Zero trust, Identity, Encryption

Protecting a high-value target: Steps needed to implement zero trust in pharma

Photo: a BD Viper LT, an automated molecular testing system. BD issued voluntary disclosures for a pair of hard-coded vulnerabilities affecting some of its medical devices, including Pyxis and Viper LT. (Photo by governortomwolf, licensed under CC BY 2.0)

Amid the continued surge in COVID-19 cases, the pharmaceutical sector plays a critical part in supporting the health care sector response. But research shows the majority of pharma entities are actively exposing sensitive data through unsecured or vulnerable endpoints, demonstrating how desperately the sector needs better access management and endpoint security controls.

The ongoing pandemic contributed to the strain on resources and the overall security concerns within the pharma sector, which Dave Cronin, vice president and head of cyber strategy at Capgemini Americas, argues makes the pharma sector ripe for adopting a zero trust security model.

At face value, the pharma sector has the funding and revenue coming in, as well as the expertise, focus, and “the ability to train their user community on best practices and what to do and what not to do via education,” said Cronin. Most pharma companies have also invested in network applications and security, which can provide the needed foundation.

Indeed, while the health care sector is burdened with constrained resources and limited security staff, theoretically, the shift into zero trust would be less burdensome in the pharma sector. Cronin explained how these firms can invest more into the network and security itself, with greater ease than in most sectors.

Establishing a security baseline

Much like other sectors, the pandemic forced a shift into more remote processes. As the network edge now exists beyond the physical enterprise and employees continue to share sensitive data from anywhere, there’s a crucial need to shift away from the traditional castle-like, layered approach to security.

To Cronin, the focus has been on maintaining access to data outside of the business and the myriad problems tied to these new tech adoptions, while hackers continue to target the highly valuable data.

“Intellectual data is really the crown jewels of the pharmaceutical industry itself,” said Cronin. But the secondary piece is the trial data and information on the participants, the personally identifiable information and related information, like Social Security numbers. If that information is compromised, it can “trigger a lot of fines, bad press, and problems.”

By adopting a “trust no one” mentality, the sector could better protect highly targeted, valuable data. But Cronin notes that a lot of these entities don’t know where they stand in terms of their security posture and should seek out a third-party consultant to perform an overall risk assessment to find their standing in the market.

The baseline assessment can determine if the pharma entity is employing the appropriate controls and where they are on the maturity scale in their cyber environment. If a pharma entity determines their rudimentary score is below average, “where they’re behind the times compared to their peers,” the next phase is to obtain a buy-in from the executives to move the needle.

Cronin explains the message to the board should be clear: “We need to do something here. Not only are we not compliant, but we have a lot of risk.”

“Risk is an important thing to assess and be able to communicate upstream, as the more risk, the more damage. You don’t want to be on the front page of the paper,” said Cronin. “You’re establishing a roadmap for an organization based on risk.”

The list should prioritize high-risk items to address first, whether that be the implementation of technology or making enterprise changes. The next steps will include fixing current implementations and then establishing 60- and 90-day plans, as well as longer term projects over the course of the year.

In the end, the roadmap should be designed to get the pharma company “to the point where, not only do they have the right technology in place and understand the compliance, but also have the culture to understand, anticipate, and remediate going forward,” he added.

Key zero trust concepts

Encryption is a key component of the process: it protects data in transit between laptops and the network, and between users and the applications they access, explained Cronin.

But the vital component of zero trust is bolstering identity and access management: strong authentication mechanisms that prove the user is who they purport to be, strengthened with functions like device tokens that prove the device really is the property of the company.

The next step includes policies to outline the role of specific users and the elements or functions the employee is able to access. With zero trust, Cronin explained that users should only have access to items absolutely needed to perform the job function, otherwise access is restricted.

Network segmentation and microsegmentation, compartmentalizing areas of the network and protecting each one, is another crucial piece of the puzzle. The overall goal is to restrict lateral movement within the network.

For pharma, the most valuable data will likely be the biggest priority for added security, which includes firewall gateways, additional authentication in some instances, malware protection, and other elements to prevent unauthorized access.

In the event of a compromise, access is limited, which prevents an attacker from proliferating across the network. With added monitoring capabilities, a pharma entity can verify when the unauthorized user gained access, what they accessed, and whether the encryption worked, explained Cronin.
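The concepts above (strong user authentication, a token proving the device is company-managed, least-privilege role policies, segments that demand extra authentication for the crown jewels, and an audit trail that can later answer who reached what and when) fit together in a single policy decision point. The following is an added example written for this article, not code from Capgemini or any product Cronin describes; the HMAC device-token scheme, the role policy, the segment map, the user names and every other value are constructed for illustration.

```python
import hmac
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Assumption: a per-organisation secret shared with the device enrolment service
# (constructed value; a real deployment keeps this in an HSM or secrets store).
DEVICE_KEY = b"constructed-demo-enrolment-key"

# Constructed least-privilege policy: each role lists the only resources it may touch.
ROLE_POLICY: Dict[str, frozenset] = {
    "researcher": frozenset({"ip-repo", "trial-data", "wiki"}),
    "trial-analyst": frozenset({"trial-data", "wiki"}),
    "hr": frozenset({"hr-records", "wiki"}),
}

# Constructed segment map: each resource sits in one segment, and the
# high-value segments (IP, trial PII) demand a second authentication factor.
SEGMENTS: Dict[str, dict] = {
    "ip-repo": {"segment": "crown-jewels", "mfa_required": True},
    "trial-data": {"segment": "trial-pii", "mfa_required": True},
    "hr-records": {"segment": "corp", "mfa_required": False},
    "wiki": {"segment": "corp", "mfa_required": False},
}
SECOND_FACTORS = {"otp", "hardware-key"}


def issue_device_token(device_id: str) -> str:
    """Assumed scheme: token = device_id + ':' + HMAC-SHA256(key, device_id)."""
    mac = hmac.new(DEVICE_KEY, device_id.encode(), hashlib.sha256).hexdigest()
    return f"{device_id}:{mac}"


def verify_device_token(token: str) -> Optional[str]:
    """Return the device id if the token is genuine, else None."""
    if ":" not in token:
        return None
    device_id, mac = token.rsplit(":", 1)
    expected = hmac.new(DEVICE_KEY, device_id.encode(), hashlib.sha256).hexdigest()
    return device_id if hmac.compare_digest(mac, expected) else None


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    factors: frozenset      # authentication factors presented, e.g. {"password", "otp"}
    device_token: str
    resource: str


AUDIT_LOG: List[dict] = []


def decide(req: Request, now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Evaluate one request; every outcome, allowed or not, is appended to AUDIT_LOG."""
    now = now or datetime.now(timezone.utc)
    seg = SEGMENTS.get(req.resource)
    device = verify_device_token(req.device_token)

    if seg is None:
        allowed, reason = False, "unknown-resource"
    elif device is None:                      # device is not company property
        allowed, reason = False, "unmanaged-device"
    elif "password" not in req.factors:       # user not authenticated at all
        allowed, reason = False, "not-authenticated"
    elif seg["mfa_required"] and not (req.factors & SECOND_FACTORS):
        allowed, reason = False, "mfa-required"
    elif req.resource not in ROLE_POLICY.get(req.role, frozenset()):
        allowed, reason = False, "not-in-role"  # least privilege: not needed for the job
    else:
        allowed, reason = True, "allow"

    AUDIT_LOG.append({
        "time": now.isoformat(),
        "user": req.user,
        "device": device,
        "resource": req.resource,
        "segment": seg["segment"] if seg else None,
        "allowed": allowed,
        "reason": reason,
    })
    return allowed, reason


def access_history(user: str, allowed_only: bool = True) -> List[dict]:
    """Answer the forensic question: what did this user reach, and when?"""
    return [e for e in AUDIT_LOG if e["user"] == user and (e["allowed"] or not allowed_only)]


if __name__ == "__main__":
    token = issue_device_token("laptop-42")
    t0 = datetime(2021, 1, 15, 9, 0, tzinfo=timezone.utc)
    print(decide(Request("alice", "researcher", frozenset({"password", "otp"}), token, "ip-repo"), t0))
    print(decide(Request("alice", "researcher", frozenset({"password"}), token, "ip-repo"), t0))
    print(decide(Request("bob", "trial-analyst", frozenset({"password", "otp"}), token, "ip-repo"), t0))
    print(decide(Request("mallory", "researcher", frozenset({"password", "otp"}), token[:-1] + "x", "ip-repo"), t0))
    for entry in access_history("alice"):
        print(entry)
```

The ordering of the checks matters: an unmanaged device or an unauthenticated user is rejected before the role policy is consulted, so a stolen password on an unenrolled laptop never reaches the crown-jewels segment, and the audit record still captures the attempt with its reason. Denied attempts are kept in the log deliberately; the `allowed_only` flag on `access_history` lets an investigator ask either "what did this user reach" or "what did they try".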

The final step is to educate and routinely train employees, as part of overall enterprise buy-in and support of the process. Cronin stressed that there needs to be an investment in the employee community to “do the right thing and be cognizant of threats that are out there.”

“Being compliant doesn't necessarily mean you're secure,” said Cronin. Many compliance regulations provide vague guidance on certain security needs to prevent an audit, but not specifics on the needed steps. 

Interestingly, in health care, awareness for security needs is at its highest and has moved past the "compliance as security" mindset. Cronin notes that it’s still an issue in pharma, where often security is still seen as checking a box in response to key regulatory questions, like the use of a security awareness program.

Pharma companies need to take it a step further and take a pulse of the enterprise cybersecurity culture: 

  • If you can prove the use of a security program, how frequently does training occur?
  • Is there a tracking mechanism to see what employees were part of the program?
  • Is there enterprise buy-in and support?
  • Does the security team monitor or follow-up?
  • Is there a culture of cyber within the enterprise, as opposed to simply being compliant?

Not only is the cyber culture important, entities will also need an inventory to understand the scope and impact of what they’re trying to protect, said Cronin. "If you don't have that as a logical first step, you're losing sight of a potential device that is unpatched, compromised, or [another issue].”

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
