Digitalization in the pharmaceutical industry is a reality today, advancing slowly but steadily across its various domains: drug discovery, clinical development, supply chain, and sales and marketing, including engagement with various stakeholders. Consequently, the concept of data as a business asset is fast taking center stage, as the nerve center of the business. It encompasses conceiving the data requirement, generating a massive pool of credible data accordingly, analyzing it and, finally, putting a robust data security system in place against any kind of theft or misuse.
Digitalization of the pharma business helps transform the company into an always-ready, agile, customer-centric business entity, with one ear always listening to customers to delight them with its deliverables. The other ear is on its employees, with a similar objective. This is a difficult task and mostly involves disrupting the status quo within the organization, but it often produces game-changing outcomes for the business, as is known to many.
This is why one sees a good number of people offering expert digital services for the pharma industry, along with the hope of a never-before improvement in future organizational performance. So far so good, but this transformation process also invites a huge technology-related threat to business – ‘Cyberthreat.’ In this article, I shall focus on the critical need to guard against this threat, as is often advised by all well-qualified domain experts. This risk is expected to increase further as the technology keeps advancing.
Although I had deliberated on Cybersecurity in my article, ‘Exigency of Cybersecurity in Digitalized Pharma,’ in a different context, before delving into the core point of today’s discussion, let us together recapitulate what ‘Cyberthreat’ means to us in the real world.
Cyber-threat in the digitalized business:
Let me paraphrase, especially in the context of the pharma industry, what the Cybersecurity and Infrastructure Security Agency (CISA) of the Government of the United States has stated. It says that ‘Cybersecurity’ or ‘Cyber threats’ to a control system refer to attempts at unauthorized access to a control system device and/or network using a data communications pathway.
This access can be directed from within an organization by trusted users or from remote locations by unknown persons using the Internet. Threats to control systems can come from numerous sources, including disgruntled employees and malicious intruders. To protect against these threats, it is necessary to create a secure cyber-barrier around the Industrial Control System (ICS).
Many sources indicate that threats to cyber security in business are often aimed at gaining access to a company’s digital system to damage or steal data, or even at rattling its digital infrastructure to accomplish a specific purpose.
Rapid digitalization in pharma may attract more cyber criminals:
According to a senior official of Kaspersky, a global cyber security company: “As rapid digitalization penetrates the healthcare sector, cyber criminals are seeing more opportunities to attack this lucrative and critical industry, which is honestly not equipped enough to face this virtual danger.”
The company further emphasized that, with systems now interconnected and mobile devices extensively used, both for remote access and for data sharing, digitalization in pharma increasingly exposes organizations to both generic and targeted attacks. Thus, ‘creating Cyber immunity’ to ensure a powerful safeguard against such threats becomes a top priority area in the digital transformation process of the drug industry.
Interestingly, way back in 2012, another report had also cautioned: ‘Cybercrime costs economy billions annually, with pharmaceutical and biotech companies among the hardest hit.’
Evidence of Cyber-attacks on pharma across the world:
There are numerous pieces of evidence of Cyber-attacks on pharma players globally. For instance, in June 2017, The Washington Post reported that a US-based global pharma major was among dozens of businesses affected by a sprawling cyberattack, with victims across the globe facing demands to hand over a ransom or have their computer networks remain locked and inaccessible.
Another report, dated December 13, 2017, noted that by the third quarter of the year, ‘Merck had a better idea of the financial tab from the attack. While it generally had a very solid quarter, the results were dampened by the impact of the attack. There were $300 million in lost sales and costs.’
The Deloitte paper, titled ‘Cyber & Insider Risk at a Glance: The Pharmaceutical Industry’, also reiterated that evidence abounds that pharmaceutical companies are the target of sophisticated Internet criminals. Serious cyberattacks are taking place even in the most advanced countries, including the US, Europe and Japan.
In the US, besides Merck, hacking has taken place against other major pharma and medical device makers, such as ‘Boston Scientific, Abbott Laboratories, and Wyeth, the drug maker acquired by Pfizer Inc. The same group successfully hacked the Food & Drug Administration’s computer center in Maryland, exposing sensitive data (including formulas and trial data) for virtually all drugs sold in the US,’ the paper revealed.
