Pharma and cyber crime

The pharmaceutical industry is no stranger to cyber attacks. Pharma and biotech companies suffered more breaches than any other industry, with 53 per cent of them resulting from malicious activity, according to the 2020 Cost of a Data Breach Report form IBM and the Ponemon Institute. The study found that the average cost of a breach in the pharmaceutical industry was $5.06 million, behind healthcare, energy and financial sectors.

The arrival of COVID-19 and the urgency to develop tests, vaccines and therapies only served to put the industry more firmly in the crosshairs of cyber criminals and state sponsored hacking groups. In July 2020 the UK’s National Cyber Security Centre (NCSN) helped expose Russian attacks on Coronavirus vaccine development, while in October the US Cybersecurity and Infrastructure Security Agency (CISA) issued a warning advisory to all pharmaceutical companies and research institutions, highlighting the need to improve IT security across the industry. In December, at least six pharmaceutical companies in the US, UK and South Korea working on COVID-19 treatments were targeted by North Korean hackers, according to the Wall Street Journal. The increase in attacks underlines the fact that pharmaceutical companies will develop highly lucrative IP and handle large amounts of patient and healthcare data, making them all a prime target for criminals looking to compromise, steal and exploit information. The main challenges facing all of these large organizations are compounded with multiple locations and varying levels of complex relationships within areas such as hospitals, healthcare providers, suppliers, distributors, as well as governments – all needing online access to various systems and data, controlled by regulation.

The 2021 Healthcare Data Risk Report by cyber security company Varonis examined the state data security within healthcare organizations including hospitals, biotech as well as pharmaceutical firms. It analyzed a random sample of Data Risk Assessments for 58 companies – and a total of three billion files – to determine how data is exposed and at risk. It found that nearly 20 per cent of all files are open to every employee and that the average health care organization has 31,000 sensitive files open to everyone – including ones that have HIPAA-protected information, financial data, and proprietary research. This is a lot of data, and it comes in two forms. Structured data is the type of information that can be stored in many traditional databases composed of columns and rows, such as a customer or trials database which include names, addresses and telephone numbers.

Unstructured data is everything else, from email trails or chat logs to reports and presentations, image libraries or videos. In fact, some 80 per cent of data is unstructured and much of it is sensitive information. With the industry’s love of spreadsheets, as highlighted by the UK’s track and trace problems, it represents a particular data security problem as they often contain highly sensitive data but are weakly protected.

Time to focus on the data

Within any organization, staff routinely extract information from databases and apps for reporting, presentations and adhoc data analysis. In the pharmaceutical world where research and data analysis are widespread, this is magnified many times. Extracted data gets stored in a variety of places, from file shares to local disks and removable media, and most organizations will admit they do not know the location of all their information – sensitive or not. This represents a significant challenge to the traditional approach of applying tight security only to most sensitive data. Home working adds an additional layer of vulnerability. Employees working remotely have now become attractive targets because most home networks are less well protected than corporate ones. Once inside, the hacker has a great chance of accessing the corporate laptop, finding locally saved documents, and then jumping on the company network.

Traditionally, we have tried to protect all data with multiple layers of security to prevent access, but the relentless flow of headlines around successful cyber attacks and breaches proves this is not working. And, as the Varonis report shows, any given data file is likely to be accessible by staff who have n reason to see that information. So, if we can’t keep the cyber criminals out nor trust the people around us, we must rethink the traditional methods of protection and adopt a data-centric approach, where security is built into data itself.

Full disk encryption will protect against structured and unstructured data at rest on a hard disk / USB stick, which is great if you lose your laptop, but it is of no use in protecting data against unauthorized access or theft from a running system. Data therefore needs to be protected not only at rest, but also in transit and in use, on site or in the cloud.

But this is no easy task. In the 2020 IBM and Ponemon report, 67 per cent or respondents said discovering where sensitive data resides in the organization is the number one challenge in planning and executing a data encryption strategy. Data classification technology is often used to identify ‘important’ or ‘sensitive’ data, but the report found that 31 per cent cited classifying which data to encrypt as difficult. Then, where you set the ‘importance bar’? Even seemingly trivial information can be useful to a cyber criminal, adept at amalgamating small pieces of data to form a bigger picture, for a spear phishing attack for example.

A universal approach

So why is it that the accepted norm is to encrypt only the ‘most important’ so ‘sensitive’ data? The problem is that traditionally encryption has been considered complex and costly and detrimental to performance and productivity. But with advanced in the technology and fast processing speeds, seamless data encryption can now be used to protect all data – structured and unstructured. This way, classification for data security purposes becomes irrelevant and stolen information remains protected and useless to cyber criminals.

A universal approach to data encryption simplifies data security. There is no longer a need a need to update data classification rules; Data Loss Prevention (DLP) rules can be simplified and targeted at more specific data loss scenarios; manual data classification decisions no longer affect security; and it no longer matters where data is stored – it will always be encrypted.

While the pharmaceutical industry made COVID-19 breakthroughs at an astounding rate, confirmed data breaches also increased by a staggering 58 per sent over the same period. And just as the world was woefully underprepared for a pandemic, so too were health companies unprepared for these attacks. By actively choosing to encrypt all data – whether it is stored, in transit or in use – we are finally designing security into the one thing that has value – data itself.