The healthcare sector’s resource challenges are well-known, often cited as the reason for slow security progress. From an outside perspective, it would appear that the industry’s global revenues in 2020 topped $ 1.27 trillion.
SC Media’s conversation with Capgemini security leaders during RSA found that’s simply not the case.
The mindset is that pharma “is cutting edge” with strong research and on the frontline of tremendous innovation, explained Joe McMann, Capgemini’s head of cyber strategy. “But at their core, [the sector] is manufacturing. ”
In short, innovative tech and processes are built on a legacy foundation. But McMann stressed “they are still running factories and production facilities and operating like a lot of big organizations.”
Most of pharma is made up of Fortune 500 organizations, but it’s not standardized, he added. The sector’s security leaders have to worry, but not the healthcare, safety, IT, and privacy sides as well. Each element is crucial to enabling progress in the industry, but “it’s a lot for them to manage.”
Pharma’s “business model at its core is very strange,” said Dave Cronin, cyber practice lead of Capgemini North America. For many entities, the drug development center, including drug development, “in the hopes that you get one big hit.”
Once the successful drug is found, the company works to corner the market, get the patent, generate revenue, then repeat the process, Cronin continued. In that way, the model means it’s “culturally tough because companies are trying to foster creativity and share information. It’s a cutting-edge industry, so [entities] don’t want to put any restriction around that. ”
To McMann, the current state of pharma is nothing like hospitals, which are running with tight, lean budgets. In contrast, most pharma companies have existing information departments.
Instead, the complexity of its environments and systems are at the core of pharma’s security challenges. As McMann sees it, the sector is just “spread really thin.”
Further, in healthcare, CISOs are covered by the Health Insurance Portability and Accountability Act.
While pharma shares some of these concerns, its CISOs must also protect cyber intrusions that could lead to costly downtime. Pharma Companies
But by far the worst case scenario in pharma is someone breaks into a factory and mixes up the chemical make-up, ”said Cronin.
Moving the security needle after pharma’s red-flag moment
Pharma’s challenges aren’t unique. Other sectors are also failing to ensure that the public would expect. There are few easy solutions, which makes cybersecurity difficult for all sectors. And much like other industries, there are also some variances: some companies have made security a priority, while others have not.
For healthcare, in addition to its constrained resources, entities are also dealing with a number of technical challenges. In particular, it is simply not possible to lock down every endpoint or leverage multi-factor authentication.
One could surmise that the pharmacy may have the benefit of a technical standpoint.
These risks aren’t conjecture, either. In one of the most notable pharma hacks in recent years, threat actors targeted and successfully cracked into the European Medicines Agency in December 2020 and accessed the first authorized COVID-19 vaccine from Pfizer and BioNTech.
The pharma companies submitted the COVID-19 vaccine to the regulator for approval in early December 2020, ahead of the cyberattack. The EMA was scheduled to meet and determine the vaccine’s conditional approval before the incident.
The actors also accessed documents attached to the vaccine candidate’s regulatory submission, which was stored on an EMA server. The incident highlighted the value of pharmaceutical data and research and should have served as a red-flag moment for the sector. Healthcare had its own defining moment after the death of a patient during a cyberattack early last year.
However, pharma’s security resistance is not technical but profit-based, explained McMann. If there is a chance of a security measure that could reduce the effectiveness of collaboration, productivity, or connectivity to other factors, companies may resist deploying certain tools.
Other inhibitors to progress may include the possibility of limiting information sharing across the enterprise, such as the introduction of manual or physical security processes.
Pharma companies also struggle with flat networks on the manufacturing side, which could enable an actor to traverse the network, shut it down, break down production, and mix-up chemicals. To make progress, Cronin said these entities must first have shown the gravity of the problem.
Once these issues are evaluated, effective security steps include “segmenting the network, adding authentication and encryption, making it difficult to access quality controls, and proactively spending the money,” Cronin said.
These are the key business decisions that should empower cybersecurity leaders to get involved, explained McMann.
Pharma companies with effective security are also able to effectively communicate the risks to the board and are empowered to take action, he added. Other companies with risky security processes may see board resistance and calls to “let it ride.”
Boards may respond that they are prepared to accept the risk or not, based on the security leader’s assessment, said MacMann. “It takes money and willingness to cause business effects.”