Life Sciences, Pharmaceutical and Medical Device Companies Need to Trust Less and Question More to Keep High-Value Data Safe

 

By Sharon Lindstrom, Managing Director
Manufacturing and Distribution Industry Leader

and Scot Glover, Managing Director
San Francisco Life Sciences Practice Leader

 

Life sciences, pharmaceutical and medical device companies possess sensitive, high-value data that cybercriminals, hacktivists, unscrupulous competitors and other malicious actors aim to steal or otherwise expose. Personally identifiable information (PII), such as employee data and information about clinical trial participants, is a prime target for compromise. So, too, is intellectual property (IP), like drug formulas, proprietary software and manufacturing processes.

Adversaries are finding success with their campaigns: According to a 2016 study by the Ponemon Institute, which included pharmaceutical and medical device businesses, 90 percent of healthcare organizations (an all-inclusive category for all sectors participating in the survey) have suffered a data breach in the past two years. Ponemon estimates that those incidents cost the healthcare industry US$6.2 billion.

There are other cyber risks, too, that can be even more damaging. The recent, massive WannaCry ransomware attack, for example, shows how the interconnectedness of healthcare systems, and weak security practices, can put both organizations and patients at risk. The malware also affected Windows-based radiology devices at two U.S. hospitals, according to reports. The attackers took advantage of known vulnerabilities in the devices’ software. Many devices across the healthcare system use old software that is difficult to update, which means they are ripe for malicious actors to exploit.

Time to move cybersecurity from “top concern” to “top business priority”

Although cybersecurity is, and has been, a top concern for leadership at life sciences, pharmaceutical and medical device companies and their stakeholders, most of these businesses aren’t doing enough to ensure PII, IP and other vital data, and their critical systems and devices, are protected. There are several reasons for this, including:

  • Too much trust: Companies often outsource key critical functions, such as research and development, marketing studies and patient data analysis. Unfortunately, many companies feel that the risk of a data breach or hack is also outsourced to the business partner, and that the collaborative agreements they’ve established with their commercial or academic partners or contracted research organizations somehow guarantee security.
  • Lack of insight: Businesses may not dig deeply enough into their collaboration networks or supply chains when conducting cyber assessments to identify security gaps and other risks.
  • Too few resources: Many organizations in the industry are small and in startup mode, and therefore operate very lean. They devote most of their time and budget to research and development, which leaves them with little or no funding to put toward enhancing their cybersecurity. Also, many of these businesses rely on cost-effective and easy-to-access technology tools to store and share information, which means information could be exposed to malicious hackers if the tools are not configured and secured properly.

To improve cybersecurity, life sciences, pharmaceutical and medical device companies must stop viewing the issue as a top concern and treat it as a top business priority. As a starting point, these organizations should seek to answer the following questions:

  1. What information do we share with our strategic partners electronically and how is that data protected while in transit or stored? More companies than ever before, big and small, are now working with contract resource organizations (CROs). These CROs exchange sensitive and confidential data over electronic networks continuously, and the potential for loss, compromise or theft of PII or IP is high. Cybercriminals often will target the security weaknesses of third parties to gain access to a targeted company, using tactics such as phishing. Another risk area: Many businesses are relying on third-party vendors, i.e., cloud providers, to manage and store their data.
  2. How are our strategic partners handling our information physically at the research site? This question relates to the earlier point about companies’ lack of insight into their collaboration network. Organizations must understand how their information might be exposed in a lab environment or at a research site. The theft, by an insider, of a researcher’s notebook with details about a new drug formula or a medical device in development could spell the end for a company whose entire value is tied up in that irreplaceable IP.

Medical device companies have a third question they should consider (although, so too should the organizations and patients relying on these devices):

  1. What is the risk that our products could be hacked and/or controlled by malicious actors? The potential for medical device compromise is no longer in the realm of science fiction. And there were warnings that this would become a reality even as the Internet of Things was emerging. Back in 2014, for instance, the U.S. Federal Bureau of Investigation (FBI) issued a report warning that cyber attacks against healthcare systems and medical devices were likely to increase as more healthcare records were digitized and more medical devices were connected to the Internet.

Life sciences, pharmaceutical and medical device companies must think more critically about, and build a better understanding of, their cyber risk exposure and know what digital assets malicious actors would be most likely to target. When it comes to cybersecurity, these businesses would do well to trust less and question more. Failure to do so can put not only their brands and reputations at risk but their entire business — as well as, potentially, the lives of their patients.

