Express Pharma

Cyber resilience: A high priority

The COVID-19 pandemic has accelerated digitalisation and automation in the pharma sector. But because the risk landscape of the pharma industry is huge, it also needs to build better resilience and resistance to cyber-attacks on a war footing.

The upheaval wreaked by the COVID-19 pandemic has ushered in sweeping digital and technological transformations across businesses in its wake. But, it has also amplified the threat of data breaches and cyber-attacks.

Cybersecurity firm McAfee recently reported a “605 per cent increase in coronavirus-related cyber disruptions globally.” Companies engaged in research, science, and technology were the key targets, as per the report. Between July and September 2020, companies witnessed a 19 per cent rise in such attacks.

As Charlotte Dunlap, Principal Analyst at GlobalData, observes, “In a pandemic that is prompting accelerated digitisation, having integrated monitoring and observability cloud services are crucial to application lifecycle management for providing insight to app performance, efficiencies, and governance/security. Alongside the need to fast-track business transformations comes the risk of software bugs, security breaches, and performance bottlenecks.”

A mounting menace

The pharma sector, with a central role to play in the world’s response against the pandemic, has been forced to innovate in unprecedented ways. This, in turn, has accelerated digitalisation and automation in the industry. But, it also increased its susceptibility to cyber-attacks. Pharma and life sciences have seen a spate of cyber-attacks since the onset of the COVID-19 pandemic.

A report from BlueVoyant, a US-based cybersecurity firm, revealed that in 2020, eight renowned firms involved in the development of a COVID-19 vaccine faced targeted malevolent attacks. It also found that nation-state espionage aimed at stealing COVID-19 vaccine research data was growing.

Several pharma and life sciences companies in India too have been targeted by cybercriminals over the years, with Lupin and Dr Reddy’s Laboratories being recent examples.

“India is currently ranked as the sixth most vulnerable country where pharma companies are open to attacks from cybercriminals. Indian pharma companies are witnessing major cyber threats as they deliver affordable medicines on a large scale during the COVID-19 pandemic. These attacks can be directly attributed to the fact that India is one of the countries developing vaccines for COVID-19,” explains Vishal Jain, Director of Inspira Enterprise, a managed security services provider.

To understand India’s susceptibility to cyber-attacks, check out the box below.

An expanding threat landscape

Experts cite lack of effective cyber hygiene, virtualisation of businesses, increasing amount of data creation and storage, archaic infrastructures, remote working, compliance needs, state-sponsored attacks, growing network complexity, distributed networks etc. as chinks that add to pharma companies’ vulnerability to cyber-attacks.

Jain says, “In 2020, like many other industries, pharma companies are also undergoing a rapid digital transformation, with data being collected and managed online more than ever before. The enormous amount of data that resides with these companies is making them prominent targets of cyber-attacks. Even employee errors or negligence have been a weak link in compromising cyber hygiene.”

“Cyber threats that pharma companies are witnessing are due to multiple reasons like cloud migrations, the massive surge in remote work, distributed networks and acquisitions, an increasingly complex network, compliance requirements and so on,” states Pramod Sharda, CEO of IceWarp, India and Middle East, a company providing secured email communication and collaboration solutions.

“Two key factors are fuelling the rise of cyber-attacks and vulnerability of the pharma businesses, especially in the pandemic. Firstly, given the acceleration in virtualisation of businesses across the board, the attack surface has increased vastly, opening up more opportunities for cyber attackers to exploit. Secondly, now that the data is fragmented and confined to archaic infrastructures, the business vulnerability increases as a single data breach can set back the drug research processes to months or even years,” highlights Ramesh Mamgain, Country Manager, India & SAARC of Commvault, a data management and protection software company.

Catastrophic consequences

Data breaches and cyber-attacks on pharma and healthcare companies, which are privy to a lot of sensitive data, can wreak havoc, with far-reaching consequences not only for the companies but for society at large.

An expert in technology law, GV Anand Bhushan, Partner, Shardul Amarchand Mangaldas & Co, says, “Typically when a pharma company bears the brunt of a cyber-attack, it can have a devastating impact on the company ranging from stolen IP, repeating clinical trials, contaminated drugs, physical damage and downtime, litigation, and lost revenue.”

He adds, “Data stolen from pharma companies is extremely valuable as hackers can sell personal patient information on the dark web that includes address history, financial information, and social security numbers which can later be used to commit identity thefts. In fact, a study conducted by the Ponemon Institute in 2018 revealed that each stolen record in the pharma sector was valued at $195 per record!”

Enlarging on the same theme, Sowmya Vedarth, Director, Deloitte, explains how ransomware attacks, which are becoming common in the pharma industry, have led to heavy reputational and financial losses for organisations. She cites the NotPetya ransomware attack on Merck in 2017 as an example. The attackers demanded $300 per computer as ransom for the compromised data.

“This led to worldwide operational disruption and forced the organisation to cease production of drugs and significantly impacted the company’s revenue for a long time, causing an estimate of $870 million of damages,” she highlights.

Giving a recent example from the Indian scenario, Bhushan points out, “Such breaches go beyond the direct damage from lost data since cyberattacks and data theft affect the company’s valuation and leads to overall operational disruption as well. This was witnessed recently by Dr Reddy’s Laboratories whose stock prices came plummeting after a data breach was reported in its servers. The breach led to an overall disruption in its operations too since it had to shut down all its production facilities and isolate its data centres across the world.”

