Digitalization – as it unfolds and imbibed by most drug companies, is presumed to herald a whole new ballgame in the Indian pharma business. Equally significant is the quantum benefit that the process will deliver to pharma stakeholders – right from drug companies to patients. It has already hastened the process of new drug discovery and will also help charting newer ways to meaningfully engage with stakeholders, besides enhancing treatment outcomes for patients, appreciably.
However, the flip side is, more benefits a company accrues from digitalization, greater will be the risks of cyber-attacks. Thus, preventive measures should also be equally robust. Otherwise, hackers can bring a company’s digital system to a standstill, causing not just a temporary loss in revenue and profit, but also valuable data leak, with considerable impact on even long-term business.
Strangely, associated risks of digitalization to pharma companies are seldom outlined in any discussion, leave aside alternatives for salvaging such untoward situation, if or as and when it comes. Unless, it is felt that the scope of such discussion doesn’t cover the implementors and falls totally on cybersecurity experts.
Nonetheless, it is intriguing in the pharma space. The reason being, pharma industry believes, while talking about the efficacy of any drug, its vulnerability in terms of side-effects, contraindications or drug interactions, should also be known to its users. That’s the purpose of a packaging leaflet. It’s a different reason though, that most drug companies in India have virtually jettisoned this practice as a cost saving measure, even for drugs that are not under price control. That apart, in this article, I shall explore the relevance of cybersecurity in the digitalized pharma world.
A question that help understand its implication:
During organizational transformation through digitalization in pharma, just like any other business, all crucial documents get transferred from paper to digital formats. The key question that follows in this regard is – what happens to these digital documents post cyber-attacks, if any? Any attempt to answer this question holistically will help people realize its implication – that ‘cybersecurity must be more than an afterthought.’
‘Cybersecurity must be more than an afterthought’:
The article, ‘Cybersecurity in the Age of Digital Transformation,’ published by MIT Technology Review Insights on January 23, 2017, stressed upon this critical point. It highlighted: “As companies embrace technologies such as the Internet of Things, big data, cloud, and mobility, security must be more than an afterthought. But in the digital era, the focus needs to shift from securing network perimeters to safeguarding data spread across systems, devices, and the cloud.”
Thus, while discussing the need to digitally transform a company’s business, cybersecurity must be part of that conversation from the very start – the paper underscored in no uncertain terms. That’s exactly what we are deliberating today - ‘as companies embark on their journeys of digital transformation, they must make cybersecurity a top priority.’
The cybersecurity threat may cripple innovation and slow business:
Cisco explored the concept of Cybersecurity as a Growth Advantage by a thought leadership global study. While assessing the impact of cybersecurity on digitalization, it surveyed more than 1,000 senior finance and line-of-business executives across 10 countries. Some of the key findings, as captured in the Cisco report, may be summarized, as follows:
- 71 percent of executives said that concerns over cybersecurity are impeding innovation in their organizations.
- 39 percent stated that they had halted mission-critical initiatives due to cybersecurity issues.
Interestingly, 73 percent of survey respondents admitted that they often embrace new technologies and business processes, despite cybersecurity risk. However, as we shall see below, pharma executives are quite confident of cybersecurity, probably because of inadequate experience in this area, as on date.
Companies are struggling with their capabilities in cyber-risk management:
The paper published in the May 2014 issue of the McKinsey Quarterly journal, titled “The rising strategic risks of cyberattacks”, also flagged this issue. It said: “More and more business value and personal information worldwide are rapidly migrating into digital form on open and globally interconnected technology platforms. As that happens, the risks from cyberattacks become increasingly daunting. Criminals pursue financial gain through fraud and identity theft; competitors steal intellectual property or disrupt business to grab advantage; ‘hacktivists’ pierce online firewalls to make political statements.”
McKinsey’s research study on the subject, conducted in partnership with the World Economic Forum also upheld that companies are struggling with their capabilities in cyber-risk management. As highly visible breaches occur with growing regularity, most technology executives believe that they are losing ground to attackers. Its ongoing cyber-risk-maturity survey research also ferreted out the following important points:
- Large companies reported cross-sector gaps in their risk-management capabilities.
