommendations might affect their organizations.

Download the Protiviti flash report here.

Technology, Privacy and Cybersecurity Among Top Risks for Healthcare

Protiviti and North Carolina State University’s ERM Initiative teamed at the end of last year to survey directors and executives across a wide spectrum of industries for our fourth annual Executive Perspectives on Top Risks report. We are drilling down, over a series of blog posts, to provide insight into these executive perspectives within key industries and how these risks may have evolved since the survey was conducted. This post focuses on the healthcare industry.

 

Susan Haseley

By Susan Haseley, Managing Director
Healthcare and Life Sciences Industry Leader

 

 

 

A few years ago, several high-profile information security break-ins at banks and other consumer-facing outlets made the public all too aware of the cybersecurity dangers at financial institutions.

These days, it is healthcare organizations in the crosshairs.

When Protiviti and North Carolina State University’s ERM Initiative conducted a survey of directors and executives worldwide to identify the top risks that are on their minds, technology, privacy and cybersecurity figured as three of the top six concerns. When we zoomed in on the responses of our healthcare survey participants, disruptive technology, privacy concerns and cybersecurity figured as the third, fourth and fifth top risk, respectively. Perhaps more important, these risks saw the biggest upward change from last year.

There are several driving factors for these ratings:

With the continuing digitization of healthcare records and just about everything else, a lot of valuable information is online, ready to be hacked into. Not only do health records contain some of the same financial data as financial records, including Social Security and credit card numbers, but they also contain additional personal and highly sensitive information that can be used to forge IDs, obtain prescription medication, or even sign up for health benefits.

This has made health records much more lucrative than financial data. Patients can’t simply change their personal information like they can a credit card number. Once stolen, the information can be sold and resold, or used to inflict personal damage. If the hack is into a medical device, such as a pacemaker or an insulin pump, the personal damage can be fatal. This last issue is so serious that the FDA has issued a draft guidance specifically for medical device manufacturers. As you can imagine, healthcare providers that use those devices are seriously concerned.

In the last six months, these topics have been on every agenda of every board in which I participate.

This is not a theoretical concern. Organizations need to consider all the possibilities and potential responses, including:

  • How would the company respond to a cyber incident? What is the incident response plan and policy?
  • What will the company do if a cyber attack brings down the computer network? How will staff handle patients without access to their electronic records?
  • How will the organization handle the adverse publicity?

Given all this, I am not surprised that the concerns about risks surrounding technology and cybersecurity shot up this year, while traditional healthcare worry staples like regulation and healthcare reform costs dropped.

One silver lining is that with risk awareness comes action. And healthcare organizations really don’t have a choice when it comes to technological innovation and digitization. Patients demand it. Other healthcare providers are doing it. Electronic healthcare records are nearly universal, and patients demand access to information and their doctors from anywhere – on their phones, at work, while travelling. If a provider fails to innovate to meet these demands, the patients will go to the provider who does.

Healthcare institutions have another big incentive to continue innovating. The successful healthcare organization of tomorrow is not the one that treats disease but the one that manages the health of its patients. To figure out how to do that, healthcare organizations need to harness data – continuous information about their patients’ health that will help prevent many of the expensive and urgent procedures that keep costs up today. With the increased amount of data comes an increased need to protect the privacy and security of the sensitive information. Advanced technological solutions, data security and data analytics are simply part of becoming a successful healthcare organization.

I am interested in your take on our findings. Access the healthcare-specific findings of our Top Risks survey here.

Medical Devices and Cybercrime: Are Patients at Risk?

Jeff Sanchez By Jeff Sanchez, Managing Director, Information Security and Privacy Practice

 

 

Technology now allows doctors to connect remotely to an array of medical devices, from infusion pumps to CT scanners, improving both speed and quality of care. The miraculous Da Vinci surgical system has even opened the possibility of telesurgery, a process by which a surgeon in one country could perform even the most intricate of operations via a surgical robot.

Connectivity, however, also introduces new risks. What happens, for example, when cyberattackers, maliciously or as a byproduct of a separate attack, compromise patient safety and privacy?

It is a potentially catastrophic scenario, and healthcare organizations must take measures to avert such possibility before it happens.

Historically, medical devices have been viewed as standalone instruments rather than connected computers with software, which, essentially, is what they have become. Thus, it is understandable why medical entities haven’t applied the same security standards to medical devices as they have to other technologies.

Furthermore, medical professionals who use these devices – often from remote locations – are rarely provided with enough information or training to properly educate them about potential cyber risks.

The reality has shifted – the boundary between a medical device and a computer hooked up to a network is no longer clear. It is imperative for healthcare organizations to adjust to the new paradigm and take preventive steps now rather than later. Consider this:

  • More and more medical devices are connected to networks to deliver additional patient care options, but often without appropriate security controls.
  • These devices may have significant vulnerabilities, including hard-coded credentials and insecure communication protocols, which can result in the exposure of protected health information (PHI) and affect patient safety.
  • The FDA, FBI and Department of Homeland Security (DHS) have released multiple advisories on medical device security risks, and the FDA has published formal guidance on addressing the cybersecurity of medical devices.
  • The Office of Inspector General (OIG) at the Department of Health and Human Services has announced that it is including medical device security in its audits.

For many healthcare organizations, meeting regulatory requirements, such as HIPAA or Meaningful Use, has taken top priority – sometimes at the expense of allocating sufficient time and resources to address the risks posed by connected medical devices. But with cyberattacks and security incidents now regarded as common occurrences rather than exceptions, failure or delay to implement appropriate countermeasures is no longer acceptable. Indeed, leaders of healthcare organizations that haven’t prepared or responded to these emerging threats will find it difficult to explain their negligence should a medical device breach cause patient harm or violate patient privacy.

A small amount of preparation now can have a profound impact on ensuring patient safety and privacy. The first step is for an organization’s information security (IS) and biomedical teams to begin discussions to assess risks. It also is vital for key stakeholders – IS, legal, compliance and procurement – to understand what process improvements need to be made to limit the organization’s liability resulting from a medical device incident. Bridging the knowledge gap between these groups may require expert help.

Ultimately, healthcare organizations need to evaluate medical device security from a holistic, lifecycle perspective – from procurement, to implementation, maintenance and decommissioning. Such a comprehensive and proactive approach will not only help prevent the potential occurrence of cyberattacks, but minimize their damage when they do strike.

Is your organization at risk of a medical device cyberattack? Taking the precautions outlined here will not only protect the organization from negative repercussions, but also enable it to stay true to its commitment to patients and the first rule of medicine: Do no harm.