Cyber resilience: A high priority
The COVID-19 pandemic has accelerated digitalisation and automation in the pharma sector. But because the risk landscape of the pharma industry is huge, it also needs to build better resilience and resistance to cyber-attacks on a war footing.
The upheaval wreaked by the COVID-19 pandemic has ushered in sweeping digital and technological transformations across businesses. But it has also amplified the threat of data breaches and cyber-attacks.
Cybersecurity firm McAfee recently reported a “605 per cent increase in coronavirus-related cyber disruptions globally.” Companies engaged in research, science, and technology were the key targets, as per the report. Between July and September 2020, companies witnessed a 19 per cent rise in such attacks.
As Charlotte Dunlap, Principal Analyst at GlobalData, observes, “In a pandemic that is prompting accelerated digitisation, having integrated monitoring and observability cloud services is crucial to application lifecycle management for providing insight to app performance, efficiencies, and governance/security. Alongside the need to fast-track business transformations comes the risk of software bugs, security breaches, and performance bottlenecks.”
A mounting menace
The pharma sector, with a central role to play in the world’s response against the pandemic, has been forced to innovate in unprecedented ways. This, in turn, has accelerated digitalisation and automation in the industry. But it has also increased its susceptibility to cyber-attacks. Pharma and life sciences have seen a spate of cyber-attacks since the onset of the COVID-19 pandemic.
A report from BlueVoyant, a US-based cybersecurity firm, revealed that in 2020, eight renowned firms involved in the development of a COVID-19 vaccine faced targeted malevolent attacks. It also found that nation-state espionage aimed at stealing COVID-19 vaccine research data was growing.
Several pharma and life sciences companies in India too have been targeted by cybercriminals over the years, with Lupin and Dr Reddy’s Laboratories being recent examples.
“India is currently ranked as the sixth most vulnerable country where pharma companies are open to attacks from cybercriminals. Indian pharma companies are witnessing major cyber threats as they deliver affordable medicines on a large scale during the COVID-19 pandemic. These attacks can be directly attributed to the fact that India is one of the countries developing vaccines for COVID-19,” explains Vishal Jain, Director of Inspira Enterprise, a managed security services provider.
To understand India’s susceptibility to cyber-attacks, check out the box below.
An expanding threat landscape
Experts cite lack of effective cyber hygiene, virtualisation of businesses, increasing amount of data creation and storage, archaic infrastructures, remote working, compliance needs, state-sponsored attacks, growing network complexity, distributed networks etc. as chinks that add to pharma companies’ vulnerability to cyber-attacks.
Jain says, “In 2020, like many other industries, pharma companies are also undergoing a rapid digital transformation, with data being collected and managed online more than ever before. The enormous amount of data that resides with these companies is making them prominent targets of cyber-attacks. Even employee errors or negligence have been a weak link in compromising cyber hygiene.”
“Cyber threats that pharma companies are witnessing are due to multiple reasons like cloud migrations, the massive surge in remote work, distributed networks and acquisitions, an increasingly complex network, compliance requirements and so on,” states Pramod Sharda, CEO of IceWarp, India and Middle East, a company providing secured email communication and collaboration solutions.
“Two key factors are fuelling the rise of cyber-attacks and vulnerability of the pharma businesses, especially in the pandemic. Firstly, given the acceleration in virtualisation of businesses across the board, the attack surface has increased vastly, opening up more opportunities for cyber attackers to exploit. Secondly, now that the data is fragmented and confined to archaic infrastructures, the business vulnerability increases as a single data breach can set back the drug research processes by months or even years,” highlights Ramesh Mamgain, Country Manager, India & SAARC of Commvault, a data management and protection software company.
Data breaches and cyber-attacks on pharma and healthcare companies, which are privy to a lot of sensitive data, can wreak havoc with far-reaching consequences not only for the companies but for society at large.
An expert in technology law, GV Anand Bhushan, Partner, Shardul Amarchand Mangaldas & Co, says, “Typically when a pharma company bears the brunt of a cyber-attack, it can have a devastating impact on the company ranging from stolen IP, repeating clinical trials, contaminated drugs, physical damage and downtime, litigation, and lost revenue.”
