Life Sciences, Pharmaceutical and Medical Device Companies Need to Trust Less and Question More to Keep High-Value Data Safe

 

By Sharon Lindstrom, Managing Director
Manufacturing and Distribution Industry Leader

and Scot Glover, Managing Director
San Francisco Life Sciences Practice Leader

 

Life sciences, pharmaceutical and medical device companies possess sensitive, high-value data that cybercriminals, hacktivists, unscrupulous competitors and other malicious actors aim to steal or otherwise expose. Personally identifiable information (PII), such as employee data and information about clinical trial participants, is a prime target for compromise. So, too, is intellectual property (IP), like drug formulas, proprietary software and manufacturing processes.

Adversaries are finding success with their campaigns: According to a 2016 study by the Ponemon Institute, which included pharmaceutical and medical device businesses, 90 percent of healthcare organizations (an all-inclusive category for all sectors participating in the survey) have suffered a data breach in the past two years. Ponemon estimates that those incidents cost the healthcare industry US$6.2 billion.

There are other cyber risks, too, that can be even more damaging. The recent, massive WannaCry ransomware attack, for example, shows how the interconnectedness of healthcare systems, and weak security practices, can put both organizations and patients at risk. The malware also affected Windows-based radiology devices at two U.S. hospitals, according to reports. The attackers took advantage of known vulnerabilities in the devices’ software. Many devices across the healthcare system use old software that is difficult to update, which means they are ripe for malicious actors to exploit.

Time to move cybersecurity from “top concern” to “top business priority”

Although cybersecurity is, and has been, a top concern for leadership at life sciences, pharmaceutical and medical device companies and their stakeholders, most of these businesses aren’t doing enough to ensure PII, IP and other vital data, and their critical systems and devices, are protected. There are several reasons for this, including:

  • Too much trust: Companies often outsource key critical functions, such as research and development, marketing studies and patient data analysis. Unfortunately, many companies feel that the risk of a data breach or hack is also outsourced to the business partner, and that the collaborative agreements they’ve established with their commercial or academic partners or contracted research organizations somehow guarantee security.
  • Lack of insight: Businesses may not dig deeply enough into their collaboration networks or supply chains when conducting cyber assessments to identify security gaps and other risks.
  • Too few resources: Many organizations in the industry are small and in startup mode, and therefore operate very lean. They devote most of their time and budget to research and development, which leaves them with little or no funding to put toward enhancing their cybersecurity. Also, many of these businesses rely on cost-effective and easy-to-access technology tools to store and share information, which means information could be exposed to malicious hackers if the tools are not configured and secured properly.

To improve cybersecurity, life sciences, pharmaceutical and medical device companies must stop viewing the issue as a top concern and treat it as a top business priority. As a starting point, these organizations should seek to answer the following questions:

  1. What information do we share with our strategic partners electronically and how is that data protected while in transit or stored? More companies than ever before, big and small, are now working with contract resource organizations (CROs). These CROs exchange sensitive and confidential data over electronic networks continuously, and the potential for loss, compromise or theft of PII or IP is high. Cybercriminals often will target the security weaknesses of third parties to gain access to a targeted company, using tactics such as phishing. Another risk area: Many businesses are relying on third-party vendors, i.e., cloud providers, to manage and store their data.
  2. How are our strategic partners handling our information physically at the research site? This question relates to the earlier point about companies’ lack of insight into their collaboration network. Organizations must understand how their information might be exposed in a lab environment or at a research site. The theft, by an insider, of a researcher’s notebook with details about a new drug formula or a medical device in development could spell the end for a company whose entire value is tied up in that irreplaceable IP.

Medical device companies have a third question they should consider (although, so too should the organizations and patients relying on these devices):

  1. What is the risk that our products could be hacked and/or controlled by malicious actors? The potential for medical device compromise is no longer in the realm of science fiction. And there were warnings that this would become a reality even as the Internet of Things was emerging. Back in 2014, for instance, the U.S. Federal Bureau of Investigation (FBI) issued a report warning that cyber attacks against healthcare systems and medical devices were likely to increase as more healthcare records were digitized and more medical devices were connected to the Internet.

Life sciences, pharmaceutical and medical device companies must think more critically about, and build a better understanding of, their cyber risk exposure and know what digital assets malicious actors would be most likely to target. When it comes to cybersecurity, these businesses would do well to trust less and question more. Failure to do so can put not only their brands and reputations at risk but their entire business — as well as, potentially, the lives of their patients.

Technology, Privacy and Cybersecurity Among Top Risks for Healthcare

Protiviti and North Carolina State University’s ERM Initiative teamed at the end of last year to survey directors and executives across a wide spectrum of industries for our fourth annual Executive Perspectives on Top Risks report. We are drilling down, over a series of blog posts, to provide insight into these executive perspectives within key industries and how these risks may have evolved since the survey was conducted. This post focuses on the healthcare industry.

 

Susan Haseley

By Susan Haseley, Managing Director
Healthcare and Life Sciences Industry Leader

 

 

 

A few years ago, several high-profile information security break-ins at banks and other consumer-facing outlets made the public all too aware of the cybersecurity dangers at financial institutions.

These days, it is healthcare organizations in the crosshairs.

When Protiviti and North Carolina State University’s ERM Initiative conducted a survey of directors and executives worldwide to identify the top risks that are on their minds, technology, privacy and cybersecurity figured as three of the top six concerns. When we zoomed in on the responses of our healthcare survey participants, disruptive technology, privacy concerns and cybersecurity figured as the third, fourth and fifth top risk, respectively. Perhaps more important, these risks saw the biggest upward change from last year.

