A prescription for better cybersecurity


Pankit Desai, Co-founder and CEO, Sequretek, stresses that implementing tighter security measures is the need of the hour for the pharma industry

Threat scenario 1: Pankaj Mishra* sits in his corner cubicle seemingly tying up loose ends at his current job as a clinical trial specialist at a mid-scale research company which performs the majority of the clinical trials for one of the largest pharma companies in the country. He is due to leave in a fortnight, but his exit interview has not gone as well as expected.

Threat scenario 2: Imagine that you are the Head of Research at one of the biggest pharma companies in the country, and one day your IT department tells you that your computer has been hacked and all data has been breached.

The above examples may sound like the teaser to the latest Netflix show but, unfortunately, these are real-life situations for pharma companies, the latter of which occurred in India. Although regulators and experts in India have been working hard to shore up India Inc’s cyber defenses, the diversity and complexity of cyber attacks have expanded, making it seem as though the regulators and experts can only play catch-up. In the past couple of years alone, according to Cisco’s 2018 Annual Cyber Security Report, India Inc has suffered damages amounting to USD 500,000 from cyber attacks across sectors such as pharmaceuticals. Take the example of NotPetya: India was the most affected country in the Asia-Pacific, and the seventh most affected in the world, by this malicious software.

The pharmaceutical sector has become particularly vulnerable to cyberattacks. While sectors like banking and utility companies such as electricity providers have implemented tighter security measures, the healthcare sector seems to lag behind, even globally. According to consulting firm Crown Management Records, more than half the pharma companies worldwide have experienced data breaches and at least a quarter of them have been hacked. The NotPetya malware has made American pharma giant Merck bleed more than USD 300 million per quarter, disrupted its operations worldwide, and affected its research and manufacturing verticals. Healthcare records, corporate espionage, leakage of confidential data, and insider threats from disgruntled or unreliable employees make the sector increasingly vulnerable to cyberattacks. Unlike the banking sector, where the main vulnerability can be identified as the financial records of customers, cyber attacks in the pharma and healthcare sector in general get more personal and real, as personal information regarding a patient’s family, financials, health, and insurance records is exposed. Companies and security experts alike need to recognise that the pharmaceutical sector hosts a lot of sensitive information that is financially valuable to many who do not have access to it, which magnifies the threat levels for the companies.

The Indian pharmaceutical sector is just as vulnerable, given its increasing importance in the global pharma space. The Indian Brand Equity Foundation (IBEF) estimates that by 2020, the Indian pharmaceutical sector will likely be among the top three worldwide in terms of incremental growth, and is expected to touch USD 100 billion by 2025. Indian pharma companies are also the largest providers of generic drugs, with exports to more than 200 countries. According to a report by Assocham, the drug formulations market in India is expected to cross USD 20 billion by the end of 2019.

Relaxed FDI guidelines, policies such as ‘Pharma Vision 2020’, and the influx of sub-licence contracts to Indian pharma companies spur growth, but at the same time they also increase the threats that the sector faces. For these companies, while financial damages are calculated to measure losses, the value of a drug formula or sensitive information falling into the wrong hands is priceless. Unfortunately, most high security measures seem restricted to R&D labs alone, and do not extend along the network and verticals through which this data might be used or accessed. This is especially true for Contract Research Organisations with whom the data will certainly be shared, but who may not share the same security protocols.

Geo-political and black-market threats

When it comes to the value of global innovation, pharmaceutical R&D chains are some of the most valuable properties in the world. Cybercrime has become more sophisticated: it is no longer the brilliant lone hacker out for some juvenile fun, but falls in the same range as organised crime, some of it even carried out by nation states. No wonder, then, that governments around the world are also getting edgy about cybersecurity within their borders. A strong example can be found in India’s alleged opposition to the takeover offer by the Chinese pharmaceutical group Shanghai Fosun for India’s Gland Pharma. Indeed, geo-political cybersecurity threats are among the most significant threats for pharmaceutical companies.

Operational loopholes in pharmaceutical companies are particularly lucrative to organised crime groups who access these to steal prescription drug data for black market sales. Another threat comes in the form of hackers substituting counterfeits for actual drugs in the supply chain, thereby supplying pharmacies, and eventually, consumers with counterfeit drugs. A recent example of this includes counterfeits for anti-rejection, cancer and diabetic medications being sold on the internet and the black market. In black markets, medical records of individuals can fetch anywhere up to USD 250. Even healthcare providers in sophisticated markets like the UK and the US have fallen prey to health and personal information record thefts. If these security breaches are not found or resolved, and patient lives are endangered and lost, the pharma companies expose themselves to punitive damages, lawsuits, and repeats of clinical trials, which will set the company and, indeed, the sector back by years and accrue extreme financial costs.