He adds, “Data stolen from pharma companies is extremely valuable as hackers can sell personal patient information on the dark web that includes address history, financial information, and social security numbers which can later be used to commit identity thefts. In fact, a study conducted by the Ponemon Institute in 2018 revealed that each stolen record in the pharma sector was valued at $195 per record!”
Enlarging on the same theme, Sowmya Vedarth, Director, Deloitte, explains how ransomware attacks, which are becoming common in the pharma industry, have led to heavy reputational and financial losses to organisations. She cites the NotPetya ransomware attack on Merck in 2017 as an example. The attackers demanded $300 per computer as ransom for the compromised data.
“This led to worldwide operational disruption and forced the organisation to cease production of drugs and significantly impacted the company’s revenue for a long time, causing an estimated $870 million in damages,” she highlights.
Giving a recent example from the Indian scenario, Bhushan points out, “Such breaches go beyond the direct damage from lost data since cyberattacks and data theft affect the company’s valuation and lead to overall operational disruption as well. This was witnessed recently by Dr Reddy’s Laboratories whose stock prices came plummeting after a data breach was reported in its servers. The breach led to an overall disruption in its operations too since it had to shut down all its production facilities and isolate its data centres across the world.”
He goes on to elaborate, “The prospect of hefty fines and reputational damage are just the tip of the iceberg. If not handled swiftly and carefully, a data breach will have pharma companies entangled in lawsuits.”
“Organisations that collect and digitally store personal information are legally required to implement ‘reasonable’ data protection measures, and in case there is a data breach, the regulatory authorities will investigate the incident and impose hefty penalties if they find out that the organisation has not implemented them. This automatically implies that pharma companies as such will be subject to extensive scrutiny in such a scenario simply because they hold highly sensitive and critical information,” he explains.
“Further, depending on where the pharma company does business, it will be subject to notification requirements under applicable laws. For instance, be it the GDPR in the EU or the CERT-In Rules in India, companies are required to notify the regulatory authorities in the event of a data breach, and there can be serious consequences for businesses that fail to report a data breach. This once again suggests that a slight oversight by pharma companies while complying with notification requirements under applicable cybersecurity and privacy laws can entangle them in legal battles and investigations,” adds Bhushan.
“Pharma companies and other healthcare providers/groups are also at risk of losing the trust of patients and other stakeholders, losing intellectual property, loss of sensitive business information, and reduced trust for online activities, and so on,” points out Sharda.
Likewise, Vedarth hits the nail on the head when she reminds us, “The risk landscape of the pharma sector is immense and not just limited to financial and reputational damages, a cyber-attack might also lead to loss of human life.”
A sound defence is pivotal
So, an effective cybersecurity strategy is an absolute imperative for all the actors of the pharma industry and their partners as well.
But, how to go about this huge endeavour? Some experts in this field share their insights with us.
Jain from Inspira counsels, “Among the first steps to strengthen the cybersecurity programme is to perform a risk analysis. This will help them understand where their data is stored, who has access to it, where it is transmitted and destroyed. This simple test will reveal potential risks.”
“Organisations should have a holistic approach to ensure cybersecurity for their environment. This involves a combination of proactive measures such as the deployment of the essential technologies supplemented by 24/7 security monitoring, vulnerability assessment of the network and applications, threat hunting, security culture development of the employees and partners,” he further adds.
He says that the major pillars of an effective cybersecurity strategy are:
- Protect digital perimeter: Control access based on who and what is connecting. Create a network by providing secure remote access. Install integrated threat detection and defence tools like Firewalls, Intrusion Prevention System, service and traffic tool, Virtual Private Network encryption functionality, Wi-Fi Protected Access 2 (WPA2) for the network, email spam filters and sound web security strategies such as AV scanning, malware scanning and IP reputation awareness.
- Secure physical premises: Install security cameras and alarm systems equipped with motion sensors, mobile surveillance units.
- Guard intellectual property: Develop and enforce intellectual property safeguard policy, which ensures that all IP developed by members of the organisation belongs to the company, as well as nondisclosure agreements for employees and contractors, register the trademarks, along with any applicable patents.
