Any company can fall victim to a cyber-attack – but there’s no doubt the pharmaceuticals industry is a prime target.
This summer, the UK’s National Cyber Security Centre (NCSC) sent out a stark warning that organisations involved in developing a COVID-19 vaccine in the UK, US and Canada had been targeted by a group known as APT29. Unsurprisingly, it is ‘highly likely’ they intended to ‘[steal] information and intellectual property (IP) relating to the development and testing of COVID-19 vaccines.’
Whether they’re intent on stealing IP or holding companies to ransom, attackers will maliciously exploit any weakness they can to cause maximum disruption. They know precisely what is at stake, in terms of patient safety, the value of IP and cost of reputational damage.
Yet given the gravity of these threats, it is remarkable to think that it takes companies an average of 191 days to identify a data breach and 66 days to contain it. By the time they discover the breach, their systems have already been compromised and data could be lost.
While highly-sensitive research and drug recipes are always in demand on the dark web, COVID-19 brought with it a raft of fresh security concerns. Though not just targeted at pharma, there have been reports of ‘COVID-19 themed ransomware lure emails’ at a time when IT controls were weaker due to remote working and heightened anxiety might have caught some people off-guard.
Another report exposed the password vulnerabilities among executives at some of the world’s leading pharma firms, looking at how cyber-criminals are able to access both personal accounts and corporate networks. Indeed, as many as 68% of executives’ emails were found to have been exposed in a data breach within the past five to 10 years.
Data sharing is now commonplace in pharma, both between internal departments and with authorised external partners – but without adequate safeguards, there is a real danger that information will fall into the wrong hands.
This is why any investment made in digital technologies like automation, advanced planning and scheduling (APS), Internet of Things (IoT) and artificial intelligence (AI) needs similar investment in security too.
Every pharma company must ensure its applications have in-built security features and are updated regularly. They also need to communicate and review cyber-security policies, train staff, instil good practice and have a disaster recovery plan in place.
A lax approach to cyber-security – including weak or shared passwords, failure to update software, using public WiFi and unauthorised devices and file sharing – immediately puts an organisation at risk. The financial and reputational damage of a data breach is bad enough but think how catastrophic it would be if life-saving treatments are delayed or insurers refuse to pay some, or all, of the costs.
It might seem counter-intuitive to suggest that storing mission-critical production data off-site can help protect pharma companies from attackers. After all, it surely makes sense to hold this information on local servers and only grant access to authorised personnel.
While there is nothing wrong with this approach, protecting business systems depends on the vigilance and expertise of your IT department, whether it is in-house or outsourced, and wider workforce. This includes responsibility for data back-up, running updates and maintaining servers in temperature and moisture-controlled rooms. Any oversight, like failing to fix a bug, could quickly turn into a security threat.
It is worth remembering too that data loss is not always the result of malicious activity. A fire, power cut or natural disaster can also be extremely damaging to a business, especially if files are only backed up on an individual’s desktop and/or external hard drives kept in the same building as your server.
One of the biggest advantages of moving to cloud-based software and disaster recovery as a service (SaaS and DRaaS) is that data is stored off-site, away from pharma facilities that could be targeted. This physical distance alone offers protection from malware and natural disasters adversely impacting on-site servers and other IT infrastructure. Should your on-site servers fail, you are able to run any systems by logging onto the cloud.
Data is, of course, one of your most valuable assets, so always choose a provider with world-class data centres, preferably spread across different territories. Should there be a power outage or ransomware attack on a centre in the UK, or any country, data can be retrieved from another.
Unlike some back-ups, which are usually run overnight, a good DraaS creates a secure replica of the whole server at regular intervals (for example, every 15 minutes or less), so production managers do not need to worry about losing even a day’s work. Crucially, it can recover lost data within minutes to ensure business continuity.
Just as important are the data centre’s security credentials, so ask your provider if it is ISO 27001 compliant, how access to the building is controlled and whether it has fire protection safeguards and back-up generators. You also need reassurances that there is a team of experienced cloud specialists, responsible for managing updates and patches and limiting the chances of a successful cyber-attack.
In the fight against cyber-criminals, pharma companies should work with their SaaS partner to monitor user accounts and alert you to any breaches in real-time. This means you can quickly implement your response plan, change passwords and reinforce security policies to avoid any serious fall-out – even if teams are working remotely or on different sites.
Identifying a data breach in good time is one thing – but it could be months before you find out that critical information has been shared on the dark web and cannot be removed. One option is to use a dark web monitoring service, which helps you identify potential threats and take remedial action.
Unlike other manufacturing industries, drug production is the final stage in an R&D process spanning years or even decades. As such, it demands highly-specialist processes, with digital systems acting as a hub for real-time production data that improves operational productivity and efficiency.
A cloud-based APS, for instance, optimises production workflows, allowing teams to successfully manage and scale up highly-complex and inter-dependent processes via an unlimited number of planning algorithms.
These systems also tend to be far more secure, especially compared to storing data on local servers and desktops. As we have seen, a high-performance data centre offers multiple layers of protection, while different levels of permission grant access only to those who need it.
As pharma production becomes more data-led, companies must be more vigilant than ever in safeguarding their systems from attack. However, we should not view any of the recent breaches as a reason to shy away from digitisation in pharma. After all, technology is essential for innovation, which is one of the hallmarks of the sector.
The past few months have shown that technology is essential in ensuring businesses can remain operational in a crisis, and move quickly in response as the market demands. The pandemic has reminded us too that every company needs an effective security policy to avoid data being compromised in the first place, as well as an up-to-date and easy-to-implement disaster recovery plan.
Rod Schregardus is a supply chain technology specialist at Access Group