Cybersecurity and the Life Science Sector

The life sciences sector is undergoing a prominent transformation driven by the increased use of digital technologies. As data and data analytics become more critical to the success of life science organisations, so do the cyber risks.

Alessandro Biascioli

Cybersecurity continues to make the news in every sector, as it has become a significant part of doing business. The rapidly changing cybersecurity risk landscape affects every sector, including chemical, oil & gas, manufacturing, logistics, finance, and even the Life Science sector. The Life Sciences sector is undergoing a prominent transformation driven by the increased use of digital technologies. Data analytics, IoT and artificial intelligence create a colossal growth opportunity for Life Science organisations.

Digitalisation is projected to transform manufacturing processes, logistics and service delivery. As data and data analytics become more critical to the success of Life Science organisations, so do the cyber risks, which are an increasing threat to these organisations. The COVID-19 pandemic has accelerated the digitalisation of the Life Science sector in every phase of the product life cycle. The boardrooms of global companies are paying increased attention to cybersecurity, conscious of the consequences if they fail to govern cybersecurity policies within their organisations.

“Boards that choose to ignore or minimize the importance of cybersecurity oversight responsibility do so at their own peril” - SEC Commissioner, Luis Aguilar, NYSE

The Life Science sector and cyber-attacks

So, what makes the Life Science sector an important target for cyber-attacks? One of the most important factors is the enormous interest in the sector from a wide range of threat actors. Criminals are interested in the Life Science sector because a substantial amount of money is involved. Cybercriminals also target the sector to obtain personal data and intellectual property on new drugs. Life Science organisations hold large volumes of patients' personal data, including highly sensitive personal health information, which is very valuable to cybercriminals.

One such example of personal data theft happened at Nebraska Medical Center last year, where patients’ personal details were stolen. In addition, the entire value of Life Science organisations depends predominantly on technology and the availability of data. As a result, data integrity is imperative to Life Science organisations. The adoption of new tools such as cloud computing and big data analytics increases cybersecurity risks. The increased connectivity of computers and manufacturing systems means that hackers can target physical production processes. The cyber-attack on Merck in 2017 forced the organisation to halt production, with some of its processes taking months to recover. Threat actors, hacktivists and foreign states may have different intentions, but organisations that suffer a cyber-attack have to go through complex remediation measures.

“It takes 20 years to build a reputation but just 5 minutes to ruin it with a data breach, and then up to 2 years to rebuild it” - Manufacturing Chemist Pharma

These consequences of a cyber-attack adversely affect both the financial position and the reputation of Life Science organisations.

Another cybersecurity challenge

Apart from securing their businesses, Life Science organisations face another challenge: maintaining compliance with regulations. The life science sector is one of the most highly regulated sectors, with strict rules on the handling of patient details and on the production lifecycle. In the US, the Health Insurance Portability and Accountability Act (HIPAA) regulates the sharing of protected health information (PHI) with insurance organisations or partner companies. In Europe, the General Data Protection Regulation (GDPR) focuses on the handling of personal information collected by any business organisation. Beyond these regulations, Life Sciences organisations whose securities are traded on admissible platforms can also be subject to additional corporate governance requirements.

So, is there any legal cybersecurity framework to protect Life Science organisations from cyber-attacks and cybercriminals? The Cybersecurity Directive from the EU is a response to the rapidly rising number of cyber-attacks on business organisations in Europe. The aim of this Directive is to ensure a common level of cybersecurity risk management across EU countries and to develop new regulation of key sectors such as life science. The Directive is important to life science organisations because they fall under essential services. Along with the GDPR, the Directive gives organisations clear guidance on how to protect both patients' personal data and their own infrastructure.

Life Science and physical security

In the Life Science sector, cybersecurity is also linked to physical security, specifically the strategies to protect tangible assets. Physical assets such as standalone IT network databases hold enormous amounts of data, both personal data of patients and information related to intellectual property. It is therefore important that Life Science organisations carry out risk assessments specific to IT systems. Life Science organisations are required to maintain proper risk management and internal policies. With these, they confirm that they have performed sufficient risk assessments throughout the product development lifecycle.

How do we perform risk assessments in the Life Science sector? And what does the cyber risk landscape look like in the Life Science sector?
