The healthcare sector’s resource challenges are well-known, often named as the reason for slow security progress. From an outside perspective, it would seem that the pharmaceutical sector stands in staunch contrast in terms of cybersecurity budgets and overall posture, given the industry’s global revenues in 2020 topped $1.27 trillion.
SC Media’s conversation with Capgemini security leaders during RSA found that’s simply not the case.
The mindset is that pharma “is cutting edge” with strong research and on the frontline of tremendous innovation, explained Joe McMann, Capgemini’s head of cyber strategy. “But at their core, [the sector] is manufacturing.”
In short, innovative tech and processes are built on a legacy foundation. The outside view of pharma is teams of researchers and scientists, but McMann stressed “they're still running factories and production facilities and operating like a lot of big organizations.”
Most of pharma is made up of Fortune 500 organizations, but it’s not standardized, he added. The sector’s security leaders have to worry not only about the forward-facing pharma side, but about the healthcare, safety, IT, and privacy sides as well. Each element is crucial to enabling progress in the industry, but “it's a lot for them to manage.”
Pharma’s “business model at its core is very strange,” said Dave Cronin, cyber practice lead of Capgemini North America. For many entities the business model is centered around research and development and a tremendous number of moving pieces, including drug development, “in the hopes that you get one big hit.”
Once the successful drug is found, the company works to corner the market, get the patent, generate revenue, then repeat the process, Cronin continued. In that way, the model means it’s “culturally tough because companies are trying to foster creativity and share information. It’s a cutting-edge industry, so [entities] don't want to put any restriction around that.”
To McMann, the current state of pharma is nothing like hospitals, which are running with tight, lean budgets. In contrast, most pharma companies have existing security departments led by chief information security officers.
Instead, the complexity of its environments and systems is at the core of pharma’s security challenges. As McMann sees it, the sector is just “spread really thin.”
Further, in healthcare, CISOs are kept up at night by cyber scenarios that could impact patient safety, along with potential risks to patient data or compliance with the Health Insurance Portability and Accountability Act.
While pharma shares some of these concerns, its CISOs must also protect valuable intellectual property and keep manufacturing secure from cyber intrusions that could lead to costly downtime. Pharma companies also face a high risk of malicious insiders, who could gather intellectual property, or steal hardware and take it to a competing company.
But by far “the worst-case scenario in pharma is someone breaks into a factory and mixes up the chemical make-up,” said Cronin.
Moving the security needle after pharma's red-flag moment
Pharma’s challenges aren’t unique. Other sectors are also failing to adhere to a number of leading security tactics that the public would expect. There are few easy solutions, which makes cybersecurity difficult for all sectors. And much like other industries, there are also variances: some companies have made security a priority, while others have not.
For healthcare, in addition to its constrained resources, entities are also dealing with a number of technical challenges. In particular, it’s often not feasible to lock down every endpoint or to require multi-factor authentication everywhere.
One could surmise that pharma may have the advantage from a technical standpoint, given the risk to intellectual property and fewer needs for immediate data access.
These risks aren’t conjecture, either. In one of the most notable pharma hacks in recent years, threat actors targeted and breached the European Medicines Agency in December 2020 and accessed documents related to the first authorized COVID-19 vaccine from Pfizer and BioNTech.
The pharma companies submitted the COVID-19 vaccine to the regulator for approval in early December 2020, ahead of the cyberattack. The EMA was scheduled to meet and determine the vaccine’s conditional approval before the incident.
The actors also accessed documents tied to the vaccine candidate’s regulatory submission, which was stored on an EMA server. The incident highlighted the value of pharmaceutical data and research and should have served as a red-flag moment for the sector. Healthcare had its own defining moment after the death of a patient during a cyberattack early last year.
However, pharma’s security resistance is not technical but profit-based, explained McMann. If there’s a chance a security measure could decrease the effectiveness of collaboration, productivity, or connectivity to other factories, companies may resist deploying certain tools.
Other inhibitors to progress could include the possibility of limiting information sharing across the enterprise, such as with the introduction of manual or physical security processes.
Pharma companies also struggle with flat networks on the manufacturing side, which could enable a threat actor to traverse the network, shut it down, break down production, and mix up chemicals. To make progress, Cronin said, these entities must first acknowledge the gravity of the problem.
Once these issues are evaluated, effective security steps include “segmenting the network, adding authentication and encryption, making it difficult to access quality controls, and proactively spending the money,” said Cronin.
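The flat-network risk and the segmentation remedy above can be made concrete with a policy check over flow records. The following is an added example, not code from the article or from Capgemini: the zone layout, addresses, port numbers, allow-list, and sample flows are all assumptions constructed for illustration. It models a site where corporate IT, an OT DMZ (historian and jump host), the manufacturing cell, and the quality-control segment are separate zones, and it flags any cross-zone flow that the allow-list does not permit, including a corporate laptop talking straight to a PLC, the symptom of a flat network.

```python
"""Zone-policy check over constructed flow records (added illustration,
not from the article or Capgemini). Zones, addresses, ports, the
allow-list and the sample flows are assumptions chosen for the example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed segmentation of a manufacturing site, Purdue-style.
ZONES = {
    "corporate": ipaddress.ip_network("10.1.0.0/16"),
    "ot_dmz": ipaddress.ip_network("10.2.0.0/24"),         # historian, jump host
    "manufacturing": ipaddress.ip_network("10.3.0.0/24"),  # PLCs, batch control
    "quality": ipaddress.ip_network("10.4.0.0/24"),        # LIMS, QC instruments
}
JUMP_HOST = ipaddress.ip_address("10.2.0.10")  # assumed sole entry point into OT

# Allowed (src_zone, dst_zone, dst_port) triples. Any other cross-zone flow is a
# violation; traffic inside one zone is left to host-level controls here.
ALLOW = {
    ("corporate", "ot_dmz", 443),      # dashboards read the historian over TLS
    ("ot_dmz", "manufacturing", 502),  # jump host -> PLC over Modbus/TCP
    ("ot_dmz", "quality", 22),         # jump host -> QC servers over SSH
    ("manufacturing", "ot_dmz", 443),  # PLC data pushed up to the historian
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'unknown' if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def check_flow(flow: Flow) -> Optional[str]:
    """Return a reason string if the flow violates the zone policy, else None."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return None  # intra-zone traffic is out of scope for this check
    if (src_zone, dst_zone, flow.dport) not in ALLOW:
        return f"{src_zone}->{dst_zone}:{flow.dport} not in allow-list"
    # Into production or quality-control, only the jump host may initiate.
    if dst_zone in ("manufacturing", "quality") and ipaddress.ip_address(flow.src) != JUMP_HOST:
        return f"{flow.src} is not the jump host but reached {dst_zone}"
    return None


def violations(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return every flow that breaks policy together with the reason."""
    return [(f, reason) for f in flows if (reason := check_flow(f))]


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    Flow("10.1.5.20", "10.2.0.5", 443),  # analyst reads the historian: allowed
    Flow("10.2.0.10", "10.3.0.7", 502),  # jump host programs a PLC: allowed
    Flow("10.1.5.20", "10.3.0.7", 502),  # corporate laptop straight to a PLC: flat-network symptom
    Flow("10.2.0.11", "10.4.0.3", 22),   # non-jump DMZ host into QC: blocked
    Flow("10.3.0.7", "10.3.0.8", 502),   # PLC to PLC inside the cell: out of scope
]

if __name__ == "__main__":
    for f, why in violations(SAMPLE_FLOWS):
        print(f"VIOLATION {f.src} -> {f.dst}:{f.dport}  {why}")
```

Run as a script, it reports the two offending flows: the corporate host reaching a PLC directly, and a DMZ host other than the jump host reaching the quality-control segment. The same allow-list is what a firewall between the zones would enforce; evaluating it against observed flows first shows how much traffic a flat network is currently carrying across boundaries before any rule is turned on.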
These are the key business decisions in which cybersecurity leaders should be empowered to get involved, informing decision makers of the actual risk to the business when necessary security mechanisms are deployed, explained McMann.
Pharma companies with effective security are also able to effectively communicate the risks to the board and are empowered to take action, he added. Other companies with risky security processes may see board resistance and calls to “let it ride.”
Boards may respond that they’re willing to accept the risk or not, based on the security leader's assessment, said McMann. “It takes money and willingness to cause business effects.”