Nitin Varma, MD, India & SAARC, CrowdStrike, opines, “Reactive strategies and use of legacy systems have put the sector in a vulnerable position. Healthcare organisations must equip themselves with modern tools which can support the sector to proactively fight against these adversaries. The recent attacks have made the sector realise the importance of cybersecurity and the need for dependable security solutions which can keep up with the evolving threat landscape. The nature of attacks witnessed in the recent past has shown us the sophisticated methods being used by adversaries.”
He opines that organisations should design their cybersecurity strategy around three aspects – People, Process and Technology.
He says, “They need to transition to endpoint detection and response (EDR) systems from traditional systems to keep up with the fast-evolving threat landscape. There must be a focus on understanding the elements of cloud security as it is critical for organisations to protect their cloud workload. It’s not just about new technology, security teams need to evaluate the effectiveness of a particular solution and maximise the use of the tools while streamlining people, processes and technology. Another important aspect is educating the employees or end-users in the organisation and making sure they have a basic understanding of the ways in which their systems can be compromised.”
Bhushan advises, “It is observed that pharma companies mostly focus only on protecting their manufacturing facilities with lesser importance being given to the protection of IP and data, and often have an incident response approach rather than a pre-emptive approach to ensure cyber-security. However, it is critical that pharma companies take a pro-active approach when it comes to cyber-security. That being the case, the cyber-security strategy should be holistic and comprehensive in nature that protects the organisation on the whole.
“Pharma companies should first identify the digital assets that they wish to protect, be it IP, drug compounds or patient information. They should then categorise the data depending on the nature of such data, i.e., whether it is personal, sensitive personal, or critical data. This process should categorise data that is at rest and in transit as well, after which they should analyse the existing protocols in place to identify the loopholes that need to be patched,” he elaborates.
Sharda feels that the following three aspects are ‘must-haves’ for the cybersecurity strategy of every company:
- Predictive analytics: Organisations can better scan risks, understand threats and be more informed in their decisions by leveraging Data Analytics. Making a prediction is a necessary component for staying ahead before any cybercrime activities come in your way.
- Regulation and supervision: Implement and enhance access restrictions ports to ensure that there is no unauthorised access.
- Training employees: Educate the workforce to prevent them from revealing any personal or financial information in an email and to not respond to email solicitations for this information.
He adds, “All employees and key stakeholders need to take this seriously and for the same, they need to consider cybersecurity best practices every day to help the organisation in order to avoid these types of incidents and fight against cyber-attacks.”
Vedarth informs that the fundamental pillars for ensuring an effective strategy are:
- Organisational: This consists of formulating and implementing policies and procedures which might be crucial for safeguarding sensitive data from an operational point of view.
- Technological: This requires organisations to constantly develop their technological capabilities in order to prevent a cyber-attack. Since cybercriminals also adapt to new technologies, it is imperative that regular technical advancements are made in networks and systems which may include using data masking and encryption techniques, anonymisation or pseudonymisation of sensitive data, patch and change management, security and incident monitoring, intrusion detection systems, data loss prevention, access control and privilege management tools, etc.
- Legal: A credible legal framework must be adopted by organisations that process sensitive data. Such standards must be approved by national legislation and must be compatible with international standards to provide an adequate level of security. Examples include Health Insurance Portability and Accountability Act, General Data Protection Regulation, Payment Card Industry Data Security Standard, Sarbanes-Oxley Act, etc.
Mamgain also reminds us, “As the IT industry makes further advancements in protecting data, so do individuals with malicious intent. We’re seeing a massive rise in ‘Hack for Hire’ services, with India being touted as a hack-for-hire hub. We are also continuing to see ransomware turning more evasive, with nation-state-like sophistication and targeting larger firms with multimillion-dollar ransom demands.”
He says, “We must not forget that cyber attackers today are as adept as the IT teams protecting the data, hence we need to leverage smart tools like AI and Machine learning to our advantage. With intelligent data management and protection solutions at the core, enterprises can secure their critical data on the go.”
