Cybersecurity Is a Top Priority for Pharmaceutical Organizations

Author: Vikram Venkateswaran
Date Published: 11 October 2022

In 2017, a large pharmaceutical consumer organization, whose identifying information is being protected here, fell victim to a ransomware attack. The attack disrupted production and customer deliveries in several countries. Consequently, the organization was unable to ship and invoice certain orders to customers prior to the close of the fiscal quarter. Since then, ransomware and malware attacks have grown manyfold, reaching an unprecedented number during the height of the COVID-19 pandemic. These attacks primarily targeted clinical research and research and development (R&D) infrastructure with the intention of conducting intellectual property (IP) theft of key research areas such as vaccines and COVID-19 treatments and therapies.1 As a result, many pharmaceutical organizations have begun to treat cybersecurity as a top priority.

In March 2021, a study conducted by Reposify revealed that almost 92% of the pharmaceutical organizations surveyed had had at least 1 database exposed.2 In addition, 42% of respondents had experienced exposure of their Server Message Block (SMB) protocol,3 which is used for interactions with partners and collaborators outside of an organization.

While these statistics are alarming, what is more critical is that the average cost of a breach of a pharmaceutical organization is close to US$5.3 million—1.3 times more than the average of other industries.4

There are 3 significant factors that have contributed to the increase in security measures in large pharmaceutical organizations:

  1. Digital transformation—Many organizations have accelerated their digital road maps, paying closer attention to key areas such as the cloud, artificial intelligence (AI) and machine learning (ML). The cloud saw a significant increase in investment, with industry estimates of a nearly 20-fold increase in cloud adoption among large pharmaceutical organizations.5 If the last several years belonged to the cloud, the next 5 will clearly be led by growth in AI and ML. Leveraging the additional compute power offered by the cloud and the increase in storage capabilities, many R&D functions in pharmaceutical organizations are looking for ways to introduce AI and ML. AI already is being used in areas such as peer review, scientific literature review and ligand identification. But the coming years will see AI and ML used in other areas such as clinical research, target identification and monitoring of the efficacy and toxicity of drugs. An increase in integration between clinical sites and technologies such as laboratory information management systems (LIMSs) is further enhancing the digital footprint of many organizations.
  2. Increase in mergers and acquisitions—Some large organizations have already begun to rebrand generic departments as separate entities and, in some cases, acquire brands from other organizations to consolidate their portfolios. This has led to a large increase in integration activities at both the process and technology levels. Out of 20 mergers and acquisitions studies captured by the Reposify study, nearly 70% led to a compromise in the security posture of the parent organization.6
  3. Increase in ecosystem collaboration—With the increase in partners in critical areas such as supply chain, R&D and clinical trials, many organizations are interacting with organizations outside of their firewalls. This exposes the organization to cyberattacks from outsiders who can leverage the vulnerabilities in a partner’s ecosystem.

While these are the key reasons pharmaceutical enterprises are paying more attention to security, there are other contributing factors, such as increased activity from threat actors from certain geographies and increased maturity in attacks, such as ransomware.

These circumstances have compounded and resulted in a change in strategy among technology leaders in pharmaceutical organizations. Leaders are now looking at 4 key parameters of cybersecurity:

  1. Cybersecurity strategy—Cybersecurity has become a boardroom discussion. Leaders today recognize the importance of having a robust cyber strategy and the emphasis is on preventive and proactive measures, including cyberassessments, cyber-war gaming7 and cyberincident response.
  2. Zero trust—In a Deloitte study, 70% of pharmaceutical technology leaders surveyed had already started working on a zero trust platform combining network, data and access at the time of the study.8 This is a significant step in enhancing and adding layers to cyberdefense posture.
  3. Cybersecurity for the ecosystem—With an increase in attacks such as the ones on the supply chain and distribution sectors, many pharmaceutical organizations are investing in third-party risk assessment for both technology and processes to enhance their ecosystems.
  4. Security awareness—According to a data breach report by Verizon, 22% of cyberincidents could be attributed to a lapse in internal processes.9 Keeping this in mind, many pharmaceutical organizations have undertaken awareness sessions and are measuring the effectiveness of the awareness sessions with mock phishing exercises.

The pharmaceutical industry is taking critical measures to enhance its cybersecurity posture. Pharmaceutical organizations continue to enhance their security operations by developing robust security operations centers (SOCs), investing in the right talent to increase maturity in their cybersecurity processes and using analytics to gain insights into their cyberposture. Cybersecurity is the key to business continuity and maintaining a sustainable competitive advantage in the marketplace and, as such, it is best to be prepared.

Endnotes

1 Jimenez, D.; “New Report Highlights Pharma Companies’ Vulnerability to Cyberattacks,” Pharmaceutical Technology, 29 July 2021
2 Reposify, Pharmaceutical Industry 2021: The State of the External Attack Surface, USA, 2021
3 Ibid.
4 Op cit Jimenez
5 Sharma, N.; “Cloud Computing Impact on Pharma Sector,” BioSpectrum, 13 July 2021
6 Op cit Reposify
7 Johnson, K.; “Cyber-War Gaming: A Cybersecurity Tabletop Exercise,” TechTarget, May 2022
8 Deloitte, “Indian Pharma Takes the Digital Leap: What Does It Mean for Cybersecurity?”
9 Verizon, 2021 Data Breach Investigations Report, USA, 2021

Vikram Venkateswaran is a director of Deloitte India’s risk advisory practice. He started his career as a clinician and transitioned into a cybersecurity and digital transformation role with a keen focus on the adoption of digital and emerging technologies in the life science and health care industries.