The real impact of the attack often doesn’t come out:
The outside world often doesn’t get to know the comprehensive impact of numerous cyber-attacks, for various reasons. These may include the possible aftermath for both the corporate image and the brands, besides share prices. At the same time, the situation may prompt many to question the company’s capability to protect its business in the digitalized world.
The key reasons:
As the 2018 Data Security Incidence Report highlights, healthcare led all industries in volume, accounting for about 25 percent of more than 750 reported incidents. Drawing on what Kaspersky has identified from the various attack techniques and behavior of cyber-criminals targeting the digital infrastructure of pharma players, let me paraphrase below the three key motivators, besides a few others:
- Getting Intellectual Property (IP) related strategic details, including R&D, unpublished clinical trial results and formulation development processes.
- Detailed business plans for pre-identified products.
- Or, it may even be for ransom.
Where does India stand?
According to reports, India ranks 6th among countries with the highest cyber-attacks on pharmaceutical companies. Malicious attempts were detected on nearly 45 per cent of machines in Indian pharmaceutical organizations, that is, more than four in 10 devices. Ahead of India are Pakistan (54 per cent), Egypt (53 per cent), Mexico (47 per cent), Indonesia (46 per cent) and Spain (45 per cent).
Such attacks are taking place even in India, as cyber-criminals “are slowly realizing that pharmaceutical companies house a treasure trove of highly valuable data such as the latest drugs and vaccines, the newest researches, as well as medical secrets,” the report says.
Likewise, another article, published in Health Issues India on September 17, 2019, made some interesting points. The article is titled ‘Cyberattacks: A crisis in Indian pharma?’ It flagged the following three areas in this regard:
- Numerous cracks exist in the cyber-security armor of Indian pharmaceutical companies.
- Just five to ten percent possess security systems strong enough to protect information from hackers.
- And many do not learn about a breach for several months.
Quoting a top expert, the paper reemphasized that, generally, in Indian pharma companies “current systems don’t have security control and visibility in place to immediately detect the attack and respond on a real-time basis.” Thus, ‘it is unsurprising that Indian pharma has been so hard hit by cybercrime,’ the article further commented.
Echoing many others, Booz Allen also advised in its article – ‘Understand the risks, and stay ahead of the game.’ This is a critical requirement in the digital age. Although most pharma companies agree on the possibility of huge business losses from a cyber-attack, the industry continues to lag behind other industries when it comes to cyber-security implementation, the paper reiterated.
On the other hand, just strengthening a company’s IT systems, alongside installing powerful anti-virus software, may still not be enough. Nor will it be adequate to work closely with the vendors who help protect the cyber-security of the digital infrastructure of various companies. Even a robust system of forensic audit and analysis, and re-evaluating cyber-security protocols on an ongoing basis, may not be able to prevent cyber-attacks.
This is primarily because a company is run, managed, looked after and cared for by its employees. Although it always remains the endeavor of any company to hire good, trustworthy and high-performing employees, it does not always happen that way. It is equally possible that some of them, at some time, for some reason, may misuse the digital network for others’ or personal gain.
Thus, besides putting in place all the other safeguards stated above, to attain desirable ‘Cyber-Immunity’ it is crucial for the organization to ensure each employee’s buy-in to a vital concept: protecting cyber-security is everybody’s responsibility in a digital business framework, both individually and collectively. The process should start from the CEO and percolate down to the lowest rung in the ladder of hierarchy.
Hence, the reality is that the ongoing digital transformation process of the pharma business would open the door to cyber-threats, often leading to crippling cyber-attacks. Thus, developing a comprehensive and strong cyber-immunity framework becomes essential for the organization. From this perspective, right from the start of this process, and not later on, drug companies need to ponder the critical link between digitalization and cyber threats, to provide adequate cyber immunity to their digital systems for game-changing outcomes.
By: Tapan J. Ray
Disclaimer: The views/opinions expressed in this article are entirely my own, written in my individual and personal capacity. I do not represent any other person or organization for this opinion.