Managing Cyber Risk for Life Sciences Companies
Life sciences companies, including medical technology, digital health and pharmaceutical firms, hold vast amounts of vitally important information, and that data is a high-value target for cyber criminals. The average cost of a data breach in the pharmaceutical industry, including biomedical life sciences, is $5.2 million.[1] Intellectual property (IP) is highly prized data, and the object of 95% of all cyber attacks in the life sciences sector.[2]
A cyber attack can be devastating to a life sciences organization. Stolen IP can cause a firm to lose exclusive control over proprietary and confidential information, as well as its competitive advantage in the marketplace. Breaches of medical records can be costly to remediate and may lead to regulatory fines, reputational damage and loss of customer trust.
Because the odds of a cyber attack are high and the potential losses are so great, life sciences firms need to understand the risks and take proactive measures to protect their interests.
Understand the Risks
Several key factors are behind the growing cyber threats facing the life sciences sector:
- Life sciences IP is incredibly valuable. It may include formulas for drugs and blueprints for medical devices that are backed by years of research and clinical trials. These may be potentially life-changing for patients and could generate billions of dollars in revenue, which is why this information is of huge interest to hackers.
- Increasingly sophisticated cyber criminals are launching attacks that are motivated by corporate espionage or financial gain. These attacks can be crippling for life sciences companies and cost valuable time as companies work to restore critical files.
- Life sciences organizations often need to exchange confidential information with a wide range of partners and vendors, across borders and via the cloud. While the sharing and analysis of this data may expedite research and development, it can also increase the chances of IP and Protected Health Information (PHI) falling into the wrong hands.
- Supply chains are typically global, composed of many different international suppliers, which can add to a firm’s cyber vulnerability. Just one supplier without effective security controls presents a weak link that could allow cyber criminals to infiltrate organizations along the chain. Firms are also at risk if a supplier has access to their networks, and they may experience business continuity issues if a supplier falls victim to a cyber attack.
- Wireless, sensor-based medical devices, such as insulin pumps, are transforming patient care. But if security isn’t properly addressed, these devices run the risk of being tampered with, potentially harming patients and exposing sensitive patient information.
- The proliferation of consumer health and wellness technologies, including wearable devices, may present attractive targets for hackers. Infiltrated devices could create additional vulnerabilities for medical providers, device manufacturers and app or software companies if their connected data is also compromised in the hack.
- Mergers and acquisitions (M&A), which are frequent in the life sciences industry, carry their own risks: a data breach at a newly acquired company could compromise the value of the very IP for which the company was acquired.[3]
- Supply chain disruptions as a result of the COVID-19 pandemic could present new cyber exposures as life sciences companies re-shore their supply chains or seek new domestic suppliers.
Plan for the Inevitable
“Given the high value and sensitive nature of life science data, firms should engage strong cybersecurity controls on par with those of other highly regulated industries,” said Kirstin Simonson, Professional/Cyber Lead for Business Insurance at Travelers.
Taking these steps can help prepare for a cyber attack:
- Inventory your network assets and identify those that are critical. A third-party consulting firm can be especially helpful in bringing an objective perspective to this essential process.
- Segment your network to isolate critical and sensitive data from the data and tools that employees use every day. Segment backup data completely and store it offline.
- Restrict access to your organization’s most critical data to a small number of trusted employees.
- Require multi-factor authentication (MFA). The basic principle of MFA is that an authorized user must provide more than one method of validating their identity. Even if a cyber criminal has obtained a user ID and password, MFA decreases the risk that an attacker can gain access by requiring an additional means of validation.
- Work with your suppliers, vendors and cloud providers to create a security-first culture. Require them to maintain, at a minimum, the same security standards that your business maintains.
- Actively scan your network for unauthorized activities and anomalies, including any software that remote workers may download to their devices, which could put security at risk. Take prompt corrective action. Consider deploying an Endpoint Detection and Response (EDR) solution.
- Continually update your patch management strategies.
- Use a well-defined, customized framework of standards, guidelines and practices to reduce your firm’s cyber vulnerability and keep it up to date to ensure ongoing compliance. Make sure all involved are well-educated on their roles and have trained backups who can readily step in if the need arises. This includes development of strong remote access protocols.
- Build medical devices with cybersecurity in mind from the earliest stages of design through production.
- Train your employees to recognize and avoid social engineering tactics, such as phishing emails and malicious links that allow hackers to penetrate your network or otherwise create security vulnerabilities.
To further protect your business, set spam filters on high to discard as much junk mail as possible, and clearly flag emails that come from an outside sender so that recipients know before opening them.
Even with the most rigorous security measures in place, no life sciences business is completely protected from the threat of cyber crime. That’s where cyber insurance comes in. It can help cover the costs of an attack and legal claims resulting from a breach.
Travelers’ CyberRisk Tech™ offers broad, flexible coverage options to help protect your business against damages associated with an incident, including cyber extortion, data restoration, breach notification, business interruption, reputational harm and more. And, as a policyholder, you can take advantage of services to help mitigate the effects of cyber risk before, during and after an incident.
[1] Ponemon Institute, 2019 Cost of a Data Breach Report