
Managing cyber risk in Life Science organisations – a survival guide

Data, analytics, IoT, wearable technology and artificial intelligence create a significant growth opportunity for Life Science organisations: real-world data and artificial intelligence are expected to completely change R&D in pharmaceutical, biotech and medical device organisations. Digitalisation is forecast to transform manufacturing processes, supply chains and patient service delivery.

As data and data analytics become more critical to the success of Life Science organisations, cyber risk is becoming a major concern for them. According to a recent Accenture report, Life Science organisations are likely to lose USD 642 billion globally to direct cyber-attacks over the next five years. The report rates the Life Science industry's exposure second only to that of the high-tech industry, which it predicts will be robbed of USD 753 billion by 2024.

Why are Life Science organisations so vulnerable to cyber-attacks?

First and foremost, there is huge interest in the Life Science industry from a wide range of threat actors: criminals are drawn to the industry because it controls significant amounts of capital; hacktivists or extremists may consider the industry's activity contrary to their own ethical standpoint; and foreign states may look to disrupt critical drug and treatment supplies or steal technology to help their own domestic firms compete.

Second, Life Science firms typically hold highly sensitive information relating to products and medical research. The entire value chain of a Life Science organisation, from research and development to production and distribution, is hugely dependent on technology and the availability of data. In consequence, primary data integrity is crucial to Life Science organisations as they attempt to launch new drugs and products and maintain regulatory approval. In research and development, secrecy is paramount.

Moreover, some Life Science organisations hold a wealth of personally identifiable information and highly sensitive personal health information, with the latter becoming increasingly valuable to criminals. Whilst much of the clinical trial data leveraged across the value chain is anonymised, identifiable data is often collected at the adverse event management stage and as part of patient support programmes, and the volumes quickly mount.

We have observed cases of identity theft where hackers fraudulently gained access to prescriptions, medical treatment or government benefits. Worryingly, cyber security breaches really do begin to edge into literal life-and-death territory when there is the potential for product manufacture to be compromised or manipulated, for medication to be mixed up, or for patients to miss out on vital treatment.

Third, we observe that Life Science organisations are reliant on a large number of third parties, including IT providers, data collection firms, external advisors and analytics firms, as well as contract manufacturing organisations (CMOs) and clinical research organisations (CROs). The use of third parties means that businesses rely on systems and data over which they do not have complete control, making them even more susceptible to a cyber event. Increased automation within the production process and reliance on sensor technology for quality control and product delivery mean that 100% uptime must be guaranteed. An interruption in technology can quickly translate into a material business interruption event. Non-malicious events caused by employee error or system malfunction can be just as financially significant as cyber-attacks.

Finally, the industry has seen many mergers and acquisitions in recent years. Consolidation in the Life Science industry invariably involves merging disparate systems together and can lead to migration problems.

What key issues does the use of third parties raise for the Life Science industry?

The first is the allocation of responsibility and the need to understand how sensitive data flows and is managed. Who has ownership? What controls are in place and is there adequate clarity on liability should a breach occur? Given the criticality of data integrity, how do both parties validate that data remains correct and unchanged over time?
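The integrity question above, how two parties can confirm that a shared dataset is still correct and unchanged, is one that can be answered mechanically. The following is an added example, not code from the article or from Aon: the data owner produces a manifest of per-file SHA-256 hashes and authenticates it with an HMAC under a key shared with the third party, and the receiving party (or the owner, at a later audit) re-verifies both the manifest and the files. The dataset, file names and shared key are constructed for the illustration.

```python
import hashlib
import hmac
import json

# Constructed sample "dataset" handed from a sponsor to a CRO: file name -> bytes.
# These are made-up records, not real trial data.
SAMPLE_DATASET = {
    "subjects.csv": b"subject_id,arm,age\nS001,placebo,54\nS002,active,61\n",
    "adverse_events.csv": b"subject_id,event,serious\nS002,headache,N\n",
}

# Secret agreed out of band between the two parties (placeholder value for the example).
SHARED_KEY = b"example-shared-key-replace-in-practice"


def file_digests(files):
    """Return {name: sha256 hex} for every file in the set, in a stable order."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in sorted(files.items())}


def canonical_bytes(digests):
    """Serialise the digest map deterministically so both sides MAC identical bytes."""
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files, key):
    """Create a manifest: per-file hashes plus an HMAC-SHA256 over the hash map."""
    digests = file_digests(files)
    tag = hmac.new(key, canonical_bytes(digests), hashlib.sha256).hexdigest()
    return {"files": digests, "hmac": tag}


def verify_manifest(files, manifest, key):
    """Check the manifest's MAC first, then every file hash against the manifest.

    Returns (ok, problems); problems is a list of human-readable findings.
    """
    problems = []
    expected_tag = hmac.new(key, canonical_bytes(manifest["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, manifest["hmac"]):
        # If the manifest itself cannot be authenticated, its hashes are not trustworthy.
        problems.append("manifest HMAC mismatch: manifest altered or wrong key")
        return False, problems
    current = file_digests(files)
    for name, expected_hash in manifest["files"].items():
        if name not in current:
            problems.append(f"{name}: missing")
        elif not hmac.compare_digest(current[name], expected_hash):
            problems.append(f"{name}: content changed")
    for name in current:
        if name not in manifest["files"]:
            problems.append(f"{name}: not listed in manifest")
    return not problems, problems


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_DATASET, SHARED_KEY)
    print(verify_manifest(SAMPLE_DATASET, manifest, SHARED_KEY))
    tampered = dict(SAMPLE_DATASET)
    tampered["subjects.csv"] = tampered["subjects.csv"].replace(b"54", b"45")
    print(verify_manifest(tampered, manifest, SHARED_KEY))
```

The manifest can travel with the data and be re-checked at any later point in the relationship, which gives both parties the same evidence about whether a record was altered in transit or while held by the other side. A digital signature could replace the HMAC where the two parties do not want to share a secret.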

Secondly, the more third parties a Life Science company interfaces with, the more entry points there are into its network and the harder it is to maintain control over IT security. The use of third-party IoT devices and the pervasive use of sensor and wearable technology, coupled with the need for collaboration at different stages of the value chain and product lifecycle, mean that third-party network access levels must be constantly amended, making it difficult for IT teams to keep up.

Lastly, if a Life Science organisation uses a third party for manufacturing, then any outage the manufacturer suffers can have a sizable impact, both upstream and downstream. There is very little that can be done to mitigate this from a technical perspective: the organisation's IT team cannot maintain that degree of control over an environment it does not run, and cannot rely on its own Security Information and Event Management (SIEM) and other proactive monitoring systems there. In this situation Life Science firms are forced to spread sensitive data to third parties, and must evaluate the risk that this introduces through non-technical means. Outsourcing production, whilst cost effective in many instances, reduces the organisation's control over the Operational Technology (OT) environment used in production. The organisation is then reliant on the third party to both prevent and respond to a cyber event that hits that OT environment.

How does the growing threat to cyber security exacerbate this?

Criminal actors are becoming savvier by the minute and now actively look for chinks in a company’s security armour, wherever they may be. Rather than targeting a major organisation head on, hackers know they are likely to have more success if they compromise a small third party. They then look to leverage the trust between the two organisations to penetrate perimeter controls.

Pioneering technology, such as AI and blockchain, means that the overall playing field is changing all the time, making it hard to keep up with new developments and remain secure. The scale of the infrastructure means that maintenance costs can be extremely challenging, driving firms to look to cloud solutions to remain competitive and achieve scale quickly. Life Science firms find themselves caught between the need to move quickly and the need to remain safe, a classic business / security dichotomy.

What should firms be doing to reduce third party provider risk?

The first thing is to get a handle on what the risk actually looks like: how many third-party relationships are there, and how critical is each of them? Once the picture is understood, a Life Science organisation can begin to focus on the third parties with the greatest exposure, as it would be impossible to manage everything with the same level of scrutiny. The focus should then be on questions such as: is that third party's network access appropriate? Should we look to streamline our third-party provider base?

Once these third parties have been identified, responsibility must be clearly defined: who will have ownership of the protection of the data, or will it be shared? What is the level of dependence on the third party from a production standpoint? If possible, firms should ensure they have contractual rights to audit their third parties' security environments. The network access that third parties have should be tightly controlled and limited to business-critical areas. Contractual liabilities should also, where possible, reflect the relative exposure that a third party introduces. One example of best practice that we have seen involved a major pharma's security team developing a close working relationship with the IT team of its third-party CMO to upskill them, helping them improve the security of their environment with a hands-on approach. Both benefited from increased security and a better understanding of the risk environment.

Can we learn from any mistakes that have already been made?

There are a couple of obvious points: don't be overconfident, and don't rely on purely technical solutions, as real problems can result from employee or engineering mistakes. Beyond this, don't underestimate the costs associated with a potential outage event. Life Science organisations should develop critical scenarios and stretch their disaster recovery plans to deal adequately with cyber events. Response capabilities must be tested regularly against different scenarios to ensure firms aren't just repeating the same exercise without learning from it. It is important to keep both business interruption and data breach scenarios in mind during response planning, as the management of these events can vary significantly.

Response plans should link business and technical responses to the key drivers of exposure; for example, is the event going to lead to customer churn and liability settlements? If so, how can this be minimised through PR plans, the provision of credit monitoring and other tactical deployment of resources? Can assurance be provided that any data lost was robustly encrypted? How would this response be financed? Developing a clear game plan ahead of time can dramatically reduce the cost of an event when it occurs.

Cyber insurance is increasingly relevant as part of an organisation's overall cyber resilience and risk reduction. Among many other benefits, effective insurance can be used to bolster client responses, allowing quick access to expert forensic responders and legal advice, in addition to mobilising incident response and crisis management plans with experts who have managed numerous past events. Furthermore, it provides an additional layer of financial security by transferring cyber volatility off the balance sheet and into the insurance market. When taking out cyber cover it is important to examine how it can dovetail with existing insurance programmes to optimise its effectiveness and to ensure that the response is tailored to your individual risk profile and transfer needs.

If you would like to talk about any of the issues raised in this article, please contact:

Christopher Scott
Aon Global Risk Consulting

Lars Sorensen
EMEA Life Science & Pharma Industry Specialty