He goes on to elaborate, “The prospect of hefty fines and reputational damage are just the tip of the iceberg. If not handled swiftly and carefully, a data breach will have pharma companies entangled in lawsuits.”

“Organisations that collect and digitally store personal information are legally required to implement ‘reasonable’ data protection measures, and in case there is a data breach, the regulatory authorities will investigate the incident and impose hefty penalties if they find out that the organisation has not implemented them. This automatically implies that pharma companies as such will be subject to extensive scrutiny in such a scenario simply because they hold highly sensitive and critical information,” he illuminates.

“Further, depending on where the pharma company does business, it will be subject to notification requirements under applicable laws. For instance, be it the GDPR in the EU or the Cert-In Rules in India, companies are required to notify the regulatory authorities in the event of a data breach, and there can be serious consequences for businesses that fail to report a data breach. This once again suggests that a slight oversight by pharma companies while complying with notification requirements under applicable cybersecurity and privacy laws can entangle them in legal battles and investigations,” adds Bhushan.

“Pharma companies and other healthcare providers/groups are also at risk of losing the trust of patients and other stakeholders, losing intellectual property, loss of sensitive business information, and reduced trust for online activities, and so on,” points out Sharda.

Likewise, Vedarth hits the nail on the head when she reminds us, “The risk landscape of the pharma sector is immense and not just limited to financial and reputational damages, a cyber-attack might also lead to loss of human life.”

A sound defence is pivotal

So, an effective cybersecurity strategy is an absolute imperative for all the actors of the pharma industry and their partners as well.

But, how to go about this huge endeavour? Some experts in this field share their insights with us.

Jain from Inspira counsels, “Among the first steps to strengthen the cybersecurity programme is to perform a risk analysis. This will help them understand where their data is stored, who has access to it, where it is transmitted and destroyed. This simple test will reveal potential risks.”

“Organisations should have a holistic approach to ensure cybersecurity for their environment. This involves a combination of proactive measures such as the deployment of the essential technologies supplemented by 24/7 security monitoring, vulnerability assessment of the network and applications, threat hunting, security culture development of the employees and partners,” he further adds.

He says that the following are major pillars of an effective cybersecurity strategy:

  • Protect digital perimeter: Control access based on who and what is connecting. Create a network by providing secure remote access. Install integrated threat detection and defence tools like Firewalls, Intrusion Prevention System, service and traffic tool, Virtual Private Network encryption functionality, Wi-Fi Protected Access 2 (WPA2) for the network, email spam filters and sound web security strategies such as AV scanning, malware scanning and IP reputation awareness.
  • Secure physical premises: Install security cameras and alarm systems equipped with motion sensors, mobile surveillance units.
  • Guard intellectual property: Develop and enforce intellectual property safeguard policy, which ensures that all IP developed by members of the organisation belongs to the company, as well as nondisclosure agreements for employees and contractors, register the trademarks, along with any applicable patents.

Nitin Varma, MD, India & SAARC, CrowdStrike, opines, “Reactive strategies and use of legacy systems have put the sector in a vulnerable position. Healthcare organisations must equip themselves with modern tools which can support the sector to proactively fight against these adversaries. The recent attacks have made the sector realise the importance of cybersecurity and the need for dependable security solutions which can keep up with the evolving threat landscape. The nature of attacks witnessed in the recent past has shown us the sophisticated methods being used by adversaries.”

He opines that organisations should design their cybersecurity strategy around three aspects – People, Process and Technology.

He says, “They need to transition to endpoint detection and response (EDR) systems from traditional systems to keep up with the fast-evolving threat landscape. There must be a focus on understanding the elements of cloud security as it is critical for organisations to protect their cloud workload. It’s not just about new technology, security teams need to evaluate the effectiveness of a particular solution and maximise the use of the tools while streamlining people, processes and technology. Another important aspect is educating the employees or end-users in the organisation and making sure they have a basic understanding of the ways in which their systems can be compromised.”

Bhushan advises, “It is observed that pharma companies mostly focus only on protecting their manufacturing facilities with lesser importance being given to the protection of IP and data, and often have an incident response approach rather than a pre-emptive approach to ensure cyber-security. However, it is critical that pharma companies take a pro-active approach when it comes to cyber-security. That being the case, the cyber-security strategy should be holistic and comprehensive in nature that protects the organisation on the whole.

“Pharma companies should first identify the digital assets that they wish to protect, be it IP, drug compounds or patient information. They should then categorise the data depending on the nature of such data, i.e., whether it is personal, sensitive personal, or critical data. This process should categorise data that is at rest and in transit as well, after which they should analyse the existing protocols in place to identify the loopholes that need to be patched,” he enlarges.

Sharda feels that the following three aspects are ‘must-haves’ for the cybersecurity strategy of every company:

  • Predictive analytics: Organisations can better scan risks, understand threats and be more informed in their decisions by leveraging Data Analytics. Making a prediction is a necessary component for staying ahead before any cybercrime activities come in your way.
  • Regulation and supervision: Implement and enhance access restrictions ports to ensure that there is no unauthorised access.