Cybersecurity: How life sciences companies can avoid being a target
INSIGHT ARTICLE
Life sciences companies, like many organizations, are collecting customer data at an enormous rate. According to a study by EMC, the collection of patient data by health care providers and health care-adjacent organizations has grown 48 percent year over year since 2013. Unfortunately, with this increase in data comes an increase in attackers who target these organizations.
The Chubb Cyber Index details the threat, determining that health care cyber incidents grew by 2390 percent during 2009-17. In addition, health care accounted for 38 percent of all cyber insurance claims during the last 10 years, leading all industries. This is likely because protected health information (PHI) has become more valuable to attackers than other data, like credit cards. In fact, an Experian study shows that medical records can sell for up to $1,000 compared to up to $110 for credit card numbers.
Common attack techniques used against health care organizations include ransomware, phishing and exploiting weak passwords. On top of this, the Office for Civil Rights (OCR) has issued fines averaging $1.5 million for HIPAA Privacy Rule violations during 2003-18. The risk of harm to patients and the resulting reputational and financial impacts make it critical for life sciences companies to take security very seriously.
Life sciences is evolving in a way that requires use of data and digital technology
Historically, life sciences companies focused on developing drugs, devices and therapeutic techniques. However, changes in consumer preferences have led life sciences companies to shift to a wellness model. This allows companies to provide higher-touch care, but requires more integration with external organizations and an increase in data collection.
For example, artificial intelligence (AI) has allowed life sciences organizations to make significant advances in drug development. This includes predicting how proteins that have not yet been synthesized might fold and reducing the time it takes to select clinical trial patients from years to weeks. Of course, the integration and collection of this data increase the available attack surface. For example, if the AI processing is outsourced to a third party, then the security of patient data and intellectual property is also in that organization’s hands.
The life sciences model has shifted toward wellness
It is possible to minimize risk without detracting from critical spend
The key to addressing the risks to sensitive data is to ensure you understand your security needs as early as possible and can communicate risks effectively up and down your organization. It is critical for security and business interests to be in alignment; otherwise, you may end up wasting money on unnecessary security implementations.
For example, we encountered a life sciences client that spent significant time, money and resources protecting what it believed to be sensitive intellectual property. However, during discussions between the information technology (IT) group, company executives and RSM, the executive staff revealed that it did not consider this data sensitive and was fine if it was released publicly. Having these conversations with key stakeholders as early and frequently as possible can save a lot of effort and money.
Building risk governance
Risk governance does not mean you have to add burdensome layers of bureaucracy to your organization. Rather, it could mean something as simple as adding security topics to already established IT or executive meetings. However, risk governance will not succeed without buy-in from security, internal audit and operations stakeholders. Risk management responsibilities should be shared across these groups to ensure employees are not shouldering too many responsibilities or creating internal conflicts of interest. Examples of the shared responsibilities of each group include:
- Security
  - Directing and managing the information security program
  - Working with client leadership to establish requirements for the security program
  - Identifying, communicating and providing recommendations for security risks
  - Testing the effectiveness of security controls
  - Working with client leadership to define metrics
- Internal audit
  - Validating adherence to security requirements
  - Validating adherence to defined metrics
- Operations
  - Implementing security controls
  - Abiding by policy
  - Managing technical components
  - Providing internal project management
We typically see IT spending set at 3 to 7 percent of a company’s revenue, with security at 5 to 8 percent of IT spend. While these numbers may be acceptable for organizations sustaining an already established security program, organizations building a new program will likely need to incur additional upfront costs. Understanding your current state through security testing and risk assessments is necessary before you begin to build this program. This can include the following activities:
- Align to a framework: You can select a security framework that fits your organizational requirements (e.g., NIST, ISO, HITRUST, PCI DSS). Performing a gap analysis against what the requirements dictate and what you have in place can provide an excellent baseline for your organization. Receiving an attestation of compliance to a framework can also provide a market differentiator showing how seriously you take security.
- Conduct security testing: Penetration testing, vulnerability scanning, network architecture reviews, device security reviews, password audits and other tests will provide insight into the effectiveness of your technical security controls. You can also conduct a “purple team” assessment to test how well you can detect malicious activities that occur during a penetration test.
- Phishing assessments: Simulated phishing attacks against your employees will test their susceptibility to phishing attacks.
- Incident response tabletops: Conducting tabletop exercises will test the effectiveness of your incident response plans and provide an opportunity to incorporate lessons learned into your processes before an actual security event occurs.
- Business process risk assessments: Traditionally, organizations determine risks at an enterprise level by assessing likelihood and impact of threats and whether controls are in place to address them. However, we recommend assessing risk at a process level. This allows you to determine the risks facing specific, critical processes within your organization and apply controls granularly, reducing the investments required and more accurately addressing the risks facing your data. For example, a health care organization can investigate risks to its electronic health record systems, since this is where its highest concentration of patient information is stored. Understanding the revenue associated with these processes and the number of records involved will also help you determine the monetary impact of the risks. This will help you calculate the return on security investment for the associated security improvements.
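The process-level risk assessment described above, carried through to a return on security investment (ROSI) figure, as an added example that is not part of the original article or RSM's own methodology. It assumes a simple loss model (single loss expectancy = records × an assumed per-record breach cost + an assumed share of the process's revenue; annual loss expectancy = that figure × an estimated breach probability) and uses constructed sample processes with placeholder numbers.

```python
from dataclasses import dataclass

# Assumed cost model (illustrative placeholders, not figures from the article)
COST_PER_RECORD = 400.0   # breach cost per exposed patient record
REVENUE_AT_RISK = 0.05    # share of a process's annual revenue lost to disruption


@dataclass(frozen=True)
class ProcessRisk:
    name: str
    records: int               # patient records handled by the process
    annual_revenue: float      # revenue the process supports
    breach_probability: float  # estimated annual likelihood of compromise
    control_cost: float        # annual cost of the proposed controls
    risk_reduction: float      # fraction of breach likelihood the controls remove


def single_loss_expectancy(p: ProcessRisk) -> float:
    """Monetary impact of one breach: record exposure plus revenue disruption."""
    return p.records * COST_PER_RECORD + p.annual_revenue * REVENUE_AT_RISK


def annual_loss_expectancy(p: ProcessRisk) -> float:
    """Expected yearly loss before any new controls are applied."""
    return single_loss_expectancy(p) * p.breach_probability


def rosi(p: ProcessRisk) -> float:
    """Loss avoided per year, net of control cost, per dollar spent on controls."""
    ale_before = annual_loss_expectancy(p)
    ale_after = ale_before * (1.0 - p.risk_reduction)
    return (ale_before - ale_after - p.control_cost) / p.control_cost


def prioritize(processes):
    """Processes whose proposed controls pay for themselves, highest ROSI first."""
    funded = [p for p in processes if rosi(p) > 0]
    return sorted(funded, key=rosi, reverse=True)


# Constructed sample processes for a hypothetical health care organization
EHR = ProcessRisk("electronic health records", 500_000, 20_000_000, 0.20, 150_000, 0.60)
LAB_PORTAL = ProcessRisk("lab results portal", 50_000, 5_000_000, 0.15, 40_000, 0.50)
WEBSITE = ProcessRisk("public marketing website", 0, 2_000_000, 0.30, 50_000, 0.50)
PROCESSES = [EHR, LAB_PORTAL, WEBSITE]

if __name__ == "__main__":
    for p in PROCESSES:
        print(f"{p.name}: ALE ${annual_loss_expectancy(p):,.0f}, ROSI {rosi(p):.1f}x")
    print("fund first:", [p.name for p in prioritize(PROCESSES)])
```

With these inputs the marketing website's proposed controls cost more than the loss they avoid and drop out of the funded list, which is the granular allocation the process-level approach is meant to produce.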
Sustaining the security program
Sustaining the security program will require visibility into the status of risks and the current effectiveness of security implementations. At a minimum, we recommend that you track metrics in the following areas:
- Security governance
- Detection and incident preparedness
- Technical hardening and testing
- Data protection
- Third-party risk management
In addition, the following list includes examples of security metrics that your organization can track:
- Failure rate percent of mock phishing campaigns
- Risk score of patches not applied >90 days
- Risk score of unsupported systems
- Percent of third-party reviews not completed
- Number of open versus closed cyber incidents
Pre-commercial and commercial companies will employ different cybersecurity strategies
Wherever your organization is in the life cycle, you will manage some form of sensitive data. Therefore, it is important to integrate security considerations as early as possible to minimize downside risk. Below is an example of cybersecurity strategies throughout the development life cycle:
Development stages: phases 1 and 2 clinical testing; phase 3 clinical testing
- Evaluating potential partners’ data security history and environment
- Managing risk from partners’ use of data
- Managing proprietary PHI databases
- Implementing base cybersecurity best practices (e.g., vulnerability management, device testing and establishing secure baselines, policies and procedures); this evolves throughout phases 1, 2 and 3
- Designing information technology architecture
- Evaluating control environment
- Focusing on organizational defensive capability, IR tabletops, advanced monitoring and security as a matter of business operations
Due to a changing business model, life sciences companies collect an increasing amount of high-value data, and any breach could result in significant fines, as well as patient and reputational harm. Along with this shift in data collection, your organization must adjust cybersecurity processes accordingly to identify, understand and address emerging risks. Implementing these measures can help create a sustainable security program that aligns with compliance regulations, increases visibility into threats and actively protects your sensitive data.
Sources
- “The digital universe driving data growth in healthcare,” EMC, accessed Jan. 28, 2019.
- “Chubb Cyber IndexSM,” Chubb, accessed Jan. 28, 2019.
- “Here’s How Much Your Personal Information is Selling for on the Dark Web,” Experian, accessed Jan. 28, 2019.
- “OCR Levies Close to $80M in HIPAA Privacy Rule Fines,” Health IT Security, accessed Jan. 28, 2019.