Public Breach Disclosure Laws Up the Ante on Security – But Do They Work as Intended?

david-taylorkall-loperBy David Taylor, Managing Director
Technology Consulting, Security and Privacy

and Kall Loper, Director
Technology Consulting, Security and Privacy

 

On January 3, The Massachusetts Office of Consumer Affairs and Business Regulation announced that it will report all data breaches to a publicly accessible state website. Previously, this information could only be obtained with a public record request. The new site includes summary information of the breach and is organized by year. The breached organization’s name, the magnitude of the breach and the type of information exposed (Social Security numbers, credit card numbers, etc.) are included in the summary, among other details.

The Massachusetts office’s decision follows other recent examples of states tightening their breach notification statutes and definitions of what constitutes sensitive information. Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have all enacted laws requiring companies transacting business with residents of their state to report data breaches.

Any law that intends to protect consumers is, on its face, a good one. However, we feel that a direct, pain-stimulus motivation such as Massachusetts’ public breach notification reporting may work against a more effective approach to remediation by forcing short-term, technical responses that do not necessarily ensure security over the long term.

Faced with a public breach disclosure, there is a tendency for companies to seek to end the pain of public exposure as quickly as possible. But rather than encouraging breached companies to address the complex causes of the breach, public breach reporting encourages narrowly tailored investigations and short-term remediations. A quick-to-implement response such as a firewall or an intrusion detection system may remediate the specific problem found, but not the class of vulnerabilities, or any security architecture failings, employee practices or organizational data use patterns.

Often, system-wide vulnerabilities are not addressed for fear of finding more problems that require reporting, potentially causing further erosion of public confidence, brand value or market capitalization. This ostrich-like approach is surprisingly common, and lengthy, expensive lawsuits are often the result. Unfortunately, direct reporting laws, like the recent one from Massachusetts, only intensify the desire to avoid further discovery for fear of immediate penalties.

In addition to the business risks mentioned above, a technical knowledge gap often holds companies back when it comes to remediating the vulnerabilities leading to the breach. Holistic breach recovery requires a broad range of capabilities, from expertise in technical security practices and organization security practices, like identity and access management, to expertise in public relations, legal and electronic discovery processes, project management and information governance policies.

Without an appropriate formulation of goals and planning, a post-breach remediation can be an expensive exercise in seeking psychological comfort and not much more. Vendors will flock to the breached company’s executives with “solutions” that often do not address the root causes of the organization’s failure. Solution-based answers are good if the goal is to show a lot of activity and reportable benefits; however, when the cash stream ends, the solution vendors depart, leaving the company without a long-term plan toward a more secure organization.

Effective post-breach remediation is a planned set of specific activities that ultimately becomes part of the ongoing information security structure. Among these activities are:

  • Organizational change to address the security practices of end users through employee training and implementation of a company-driven plan to grow security awareness
  • Information policies that take into consideration data protection priorities and are designed to eliminate unnecessary risk and minimize unavoidable risk
  • Information governance, to make information available only to those who need it, but also keep it accessible and flexible based on the company’s needs
  • Agile and responsive security through solutions appropriate to the company’s sustainable efforts and long-term goals.

The developments in laws intended to protect consumers’ personal information from exposure point to a trend – there will be more, not less, required of companies in that regard. The sooner and more comprehensively the complex causes of the breach are addressed, the less there is a chance of a repeated event. Only through a comprehensive and thoughtful response will companies lessen the long-term damage to their public image, brand value and bottom line.

A Matter of Trust: Taking a Look at the CISA Controversy

Kurt UnderwoodBy Kurt Underwood
Global Leader of Protiviti’s IT Consulting Practice

 

 

 

Back in October, we issued a Flash Report on a senate move regarding a proposed law that has spurred controversy at home and abroad. The bill is intended to improve cybersecurity in the United States through enhanced sharing of threat information.

Now out of committee, and potentially up for a floor vote in the Senate soon, the Cybersecurity Information Sharing Act (CISA) would allow (but not require) the sharing of Internet traffic information between U.S. government agencies and technology and manufacturing companies, making it easier for companies to share cyber threat information with the government.

