Onapsis: The cybersecurity threat to pharma is growing

Not that long ago, most pharmaceutical companies were probably more concerned about the physical security of their labs and offices than digital security. After all, if a competitor or state-backed actor was looking to get inside information or commit an act of sabotage, that’s the route they’d most likely take. But as the industry, like so many others, has become increasingly digitised, so has the threat of cybercrime. 

In fact, cyberattacks targeting healthcare organisations increased 74% from 2021 to 2022. It’s hardly coincidental that such attacks occurred at a peak in global COVID-19 vaccination programmes. The money being pumped into the development, refining and rollout of vaccines made the pharma companies a natural target for cybercriminals, particularly those making use of ransomware. 

But even as pharmaceutical companies face falling sales and increased investor pressure, those threats aren’t likely to dissipate. Instead, as digital technologies continue to grow in importance for the sector, it will likely face new and increasingly potent cybersecurity threats. As such, it’s critical that players in the sector do everything they can to bolster their cybersecurity efforts. 

IoT, invisible attacks and costly breaches for pharma 

People outside the pharmaceutical and cybersecurity industries may be surprised to learn how rapidly attack incidents have grown, but they should also be aware that the variety of those attacks has grown too. While massive incidents such as the 2017 malware attack on Merck grab all the headlines, smaller attacks that don’t hold much media attention are far more common.     

The knock-on effects of these attacks are multiple and expensive, as the pharma industry is home to both sensitive data and expensive technology. It is also highly regulated by the Food and Drug Administration with severe penalties for non compliance. A 2020 report found that the average cost of a breach exceeds US$5m and threats take an average of 257 days to be detected and contained. That’s to say nothing of the setbacks to the development of potentially life-saving medicines. 

As the industry continues to embrace digitisation and innovate, especially around Internet of Things (IoT) technologies, the available avenues for attacks will keep growing too. Remember, many IoT devices aren’t designed with security in mind. While things have improved since cybercriminals leveraged IoT devices to take down large portions of the web in 2016, they remain a potentially serious point of vulnerability. 

A growing need for cybersecurity investment 

Against that backdrop, it’s critical that pharmaceutical companies and organisations make the requisite investments in cybersecurity. 

An incident-response approach simply will not cut it either. Companies need to have a proactive, top-down approach to protection, putting in place protections for all business-critical applications. Additionally, with the amount of data stored in the cloud increasing and the need to share information and collaborate across departments and indeed care providers and universities, it is critical that companies manage identity and permissions to effectively protect sensitive data.

Of course, organisations in the sector can’t be expected to build up the expertise necessary to implement those things themselves. Their focus is, and should always be, on the business of drug development. 

Instead, they should look to use cybersecurity providers with deep sector expertise, particularly when it comes to protecting business-critical applications. These applications impact  everything from R&D, supply chain, to manufacturing and finance. That vendor should also have a strong track record when it comes to research, with its team able to proactively identify the latest threats and how to nullify them. The vendor should additionally be open about sharing research with customers, ensuring that their own cybersecurity teams are able to deal with any new threats, identify any gaps across the attack surface and shore up any vulnerabilities. 

Beyond that, the cybersecurity vendor should be able to help shore up an organisation's response to a successful breach, ensuring business continuity. The better an organisation is able to respond to a successful attack, the lower the damage and fallout will be. 

Adapting cybersecurity to a changing industry 

As the pharmaceutical industry continues on its path of rapid digitisation (one which comes with significant rewards, including faster breakthroughs and increased efficiency), cybersecurity will only become more important. 

As such, organisations in the sector must invest in cybersecurity, fortify critical applications and manage data permissions. In doing so, especially in concert with the right vendors, pharmaceutical organisations can safeguard their assets and effectively mitigate the impacts of cybercrime in an increasingly digital landscape.