06/16/2021 | Digital Innovation

Pharma and cyber crime

Nigel Thorpe, Technical Director of the pan-European IT experts SecureAge Technology, looks at data breaches in the healthcare industry and explains why it’s time to concentrate on the data itself.

The pharmaceutical industry is no stranger to cyber attacks. Pharma and biotech companies suffered more breaches than any other industry, with 53 per cent of them resulting from malicious activity, according to the 2020 Cost of a Data Breach Report from IBM and the Ponemon Institute. The study found that the average cost of a breach in the pharmaceutical industry was $5.06 million, behind only the healthcare, energy and financial sectors.

The arrival of COVID-19 and the urgency to develop tests, vaccines and therapies only served to put the industry more firmly in the crosshairs of cyber criminals and state-sponsored hacking groups. In July 2020 the UK’s National Cyber Security Centre (NCSC) helped expose Russian attacks on coronavirus vaccine development, while in October the US Cybersecurity and Infrastructure Security Agency (CISA) issued a warning advisory to all pharmaceutical companies and research institutions, highlighting the need to improve IT security across the industry. In December, at least six pharmaceutical companies in the US, UK and South Korea working on COVID-19 treatments were targeted by North Korean hackers, according to the Wall Street Journal. The increase in attacks underlines the fact that pharmaceutical companies develop highly lucrative IP and handle large amounts of patient and healthcare data, making them prime targets for criminals looking to compromise, steal and exploit information. These challenges are compounded by the structure of large pharmaceutical organizations: multiple sites and complex relationships with hospitals, healthcare providers, suppliers, distributors and governments, all of which need online access to various systems and data, subject to regulation.

The 2021 Healthcare Data Risk Report by cyber security company Varonis examined the state of data security within healthcare organizations, including hospitals, biotech and pharmaceutical firms. It analyzed a random sample of Data Risk Assessments for 58 companies, a total of three billion files, to determine how data is exposed and at risk. It found that nearly 20 per cent of all files are open to every employee and that the average healthcare organization has 31,000 sensitive files open to everyone, including files containing HIPAA-protected information, financial data and proprietary research. This is a lot of data, and it comes in two forms. Structured data is information that can be stored in a traditional database of columns and rows, such as a customer or clinical trials database holding names, addresses and telephone numbers.

Unstructured data is everything else, from email trails and chat logs to reports, presentations, image libraries and videos. Some 80 per cent of data is unstructured, and much of it is sensitive. Spreadsheets, which the industry relies on heavily, as the UK’s track and trace problems highlighted, are a particular data security problem: they often contain highly sensitive data but are weakly protected.
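A check a practitioner can run against the “open to everyone” finding above, as an added example that is not part of the Varonis report or the original article: it walks a directory tree on a POSIX file system and lists regular files whose mode bits grant read access to every local account, and flags those with spreadsheet or document extensions. The extension list and the constructed sample tree are the example’s own assumptions; Windows and SMB shares use ACLs and need an ACL-aware tool instead.

```python
"""Find files that every local account can read (POSIX mode bits).

Added example for this article, not code from Varonis or the author.
It approximates the report's 'open to everyone' check for one host:
a regular file with the 'other' read bit set is readable by any account.
Windows/SMB shares use ACLs and need an ACL-aware tool instead.
"""
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumed for the example: extensions that usually hold unstructured and
# often sensitive content (spreadsheets, documents). Tune for your estate.
SENSITIVE_SUFFIXES = {".xlsx", ".xls", ".csv", ".docx", ".doc", ".pdf", ".pptx"}


def find_world_readable(root: str) -> List[Dict]:
    """Walk `root` and report regular files readable by 'other'."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                st = path.lstat()          # lstat: do not follow symlinks
            except OSError:
                continue                   # vanished, or metadata unreadable
            if not stat.S_ISREG(st.st_mode):
                continue                   # skip symlinks, sockets, devices
            if st.st_mode & stat.S_IROTH:
                findings.append({
                    "path": str(path.relative_to(root)),
                    "mode": stat.filemode(st.st_mode),
                    "sensitive_type": path.suffix.lower() in SENSITIVE_SUFFIXES,
                })
    return findings


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Counts for a report line: everything world-readable, and document types."""
    return {
        "world_readable": len(findings),
        "sensitive_type": sum(1 for f in findings if f["sensitive_type"]),
    }


def build_sample_tree(root: str) -> None:
    """Constructed sample data: three files with different permissions."""
    base = Path(root) / "research"
    base.mkdir(parents=True, exist_ok=True)
    samples = {
        "trial_results.xlsx": 0o644,   # spreadsheet readable by everyone
        "patient_notes.docx": 0o600,   # document restricted to its owner
        "build.log": 0o644,            # world-readable, not a document type
    }
    for name, mode in samples.items():
        target = base / name
        target.write_text("sample content\n")
        target.chmod(mode)


def audit_sample_tree() -> Dict:
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = find_world_readable(tmp)
        return {"paths": sorted(h["path"] for h in hits), **summarize(hits)}


if __name__ == "__main__":
    print(audit_sample_tree())
```

On the sample tree only the spreadsheet and the build log are reported; the patient notes file is mode 0600 and stays out of the list. Run `find_world_readable` against a real share root to get the same listing for your own estate.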

Time to focus on the data

Within any organization, staff routinely extract information from databases and apps for reporting, presentations and ad hoc data analysis. In the pharmaceutical world, where research and data analysis are widespread, this is magnified many times. Extracted data gets stored in a variety of places, from file shares to local disks and removable media, and most organizations will admit they do not know the location of all their information, sensitive or not. This represents a significant challenge to the traditional approach of applying tight security only to the most sensitive data. Home working adds another layer of vulnerability. Remote employees have become attractive targets because most home networks are less well protected than corporate ones. Once inside the home network, an attacker has a good chance of reaching the corporate laptop, finding locally saved documents, and then pivoting onto the company network.

Traditionally, we have tried to protect all data with multiple layers of security to prevent access, but the relentless flow of headlines around successful cyber attacks and breaches proves this is not working. And, as the Varonis report shows, any given data file is likely to be accessible by staff who have no reason to see that information. So, if we can’t keep the cyber criminals out or trust the people around us, we must rethink the traditional methods of protection and adopt a data-centric approach, where security is built into the data itself.

Full disk encryption protects structured and unstructured data at rest on a hard disk or USB stick, which is valuable if you lose your laptop, but it is of no use against unauthorized access or theft from a running system: once the disk has been unlocked, the operating system decrypts transparently for every process, so malware or an intruder with a user session reads the files in plaintext. Data therefore needs to be protected not only at rest, but also in transit and in use, on site or in the cloud.

But this is no easy task. In the 2020 IBM and Ponemon report, 67 per cent of respondents said discovering where sensitive data resides in the organization is the number one challenge in planning and executing a data encryption strategy. Data classification technology is often used to identify ‘important’ or ‘sensitive’ data, but the report found that 31 per cent cited classifying which data to encrypt as difficult. Then, where do you set the ‘importance bar’? Even seemingly trivial information can be useful to a cyber criminal adept at amalgamating small pieces of data to form a bigger picture, for a spear phishing attack for example.

A universal approach

So why is it that the accepted norm is to encrypt only the ‘most important’ or ‘sensitive’ data? The problem is that traditionally encryption has been considered complex, costly and detrimental to performance and productivity. But with advances in the technology and faster processors, seamless data encryption can now be used to protect all data, structured and unstructured. This way, classification for data security purposes becomes irrelevant, and stolen information remains protected and useless to cyber criminals, provided the keys are not stolen with it: encrypting everything moves the problem to protecting the keys and the identities allowed to use them, so it has to be paired with strong authentication and access control.

A universal approach to data encryption simplifies data security. There is no longer a need to update data classification rules; Data Loss Prevention (DLP) rules can be simplified and targeted at more specific data loss scenarios; manual data classification decisions no longer affect security; and it no longer matters where data is stored, because it will always be encrypted.

While the pharmaceutical industry made COVID-19 breakthroughs at an astounding rate, confirmed data breaches also increased by a staggering 58 per cent over the same period. And just as the world was woefully underprepared for a pandemic, so too were health companies unprepared for these attacks. By actively choosing to encrypt all data, whether it is stored, in transit or in use, we are finally designing security into the one thing that has value: the data itself.

A brief history of data encryption

Data encryption goes back millennia. The Egyptians used disordered hieroglyphics, the Greeks steganography (hiding the existence of a message rather than scrambling its contents), the Spartans the scytale and the Romans the Caesar shift cipher, all of which laid the foundations for modern cryptography. What has evolved since are two fundamental approaches based on mathematics: ‘symmetric’ and ‘asymmetric’ cryptography.

Symmetric cryptography replaces plaintext with ciphertext that looks like gibberish. The sender uses an algorithm and a ‘key’ to encrypt the message, and the recipient reverses the process using the same algorithm and the same key. But the sender must be able to deliver the key to the recipient safely, or the message can be compromised, and with many correspondents that means a separate secret key for every pair of them.
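The Caesar shift named earlier is the simplest symmetric cipher, so it serves as a worked example of the process just described. This is an added example for this article, not code from the author or SecureAge: sender and recipient share one key (the shift), decryption is the same algorithm run in reverse, and the brute-force function shows the flip side of a shared secret, namely that the key must be secret and the key space large enough that an attacker cannot simply try every value. The sample message and the mini dictionary used to recognise English are constructed for the example.

```python
"""Caesar shift cipher: a symmetric cipher, and what a tiny key space costs.

Added example for this article, not code from the author or SecureAge.
The key is a shift between 1 and 25. Sender and recipient share it, and
decryption is the same algorithm with the shift reversed.
"""
import string

ALPHABET = string.ascii_uppercase


def caesar_encrypt(plaintext: str, key: int) -> str:
    """Shift every letter forward by `key` places; other characters pass through."""
    if not 1 <= key <= 25:
        raise ValueError("key must be a shift between 1 and 25")
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    """Reverse the process with the same key: shifting by 26 - key undoes it."""
    return caesar_encrypt(ciphertext, 26 - key)


# Constructed mini dictionary, enough to recognise the sample message as English.
WORDS = {"ATTACK", "AT", "DAWN", "THE", "AND", "SEND", "MORE", "DATA"}


def english_score(text: str) -> int:
    """Count dictionary words: a crude but sufficient plaintext detector."""
    return sum(1 for token in text.split() if token.strip(".,;:!?") in WORDS)


def brute_force(ciphertext: str):
    """Try all 25 keys and return (key, plaintext) with the most English words.

    The attacker needs no key at all: with 25 candidates the secret is no secret.
    """
    candidates = [(key, caesar_decrypt(ciphertext, key)) for key in range(1, 26)]
    return max(candidates, key=lambda pair: english_score(pair[1]))


if __name__ == "__main__":
    secret_key = 3  # the shift the sender and recipient agreed on in advance
    cipher = caesar_encrypt("Attack at dawn", secret_key)
    print("ciphertext:", cipher)
    print("decrypted :", caesar_decrypt(cipher, secret_key))
    print("recovered :", brute_force(cipher))
```

A modern symmetric cipher such as AES keeps the same shape, one shared key used in both directions, but with a key space of 2^128 or more, so that trying every key is out of reach; the key distribution problem the paragraph describes, however, is the same.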

To overcome these problems, researchers came up with asymmetric, or “public key”, cryptography, which gives each person a pair of mathematically linked keys. One is a public key and the other is a private key. If Bob encrypts a message using Alice’s public key, she can decrypt it using her own private key. Alice can give everyone her public key, knowing that only she can decrypt messages sent to her because she keeps her private key secret. Later, PKI (Public Key Infrastructure) was developed to address the question of identity: how Bob knows that a public key really belongs to Alice. PKI is like having a passport, but it employs digital certificates “signed” by a trusted Certificate Authority (CA) rather than a government.

So now Alice, Bob and Villanelle all have certificates containing their public keys, each signed by a trusted CA that is common to them. The signature uses the process described above, but in reverse: the CA has its own public and private keys, and this time it uses its private key to sign (in practice, to apply the private-key operation to a hash of) the certificate contents, which include the holder’s name and public key. The resulting signature is carried inside the digital certificate. Bob can now retrieve Alice’s public key by obtaining her digital certificate from a directory and checking the CA’s signature with the CA’s public key, secure in the knowledge that this key belongs to Alice, provided he trusts the CA that issued it.
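The exchange described in the last two paragraphs, as an added example that is not part of the original article: textbook RSA using only the Python standard library, with a toy CA that signs a hash of the holder’s name and public key, Bob verifying Alice’s certificate before encrypting to her, and Villanelle’s attempt to swap her own key into that certificate failing the check. The names come from the text; the function names, the certificate format and the key sizes are the example’s own assumptions. Textbook RSA has no padding and these keys are far too small, so this is for understanding the mechanics, not for protecting real data.

```python
"""Toy public-key crypto and a toy certificate authority, stdlib only.

Added example for this article; not the author's or SecureAge's code.
Textbook RSA with no padding and small keys, to make the mechanics visible.
Never use it for real data: real systems use vetted libraries, padding
schemes and standard certificate formats (X.509).
"""
import hashlib
import math
import secrets
from typing import Dict, NamedTuple


class PublicKey(NamedTuple):
    n: int
    e: int


class PrivateKey(NamedTuple):
    n: int
    d: int


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin test, with trial division first for small factors."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # found a witness that n is composite
    return True


def random_prime(bits: int) -> int:
    while True:                   # odd candidate with the top bit set
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def make_keypair(p: int, q: int, e: int = 65537):
    """n = p*q is public; d, the inverse of e mod phi(n), is the private half."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n); pick other primes")
    return PublicKey(n, e), PrivateKey(n, pow(e, -1, phi))


def encrypt(pub: PublicKey, message: bytes) -> int:
    """Bob encrypts with Alice's public key; only her private key reverses it."""
    m = int.from_bytes(message, "big")
    if m >= pub.n:
        raise ValueError("message too long for this key")
    return pow(m, pub.e, pub.n)


def decrypt(priv: PrivateKey, ciphertext: int) -> bytes:
    m = pow(ciphertext, priv.d, priv.n)   # leading zero bytes are not preserved
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv: PrivateKey, data: bytes) -> int:
    """A signature is the private-key operation applied to a hash of the data."""
    return pow(_digest(data, priv.n), priv.d, priv.n)


def verify(pub: PublicKey, data: bytes, signature: int) -> bool:
    return pow(signature, pub.e, pub.n) == _digest(data, pub.n)


def to_be_signed(subject: str, pub: PublicKey) -> bytes:
    """Certificate body: the holder's name bound to the holder's public key."""
    return f"{subject}|{pub.n}|{pub.e}".encode()


def issue_certificate(ca_priv: PrivateKey, subject: str, pub: PublicKey) -> Dict:
    return {"subject": subject, "public_key": pub,
            "signature": sign(ca_priv, to_be_signed(subject, pub))}


def verify_certificate(ca_pub: PublicKey, cert: Dict) -> bool:
    """What Bob does before trusting the key inside a certificate."""
    return verify(ca_pub, to_be_signed(cert["subject"], cert["public_key"]),
                  cert["signature"])


def run_scenario(bits: int = 256) -> Dict[str, bool]:
    ca_pub, ca_priv = make_keypair(random_prime(bits), random_prime(bits))
    alice_pub, alice_priv = make_keypair(random_prime(bits), random_prime(bits))
    cert = issue_certificate(ca_priv, "alice", alice_pub)
    # Villanelle swaps her own key into Alice's certificate: the CA signature
    # no longer matches the contents, so Bob rejects it.
    villanelle_pub, _ = make_keypair(random_prime(bits), random_prime(bits))
    forged = dict(cert, public_key=villanelle_pub)
    ciphertext = encrypt(cert["public_key"], b"meet at dawn")
    return {"cert_valid": verify_certificate(ca_pub, cert),
            "roundtrip_ok": decrypt(alice_priv, ciphertext) == b"meet at dawn",
            "forged_valid": verify_certificate(ca_pub, forged)}


if __name__ == "__main__":
    print(run_scenario())
```

The text’s “encrypt with the CA’s private key” is the usual shorthand; `sign` does what real CAs do and applies the private-key operation to a hash of the certificate body, which is why changing any field, the public key in `run_scenario` or the subject name, breaks the signature and Bob’s check fails.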

The Romans, Greeks and Egyptians showed us the way. Had we thought more about protecting data and less about simply trying to prevent access to it with firewalls, user controls and other ‘castle and moat’ techniques, modern information security might have taken a different route. But we now have the knowledge, the technology and the processing power to deliver on the promise of using encryption to protect all the data all of the time.


Nigel Thorpe

Technical Director, pan-European IT experts SecureAge Technology

Keywords in this article:

#product and process security, #pharma