- 90 percent had “nascent” or “developing” ones.
- 5 percent was rated “mature” overall across the practice areas studied.
Interestingly, the research found no correlation between spending levels and risk-management maturity. Some companies spend less, but do a comparatively good job of making risk-management decisions. Others spend vigorously, but without much sophistication. Even the largest firms had substantial room for improvement – McKinsey reiterated.
‘Corporate espionage’– a prime reason behind cyberattack on pharma:
An interesting article appeared in The Pharma Letter on July 18, 2017 on this subject. The paper is titled “Cyber-attacks: How prepared is pharma?” It said:“The pharmaceutical industry is a prime target for hackers. In 2015, a survey of Crown Records Management revealed that nearly, two-thirds of pharma firms had experienced breaches in data, and that one fourth of these same companies had been victims of hacking.”The paper also highlighted ‘corporate espionage’ as one of the prime reasons behind hacking.
In view of this, the author articulated that the need for pharma and healthcare companies to fortify their security systems has become clear in recent years. The best method of protection is to prevent cyber-attacks from happening, or at least reduce the risk of a hack, he advised.
Instances of cyber-attacks in pharma are many:
To drive home the point that when firms and other organizations fail to strengthen IT systems against attacks, they incur high costs -the above paper cited an example from the year 2016. It said: “The average global cost of data breach per stolen record was US$ 355 for healthcare groups, higher than losses in other fields such as education (US$ 246/record), transportation (US$ 129), and research (US$ 112).”
The author further emphasized that besides financial losses, pharma companies and other healthcare groups risk losing the trust of patients and other stakeholders. With the ongoing digitization in pharma, new threats may become even more pervasive and sophisticated. “Thus, investment in cybersecurity must be a priority, if pharma players are to protect their data and the data of their stakeholders”, he added.
Are pharma executives experienced enough on cybersecurity?
As reported by Pharma IQ on July 31, 2018, one of its recent surveys found that around 70 percent of senior pharma decision makers are “confident” or even “very confident” in their company’s IT security. But, digging deeper, the survey uncovered that:
- 42 percent of respondents’ companies do not routinely follow IT security policies,
- 49 percent said that the corporate risk profile is not firmly understood across all departments.
The survey concluded that this could potentially lead to gaps in the security process. To me it appears, this could, as well, be due to inadequate experience of pharma executives in this area.
But, investment in pharma IT is increasing:
The good news is, even in the current scenario, many pharmaceutical companieshave started making investments in IT solutions, in general. This is corroborated by the 2018 survey by Global Data. Some of its important findings are, as follows:
- 79 percent of them are currently making investments in identity and access management (IAM) solutions
- 72 percent are considering investment in the solutions over the next two years.
- 75 percent of the respondents are currently deploying some form of backup, archiving, alongside content and web filtering solutions to store, as well as, preserve their online information.
In pharma perspective, digitalization of business promotes paperless culture. It radically changes the basic infrastructure of maintaining critical documents in the workplace. Digital document storage systems become the nerve center of information on the company. All data – strategic or related to operations – internally generated or acquired – right across all critical functional areas, such as IP, research, clinical trials, manufacturing, sales and marketing, finance, supply chain legal and even of the CEO’s office, find a space in this digital data sever.
Although, the benefits of digitalization are well known and much discussed, it has a contraposition, as well – related to the vulnerability of the system to cyber-attacks. This flags a demanding need for protection of digitally stored assets from cyber-attacks, or to frustrate even any misdemeanorfrom amateur hackers. Thus, creating an almost impregnable, well-firewalled digital data storage server assumes prime importance. Equally important is formulating and religiously implementing a robust digital policy for the same.
Creating strong awareness among employees and stakeholders regarding cybersecurity and involving them in tandem with a system-approach, sans an iota of complacency, is expected to mitigate such vulnerability, appreciably. Thus, a sense ofexigency for cybersecurity in the digitalized pharma world, I reckon, is very real.
By: Tapan J. Ray
Disclaimer: The views/opinions expressed in this article are entirely my own, written in my individual and personal capacity. I do not represent any other person or organization for this opinion.