How can pharma companies safeguard themselves from increasingly sophisticated cyberattacks? Rod Schregardus explains why vulnerabilities occur and suggests some preventative measures

The debate around whether COVID-19 vaccine patents should be waived to ensure worldwide equity put the question of intellectual property (IP) in pharmaceuticals firmly in the spotlight in 2021.

Politicians and industry experts around the globe argued that simply making the recipe available to all would be counterproductive. Far from helping to tackle the crisis, organisations like the International Federation of Pharmaceutical Manufacturers and Associations argued that waiving the patent could cause disruption and distract from scaling up production and distribution.

It would certainly be difficult to replicate a novel mRNA vaccine – the result of pioneering research and development – without working with the original drug maker to develop the right processes too. The then German chancellor Angela Merkel said that ‘manufacturing capacities and high quality standards’ were the ‘limiting factor’ in vaccine production, and that protecting IP supported innovation.

Value of IP

This sentiment will certainly strike a chord with anyone who works in pharmaceutical R&D and manufacturing. IP is a highly valuable and closely guarded asset, and patent disputes are relatively common. However, while companies may go to great lengths to protect their proprietary drugs via the courts, they don’t always have robust IT security practices to prevent data being compromised.

Court settlements are never cheap, but even they can pale in comparison to the average cost of a data breach, which, for pharma, came in at just over $5million (£3.7million) in 2021.

When production is unexpectedly halted, entire batches may need to be scrapped, at a cost of up to £500,000. If the attack cannot be contained quickly, companies could well see longer-term manufacturing delays and struggle to fulfil their contracts. As reported in 2017, the temporary production shutdown that followed the Merck attack not only cost $135million in lost sales, but meant the company also had to ‘borrow from a US Centers for Disease Control’s (CDC) strategic stockpile to meet demand for one of its vaccines’.

This is not to say that pharma companies have not invested in cybersecurity over the years, but rather that they sometimes struggle to keep pace with the growing threat.
They may have had piecemeal policies, without a clear strategy, or believed, as the vaccine patents furore demonstrated, that their drugs were too complex to replicate easily. It is a view that Jim Wheeler, a director at the consultancy Control Risks, says was held by some in the industry until the COVID-19 outbreak.

However, it soon became clear that organisations involved in the development of vaccines were being targeted. Given the urgency of the situation, any clue into the make-up of the vaccine could be used to push forward programmes in countries where governments had little regard for IP, let alone Good Manufacturing Practice (GMP) and maintaining validated processes.

Wheeler points out that it is not only IP that could be compromised. Financials and HR data are valuable assets that could be held to ransom too. Another risk is that ransomware links and malicious material could be posted on public-facing websites, resulting in huge financial and reputational damage.

Patchwork of IT systems

Cybercriminals will exploit weaknesses in any organisation’s security, of course. However, large-scale pharma companies often have a patchwork of IT systems, both current and legacy, that have grown and become more complex through mergers and acquisitions. This makes them vulnerable.

There could be hundreds, or even thousands, of different software solutions being used across sites around the world, but managed by one, over-stretched central IT team. This team is trying to stay on top of applying for software licences, as well as managing updates and security patches. It also makes life extremely difficult for the manufacturing team, who have little time to spend grappling with clunky, and potentially risky, software.

Investment in technology is only going to increase among pharma companies. Automation, machine learning, artificial intelligence, Internet of Things, data analytics and predictive modelling have all transformed R&D and manufacturing practices, helping to drive innovation, maximise capacity, ensure safety and, ultimately, improve patient outcomes.

Yet, when production facilities are run using a myriad of connected devices, including laptops, smartphones and internet-enabled machinery, there are more potential vulnerabilities, and malware can spread quickly across the entire network.

Prevention, not cure

It takes pharma companies an average of 277 days to identify and contain a data breach, by which time valuable assets could have been sold on the dark web.
To build resilience, Wheeler advocates investment in people, processes and technology. Employees need to be well trained in good password management practice, be alert to phishing emails and grow confident in their decision-making, both on a day-to-day basis and during a suspected cyberattack.

It is incumbent on pharma companies to make sure that their software is fully up to date and supported, as well as easy to use, if they want to promote compliance and avoid the risky workarounds staff may develop. Wheeler impresses that it is necessary to promote a culture where everyone takes responsibility for security, not just IT.

The growing appetite for cloud-based technologies, in pharma and elsewhere, is an opportunity to bolster security. A reputable cloud provider will run continuous backups and fast recovery of data in the event of an attack, or another incident, such as a fire. They will have cybersecurity specialists working proactively to monitor and respond to threats, as well as maintaining compliance with ISO27001 and HIPAA for information security.

Employees can also be confident that they are using the latest version available, since the cloud hosting provider manages all the updates, simultaneously relieving the pressure on IT. In the past it might have taken six to nine months to plan and implement an upgrade to on-premises software, whereas, today, a cloud-based version can take just half a day. By making everything available in one place, and from any permitted device, senior leaders can reduce the chance of staff continuing to use unsupported, legacy software or unauthorised applications.

Some industry professionals may be cautious about storing sensitive or commercial information away from their on-premises systems. However, it is worth remembering that a hosted provider stores the data in high-grade data centres, with restricted access for personnel, backup electricity generators and environmental protections against fire and flood, to further reduce the risk of data loss.

Looking ahead

Both the prevalence and sophistication of cyberattacks are growing all the time, particularly following COVID-19. Some have been targeted attempts to steal IP, while others were blanket phishing emails looking to prompt people to inadvertently click on a malware link.

A serious breach is rare, but no company is immune, especially as digitisation continues to gather pace across the pharma industry. Understanding and monitoring the risk, and developing a strategy to prevent and manage an attack, are key to building resilience. As has been shown, this is achievable without creating an additional burden for busy IT or production teams.