“Virus scanners, firewalls and passwords alone no longer offer enough protection against hackers. The production and automation levels of process manufacturing plants are increasingly interconnected, both with each other and with the Internet. The advantages of connectivity, however, are accompanied by heightened susceptibility to sabotage and tampering through malicious software such as viruses, trojans and worms. There is no one-size-fits-all solution when it comes to cybersecurity. The solution must always be tailored to the circumstances at hand,” advises Sameer Kudalkar, Head – Sales and Partner Development, Process & Factory Automation at B&R Automation, an industrial automation solutions provider.
He says, “After all, the right security strategy depends on the processes, infrastructure and other local conditions. There is no one-size-fits-all solution when it comes to cybersecurity.”
Thus, ramping up cybersecurity involves a host of factors, and life sciences companies should draft and execute a strong, comprehensive and multi-pronged cybersecurity strategy which comprises various security controls across different domains and is customised to their needs.
Luckily, pharma companies are investing time and resources in fortifying their systems against cyber threats. They have increased their IT security budgets, are putting internal policies in place for better cybersecurity and are developing adequate protocols to avoid becoming victims of cyber-attacks, and this was the case even before the pandemic.
Even partners to the industry, who provide solutions to the pharma sector, are becoming more conscious of this aspect and are incorporating features to identify and block cyber-attacks.
For instance, Kudalkar from B&R Automation informs, “B&R encourages all its users to implement the measures they consider appropriate for their control system environment.”
He cites an example and says, “B&R provides dual firewalls for maximum security: The foremost rule for any plant is that they are isolated from higher-level systems by a secure perimeter network, known as a demilitarized zone or DMZ. Data from the system is first transferred to this perimeter network before it can be accessed from the outside. The perimeter network is guarded by either a triple-homed firewall, which enables it to be connected separately, or two firewalls from different manufacturers. In most cases, this solution provides enough time to detect and block an attack if the first firewall is breached.”
In another example, Unichem Laboratories was reportedly facing many problems, including high-end security and control. Managing and streamlining the processing of their products without altering their business activities was also a major concern. It recently migrated from a network email solution to IceWarp’s email and business collaboration suite. This solution promises to be more secure and efficient as it integrates office work in a single window for Email, TeamChat, and Storage and does not involve a third party.
Sharda says, “With our secured solution, it helps to avoid cyber risks, secure confidential and sensitive data, and manage domains to avoid email spoofing and malware attacks. Moreover, our solution is powered by CISCO Antivirus and anti-spam, and two-factor authentication, making it highly trustworthy among the sector.”
The Emerging Technology Trends Survey 2019 from GlobalData also reveals that more than 70 per cent of pharma executives who are responsible for the implementation of new and emerging technologies give priority to cybersecurity.
But there is a long way to go before the sector builds a defence which, if not completely impregnable, would be very difficult to assail. So it now needs to look beyond mere security and build resilience.
Cyber resilience is key
Cyber resilience, simply explained, is how well an organisation can manage a cyber-attack or data breach and contain its impact on business operations and revenue. So it is not just about a company’s IT environment but also about its capability to continue operating effectively after a cyber-attack.
It is time for enterprises to create a roadmap of the gaps faced on the security front and the critical investments required to make the organisation cyber resilient. The need is glaringly obvious. Cyber resilience minimises the adverse financial impact of an attack and goes a long way in reputation management.
Jain says, “The recent attacks have shown that organisations have been unsuccessful in creating a sustained cyber resilience framework. Even with the technologies being implemented, it needs to be complemented with an infrastructure to monitor the same 24X7, either through an in-house Security Operations Centre (SOC) or outsourced to a Managed Security Service Provider (MSSP). Security culture development approach is also something that the management should adopt as part of their corporate risk management framework.”
He adds, “Reactive capabilities like incident response process and forensics should also be adopted (by the sector). It is important to engage in both proactive and reactive cybersecurity measures to reduce the risk of probable attacks.”
This, in turn, necessitates a transformational mindset. Discarding the idea of impenetrability, cyber resilience works on the premise that attacks can happen at any time and disrupt operations. So steps must be implemented to prevent, respond to and recover from them. In this scenario, cybersecurity becomes a business objective and is everybody’s responsibility. Security best practices need to be embedded at all levels of the organisation.
Hopefully, the pharma sector will adopt it as a key goal in the time to come as it embarks on a journey of innovation and growth.