The drive for transparency of clinical-trial data in the pharmaceutical industry and associated sectors will inevitably increase the vulnerability of data networks to cyber-attacks, warns a hacking expert at professional services organisation Ernst & Young.
At the same time, though, says Simon Placks, EY’s director, fraud investigation and dispute services, the introduction of new data portals gives companies and other data handlers in the sector an opportunity to review assumptions about their systems and re-engineer the data flow in their organisation to tighten up security.
Any organisational change involving data will introduce vulnerability, and particularly when that change is undertaken under pressure, Placks told PharmaTimes Clinical News.
Moreover, pharmaceutical companies are custodians of high-value data, which makes them of interest to ‘hacktivists’ or state-sponsored teams of cyber attackers from emerging markets.
As Placks explains, market forces in data incursion are also widening the range of potential targets.
Ten years ago, hackers were mainly concerned with direct financial data, he says. But the burgeoning market for those data has pushed prices down, and hackers are now looking further afield.
They are also spending more time understanding the characteristics of particular industries, so that phishing e-mails designed to download malware can be tailored more convincingly to recipients.
The most sophisticated hackers can move from this initial “beachhead” to full compromise of a data network in as little as 72 hours, Placks warns.
Another trend in data transparency that could leave pharmaceutical or healthcare organisations exposed is the desire to aggregate and integrate different data sources, which together can provide better insight into treatment effects, patient pathways or health outcomes.
Hackers are “great data aggregators”, and combining one pseudo-anonymised data source with another will raise the risk of de-anonymisation, Placks points out.
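The aggregation risk Placks describes, shown as an added example that is not code from the article, EY or PharmaTimes: two constructed record sets share the quasi-identifiers age, sex and postcode district, a join on those fields re-identifies every pseudonym whose combination is unique, and a k-anonymity check plus a coarsening step shows what a data custodian can measure and apply before release. All records, field names and function names are assumptions made for the demo.

```python
"""Linkage (de-anonymisation) demo with constructed data.

Added example, not code from the article or from EY. A pseudonymised
clinical extract keeps age, sex and postcode district because analysts
need them; a second data set that carries names with the same fields is
enough to re-identify anyone who is unique on that combination.
"""
import re
from collections import Counter, defaultdict

# Constructed pseudonymised trial extract: direct identifiers removed,
# quasi-identifiers (age, sex, postcode district) retained.
TRIAL_EXTRACT = [
    {"pseudonym": "P-001", "age": 54, "sex": "F", "postcode": "SW1A", "arm": "drug", "adverse_event": "rash"},
    {"pseudonym": "P-002", "age": 54, "sex": "F", "postcode": "SW1A", "arm": "placebo", "adverse_event": None},
    {"pseudonym": "P-003", "age": 61, "sex": "M", "postcode": "M14", "arm": "drug", "adverse_event": "nausea"},
    {"pseudonym": "P-004", "age": 37, "sex": "F", "postcode": "EH1", "arm": "drug", "adverse_event": None},
]

# Constructed second source (e.g. an appointment list or a leaked mailing
# list) that carries names alongside the same quasi-identifiers.
NAMED_LIST = [
    {"name": "A. Smith", "age": 54, "sex": "F", "postcode": "SW1A"},
    {"name": "B. Jones", "age": 54, "sex": "F", "postcode": "SW1A"},
    {"name": "C. Brown", "age": 61, "sex": "M", "postcode": "M14"},
    {"name": "D. Green", "age": 37, "sex": "F", "postcode": "EH1"},
    {"name": "E. White", "age": 37, "sex": "F", "postcode": "EH2"},
]

QUASI_IDS = ("age", "sex", "postcode")


def qid_key(record, fields=QUASI_IDS):
    """Tuple of the quasi-identifier values used as the join key."""
    return tuple(record[f] for f in fields)


def k_anonymity(records, fields=QUASI_IDS):
    """Smallest equivalence-class size over the quasi-identifier fields.
    k == 1 means at least one record is unique on those fields and is a
    candidate for linkage to any other source sharing them."""
    counts = Counter(qid_key(r, fields) for r in records)
    return min(counts.values())


def link(trial, named, fields=QUASI_IDS):
    """Join the two sources on quasi-identifiers.
    Returns {pseudonym: [candidate names]}."""
    index = defaultdict(list)
    for r in named:
        index[qid_key(r, fields)].append(r["name"])
    return {r["pseudonym"]: index.get(qid_key(r, fields), []) for r in trial}


def reidentified(trial, named, fields=QUASI_IDS):
    """Pseudonyms that map to exactly one named individual, i.e. the
    records the aggregation has de-anonymised."""
    return {p: names[0] for p, names in link(trial, named, fields).items()
            if len(names) == 1}


def generalise(records):
    """One mitigation: coarsen the quasi-identifiers (postcode to its area
    letters, age to a ten-year band). Records still unique at this
    granularity remain linkable, which is why k_anonymity() is checked
    on the release set rather than assumed."""
    out = []
    for r in records:
        r = dict(r)
        r["postcode"] = re.match(r"[A-Z]+", r["postcode"]).group(0)
        r["age"] = (r["age"] // 10) * 10
        out.append(r)
    return out


if __name__ == "__main__":
    print("k-anonymity of raw extract:", k_anonymity(TRIAL_EXTRACT))
    print("re-identified (raw):", reidentified(TRIAL_EXTRACT, NAMED_LIST))
    g_trial, g_named = generalise(TRIAL_EXTRACT), generalise(NAMED_LIST)
    print("k-anonymity after generalisation:", k_anonymity(g_trial))
    print("re-identified (generalised):", reidentified(g_trial, g_named))
```

On the constructed data the raw join names two of the four participants outright (the two women aged 54 in SW1A are only safe because they shade each other), and coarsening the fields still leaves the one man aged 61 exposed because his equivalence class in the trial itself has size one. The point for a custodian is that the k-anonymity figure of the extract is the thing to measure before granting access, since any other source with the same fields, internal or external, is the attacker's join partner.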
Data-access portals are another point of vulnerability. One common mode of cyber attack is through ‘waterholing’, whereby a compromised website infects visitors to the site rather than the host itself (e.g. by installing malware on the visitors’ systems to collect data, e-mails, passwords, etc).
Plan to fail
All the same, no organisation can “keep everyone out all of the time”, so companies need to “plan to fail”.
Chances are, Placks suggests, that by the time clinical-trial data are ready for a new access system, a compromise may already have occurred upstream at one of many data touchpoints (e.g., regular auditing of clinical trials or data-sharing with external researchers).
Pharma organisations need to think about their vulnerability to common forms of cyber attack, as well as gathering more intelligence on what goes on in their own networks and what kind of data hackers are interested in, Placks says.
That way, organisations can install better “CCTV” in their data systems and take regular samples from networks so that any attacks can be dealt with as quickly as possible. That includes threats from the organisation’s own employees, particularly in an unstable job market.
The wrong approach, Placks adds, is to focus solely on network perimeters (such as a data-access portal) and to assume that hackers can be kept out.
Information Security Survey
According to a Global Information Security Survey published by EY last October, many respondents – who spanned major industries worldwide, including healthcare – were still not equipped to make informed decisions about the nature and level of potential cyber attacks.
For example, 59% of the organisations surveyed cited an increase in external threats, yet one third did not have a cyber-threat intelligence programme in place.