The bill provides legal immunity from privacy and antitrust laws to companies that provide threat information from, say, the private communications of users, to appropriate federal agencies and other companies. It also permits private entities to monitor and operate defensive countermeasures to detect, prevent or mitigate cybersecurity threats or security vulnerabilities on their own information systems, and, under certain conditions, the systems of other private or government entities.

Although the bill includes provisions to prevent the sharing of personally identifiable information (PII) irrelevant to cybersecurity, some worry whether those protections are adequate.

The U.S. Chamber of Commerce, National Cable & Telecommunications Association, and other advocacy groups support the measure, on the grounds that the information in question is already flowing freely to spies and criminals around the world. Others, including the Computer and Communications Industry Association and various prominent technology companies, oppose it as a violation of personal privacy.

In the end, it all boils down to trust. Repeated high-profile security breaches of PII and other sensitive data have raised questions regarding the ability of government and large corporations to secure their data. It is interesting to note that the Department of Homeland Security, the designated entry point for all submitted data under the proposed law, is among those opposed to the bill.

The concern crosses international borders. A European court recently struck down an agreement that previously allowed U.S. companies to import the personal information of EU citizens and store that information within the United States. The agreement was called into question over a lawsuit questioning the protection of PII from the U.S. government.

For a more detailed analysis of CISA, you can download the Protiviti Flash Report, Proposed Cybersecurity Information Sharing Act Sparks Controversy. I am interested in your take on the issue in the comments section below.

Mobile Health Apps

Pretty much everyone I know – and I’ll bet everyone you know – uses a mobile device of some kind. In fact, more than 130 million people in the United States own smartphones, and almost half have slept with a phone next to the bed (hopefully they don’t put it under their pillow!). It’s also estimated that half have used them to obtain health-related information, and that about 20 percent have installed a health-related app (so-called mHealth, a term used for the practice of medicine and public health with the help of mobile devices). In fact, I’ve read reports that five years from now, 100 million people will be using mHealth and various mobile fitness apps. And we’re not just talking about application for industrialized nations; the mHealth field has emerged in recent years largely as an application for developing countries, where mobile phone penetration is increasing rapidly. In developed and developing countries, mHealth is rapidly becoming a means of providing greater access to larger segments of the population, as well as improving the capacity of their health systems to provide quality care. Thus, mHealth is a big deal.

Protiviti’s recent white paper, “mHealth: How Mobile Apps Can Help Health Plans Improve Consumer Engagement and Facilitate Behavior Change,” recently took a close look at the mHealth space and identified multiple opportunities for health plans to use mobile app technology. Our research confirms that member engagement via mobile telephony can improve member satisfaction, loyalty and retention. It also can be a key strategic weapon against rising medical and administrative costs and reform uncertainty, and facilitate interaction with health exchanges and accountable care organizations.

I’d like to make a couple additional points about mHealth apps:

  • The federal government is already deeply invested in mHealth and patient engagement. The Department of Health and Human Services set up a Text4Health task force to provide mHealth recommendations directly to the secretary. It also established a SmokefreeTXT program for smoking cessation, and TXT4Tots, a text messaging library with evidence-based information on nutrition and exercise.
  • In the private sector, Aetna, Humana, Florida Blue and Kaiser Permanente are among several high-profile examples of health plans maximizing mHealth apps.
  • mHealth vendors are already servicing payers which need engaging mobile content for users – but too often use communications written by clinical staff using clinical terminology. Sensei Health stands out in this; it uses writers with diverse backgrounds – including comedians, in some cases – to compose several versions of a standard message, then tracks users’ response rates to each and sends future communications in the most popular style.

I note all this to give you an idea of the potential of mHealth apps for better member engagement. But organizations have to put some effort into it. To be successful, mHealth programs must get personalized information into members’ hands when their members want it – and not use mobile apps only to reduce administrative costs. They’ll need a comprehensive mHealth strategy in order to do this right. Companies don’t want to do it poorly and alienate the members they’re trying to engage.

Ask the senior management in your organization:

  • How can our plan maximize mHealth to optimize member engagement and facilitate behavior change?
  • How can we provide a secure environment for the exchange of sensitive personal information?
  • How can we integrate mHealth information into existing workflows?

The Protiviti white paper on mHealth apps provides details on key issues like patient privacy and data security. I encourage you to check it out.

Jim