The pharmaceutical landscape is changing rapidly. The demand for more affordable and effective medications is increasing and has prompted drug developers and manufacturers to adopt innovative techniques, information and operational technologies (IT/OT). Many are adopting an Industry 4.0 model, focusing on automation and data exchange to achieve operational excellence
With an appreciation of the importance of protecting the highly sensitive and extremely valuable information collected throughout drug production, data protection and security remain a high priority when applying new technologies.
Although the integration of innovative systems and data centralisation using cloud-based platforms can help to improve manufacturing efficiency, it also adds new vulnerabilities. Risks to data integrity and security must be minimised or pharma developers and manufacturers could see financial and reputational consequences.
In this article, Juan Jose Lopez, Associate Director, OT/ICS Security Architecture, Life Sciences Manufacturing at Cognizant, explores how the industry is adapting to ensure data protection in the age of Industry 4.0 and explains how companies can best optimise their security.
A growing threat to pharmaceutical data security
As therapeutics progress from design to commercial stages, extensive amounts of critical data are generated that provide information ranging from the drug’s molecular weight to its performance in clinical trials.
The sensitivity and value of the data collected is reflected in the costs involved in the recovery of a data breach, which were estimated to be, on average, approximately $5 million.1
Data breaches typically encompass further losses in addition to the stolen data itself. Criminal groups operating on the dark web are aware of the value of pharma data and its potential to generate billions in sales.
From personal identifying indicators and protected health data collected during clinical trials to profit, pricing and financial information, all have the potential to be sold for criminal profit.
Reports of cyberattacks against pharma manufacturers and healthcare increased significantly following the onset of the COVID-19 pandemic.
Breaches as a result of ransomware attack — wherein malware encrypts files on a device, disabling them and the corresponding system until a ransom is paid in exchange for decryption — have also become more common in the pharma industry.
Consequences of these threats include corporate espionage, loss of intellectual property (IP), undermined profits, loss of patient data and regulatory violations.
Protecting against data loss
With pharma remaining a high-value target to cybercriminals, the industry must adapt to incorporate robust cybersecurity systems to protect its proprietary data and IP.
However, the pharma data environment is in the middle of an evolution towards an Industry 4.0 model and many organisations are navigating the incorporation of new digital systems to improve operational effectiveness.
Although the increasing integration and application of IT and OT platforms can support manufacturing efficiencies, they may also introduce vulnerabilities in data security and integrity.
Many companies are also dealing with further issues that compound the complexity of producing an effective response to data security threats. These include the use of legacy IT and disparate systems following mergers and acquisitions.
On top of the inherent challenges of adopting an Industry 4.0 model and ensuring that data is safe from threats, pharma developers and manufacturers must also evidence the security of their data to regulators.
Ensuring regulatory compliance, including following current good manufacturing practices (cGMPs), conducting risk management and incident reporting all provide a solid grounding for data security. However, it is important to remember that being compliant with regulatory requirements does not eliminate the risk to data security.
Fortunately, there is also a significant amount of guidance available from regulators regarding how to build a solid cybersecurity platform, as well as industrial standards and protective frameworks.
These include federal laws such as US FDA 21 CFR Part 11: Electronic Documentation Management in Pharma Processes, ISA/IEC 62443 standards and those developed by the National Institute of Standards and Technology.
Regulatory compliance is something that the vast majority of pharma companies demonstrate extremely well every day. However, the faster adoption of Industry 4.0 digital innovation is challenging organisations and their operations to achieve two things at once: securing data and demonstrating to regulators that sensitive information is secure.
That outcome is not as synergistic as it sounds because just ensuring that the process is compliant doesn’t necessarily remove the entire risk to the enterprise.
A layered defence to protect data security
A holistic approach to cybersecurity — incorporating various elements to create layers of increasing data protection — is proving to be the best way for pharmaceutical manufacturers to proactively defend themselves against cyberattacks and data theft.
This ideal approach systematically aligns data security efforts to the organisation’s operational and business goals while combining foundational protection, security culture, workforce education and innovative tools.
OT cyber resilience is achieved by ensuring that the organisation has proper governance, management and security processes in place. Some of the key tenets for OT security are achieved by
Cyberattacks exist and complete security is not possible. In most cases, it is not a matter of if a company is going to face a cyber incident, but when. Based on this principle and following the recommendations and internationally accepted best practices in cybersecurity frameworks, a layered, holistic defence should be implemented to prevent or minimise the impact of cyberattacks.
Asset identification and protection: Without identifying the assets to be detected, it will be impossible to defend them. Pharma organisations will need to identify, register and assign owners to all hardware devices, critical data, processes and software.
The asset owners will be responsible for ensuring that specific information is accessed, handled and managed appropriately. They will then need to establish and define security controls and configuration baselines, as well as ensure that management guidelines for each are updated.
Data classification: It is important to establish data classification procedures that define and differentiate critical, confidential and proprietary data, and provide a detailed description of when and how the information can be used, shared and stored.
The knowledge gained through data classification will allow the organisation to understand the measures needed to protect the data based on its sensitivity and importance.
Access control: Pharma developers and manufacturers should implement procedures and processes to enable access control, mitigating the risk of information being accessed without the appropriate authorisation and, therefore, the risk of a data breach.
This will encompass identifying and authenticating users, processes and systems, and protecting data at rest and in transit using strong encryption procedures
Network protection: The principles of defence-in-depth, in which multiple layers of security controls are applied, should be developed. Having multiple defences will provide redundancy in the event that one security control fails or there is a vulnerability that can be exploited in one layer.
These will rely on perimetral access control and traffic inspection provided by firewalls, secure remote access, network segmentation and microsegmentation based on security zones … and separating operational networks from corporate ones and the Internet.
Continuous monitoring: The multilayer boundary defences should also be developed to detect network intrusion and anomalies while controlling and filtering inbound and outbound traffic.
With anomaly detection processes, the defences should ensure that systems are kept up to date, update antimalware systems and offer threat hunting/intelligence capabilities.
Incident management: To ensure a rapid and effective response, pharma organisations must implement an incident management process (defining incident response responsibilities, scalation and communication measures) and ensure that users know how to respond to major incidents.
This could be by working through a series of attack simulations (tabletop scenarios, playbooks or runbooks) that represent the threats and vulnerabilities that the organisation could face.
Security governance: Pharma organisations should establish a security governance process. This involves defining responsibilities for security, implementing a risk-based approach toward critical risk mitigation and establishing comprehensive training and awareness plans for users.
By following these steps, pharma manufacturers can build a strong defence against cybersecurity attacks and protect valuable data from breaches.
A supportive partnership to safeguard data security
As the pharma landscape expands in complexity, with rising demand for broader access to therapeutics and the incorporation of innovative new technologies into existing processes, safeguarding the critical data generated will become increasingly challenging.
To protect patients, the pharma industry must navigate these issues and protect data from the growing risk of cybersecurity breaches. With the help of expert vendors, pharma organisations can ensure an effective and meaningful data security response with the right systems and training in place to protect patients.