Hackers are in it for a long haul

It is rather obvious that the theft of intellectual property and drug formulae, and of the manufacturing processes behind them, poses the biggest cyber security threat to pharma companies. Rival nation states are a particularly interesting actor in this space. This is one aspect in which pharma companies’ scale of cyber threat differs. Booz Allen experts note that pharma hackers are usually in it for the long haul. Hackers or their plants tend to stay in the process from research, conceptualisation, and development through to the post-marketing phase. Once upon a time the research function was akin to shooting in the dark, but with the evolution of knowledge and technology, research has become a more targeted and focused function. Corporate espionage in the form of theft of IP for molecular formulae, for example, can delay production and destroy the quality of the final product. Increased digitisation and data analytics in the sector offer avenues for operational efficiencies and enhanced productivity; however, the increased global inter-connectedness calls for more stringent protocols and for security to be interwoven into design and manufacturing processes. Like many other sectors, the pharmaceutical sector has also been looking at IT security in isolation rather than using it as a critical delivery function to enable higher performance.

While IP and loss of drug formulae is still considered the largest vulnerability in the pharma cyber security space, insider threat certainly comes in second place. Greed, revenge, threats and blackmail are some of the key drivers for insider theft of data, which, not surprisingly, accounts for more than two-thirds of hacking in the pharma space. Lack of employee awareness and education about what constitutes risk is also a huge concern for pharma companies. For example, the fine-tuning of active ingredients to conceptualise drug-like entities on inadequately secured company devices poses a significant threat to the organisation. Instant messaging platforms among employees are also avenues for data theft and rogue code. Consistent training in not clicking on suspicious links even if they come from legitimate senders known to the employees, not storing sensitive information on cloud services and data cards that do not belong to the organisation or taking them off the premises, addressing the lack of data encryption and access control, security for the remote devices of executives working from home, and exit processes for employees are all important measures to put in place to beef up cybersecurity.

Everyone is a target

At the beginning, we cited a real-life example of a Head of Research being targeted for sensitive content on his devices. However, threats are not restricted to Heads of Departments or the top brass alone. In fact, according to Symantec’s 2014 Internet Security Threat Report, administrative or executive assistants and public relations personnel rank higher in terms of risk profiles for phishing than the top brass. In 2011, a former IT employee of the Japanese firm Shionogi remotely accessed the pharmaceutical firm’s infrastructure and deleted e-mails and other information, which resulted in a USD 300,000 loss for the company. Perhaps it is obvious to hackers that companies are more willing to spend on securing the devices of the top brass than those of employees lower in the food chain.

Vendor vulnerability

Threats can also come in the form of risks along the supply chain, where sub-contractors and vendors are not trustworthy or their reliability has been compromised. Recently in the US, an IT sub-contractor at a large pharmaceutical company was apprehended for stealing and selling the company’s networking equipment on eBay. This happened even though the sub-contractor had undergone thorough background and security checks prior to his recruitment. The onus is on the management of the pharma companies to ensure that their IT departments do not look for quick fixes in terms of hardware and inexpensive servers, thereby exposing the company to security risks. RFID tags intended to secure authenticity and monitoring in distribution have also become prone to hacking, with the aim of replacing the supplies with counterfeits. In 2015, the US FDA had to issue advisories on cyberattacks on certain medical devices after it was found that devices such as infusion pumps had been breached. Blinded data and vendor indifference are also significant risks when one considers the ease with which such data can be decoded and sold on the black market. Delays in the supply chain and security breaches can bring lawsuits from the vendors themselves against the pharma companies.

Reputational Risk

Pharma companies are also vulnerable to loss of reputation and trust among consumers and stakeholders. This vulnerability is often underestimated, as the loss cannot be calculated directly in monetary terms. If consumers learn that trial data or products have been compromised, doubts regarding integrity and quality can endanger trust and confidence in the company. Loss of reputation is a strategic risk, and can be one of the drivers for cyber attacks by rivals. A loss in reputation in turn leads to loss of revenue and brand value as a result of customer churn and regulatory reprimands.

In effect, comprehensive security will arise from a solid foundation in employee education, integrating security into design and technology, and ensuring that the human factor is also addressed in designing the security. Increased digitisation, the inter-connectedness of supply chains, and the higher number of licences and outsourcing, along with sophisticated cyber and geo-political risks, need to be addressed as a package rather than through isolated solutions that are not cross-functional and do not effectively protect the organisation, its employees, or its consumers.