There are several driving factors for these ratings:

With the continuing digitization of healthcare records and just about everything else, a lot of valuable information is online, ready to be hacked into. Not only do health records contain some of the same financial data as financial records, including Social Security and credit card numbers, but they also contain additional personal and highly sensitive information that can be used to forge IDs, obtain prescription medication, or even sign up for health benefits.

This has made health records much more lucrative than financial data. Patients can’t simply change their personal information like they can a credit card number. Once stolen, the information can be sold and resold, or used to inflict personal damage. If the hack is into a medical device, such as a pacemaker or an insulin pump, the personal damage can be fatal. This last issue is so serious that the FDA has issued a draft guidance specifically for medical device manufacturers. As you can imagine, healthcare providers that use those devices are seriously concerned.

In the last six months, these topics have been on every agenda of every board in which I participate.

This is not a theoretical concern. Organizations need to consider all the possibilities and potential responses, including:

  • How would the company respond to a cyber incident? What is the incident response plan and policy?
  • What will the company do if a cyber attack brings down the computer network? How will staff handle patients without access to their electronic records?
  • How will the organization handle the adverse publicity?

Given all this, I am not surprised that the concerns about risks surrounding technology and cybersecurity shot up this year, while traditional healthcare worry staples like regulation and healthcare reform costs dropped.

One silver lining is that with risk awareness comes action. And healthcare organizations really don’t have a choice when it comes to technological innovation and digitization. Patients demand it. Other healthcare providers are doing it. Electronic healthcare records are nearly universal, and patients demand access to information and their doctors from anywhere – on their phones, at work, while travelling. If a provider fails to innovate to meet these demands, the patients will go to the provider who does.

Healthcare institutions have another big incentive to continue innovating. The successful healthcare organization of tomorrow is not the one that treats disease but the one that manages the health of its patients. To figure out how to do that, healthcare organizations need to harness data – continuous information about their patients’ health that will help prevent many of the expensive and urgent procedures that keep costs up today. With the increased amount of data comes an increased need to protect the privacy and security of the sensitive information. Advanced technological solutions, data security and data analytics are simply part of becoming a successful healthcare organization.

I am interested in your take on our findings. Access the healthcare-specific findings of our Top Risks survey here.

Tackling Healthcare’s Growing Cybersecurity Crisis Starts With a Proper Risk Assessment

David StantonBy David Stanton, Director
Healthcare IT Security and Privacy

 

 

 

As electronic medical records continue to evolve into the de facto standard, healthcare organizations are reaping the cost reduction and business and economic benefits. These benefits are attributed to advanced storage methods, fluid application data sharing and real-time business-relevant analytics. But this progress has its downside, in the form of heightened attention from cyber criminals.

In 2014, healthcare organizations accounted for approximately 25 percent of all reported data breaches – the highest percentage of any industry sector. Even more cyber intrusions are expected in the coming years because of the growing demand for protected health information on the black market. Patient medical records – often exploited for medical identity theft, fraudulent insurance claims, expensive medical equipment and drug prescriptions – can be more valuable to cyber criminals than credit or debit card numbers, which can be cancelled and reissued easily. In 2013, complete health insurance credentials sold for US$20 apiece – approximately 20 times more than the value of a U.S. credit card number with a security code. (See the latest issue of PreView, Protiviti’s newsletter on emerging risks, for more on this troubling trend.)

In the face of this growing threat, what should healthcare leaders do right now? The first step toward protecting patient information is effective risk assessment. A legitimate security framework, such as the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity is a good benchmark from which to assess an organization’s cybersecurity capabilities. Though the use of the framework is voluntary, we support its risk-based approach to managing cybersecurity risk.

A good portion of healthcare organizations can use improvement in the area of cybersecurity risk assessment. According to responses of healthcare leaders who participated in a Protiviti survey about cybersecurity risk and the audit process, only slightly more than half (53 percent) of respondents said they address cybersecurity as part of their audit plan, and nearly half of those acknowledged that internal audit does not evaluate the organization’s cybersecurity program against the NIST framework.

Why the inaction? One reason is perhaps a false sense of security. Healthcare organizations traditionally have placed a strong focus on HIPAA compliance, which covers risk assessment – though not necessarily information security issues. Though HIPAA does require completion of a risk assessment, it does not call for best-practice execution of security controls and adversarial resiliency. Yet organizations continue to use the HIPAA standard as comprehensive risk assessment – potentially leaving themselves exposed to cybersecurity risk.

The availability of cyber insurance also may be contributing to healthcare organizations’ less-than-stellar adoption of a cyber risk assessment and lack of expediency around implementing typical good security hygiene found in other industries (e.g., patch management, encryption, asset management, system hardening, monitoring controls, etc.). But times are changing: Insurance providers are being more prescriptive about what security controls, technologies and processes must be in place to show proper due diligence and can outright reject a claim if preventive measures aren’t implemented before the occurrence of the incident. Cyber insurance also does not compensate for the reputational black eye caused by consumers’ perception of negligence in protecting their information.

The bottom line is this: Healthcare organizations must act now to reduce their cyber risk exposure. Initiating proper risk discussions certainly doesn’t guarantee the avoidance of a breach, or eliminate the risks completely. But it does prepare the organization to conduct five critical functions: identify, protect, detect, respond and – in the case of an incident – recover. The framework and assistance for conducting these functions are available – it’s a matter of taking the first step.