Looking Ahead: Cybersecurity Threats for Life Sciences
Guest Post by Danilo Maruccia, Digital Governance Competence Center & IT infrastructure Director, Senior Equity Partner PQE Group, with contributions from Stephen Tyrpak, Associate Vice President of MD Operations; US & Canada, Associate Partner
January 30, 2023
In the first half of 2022, there were 2.8 billion worldwide malware attacks and 236.1 million ransomware attacks. By year-end 2022, it was expected that six billion phishing attacks would have been launched. As we move into 2023, cybersecurity continues to top the list of CIO concerns. This comes as no surprise.
Cybercriminals have engaged in cyberattacks against healthcare organizations for years, and ransomware continues to be relevant despite efforts to combat it. Data breaches remain a common issue, and companies remain vulnerable. Threats are evolving and becoming more sophisticated and effective, and a growing range of attack vectors is in use. Managed service providers, supply chains, and open source software are among those being compromised. And while governments are increasingly aggressive in fighting back, healthcare organizations have as big a role as ever in defending themselves.
As threats become more significant, and as attackers continually change their strategies and methods, organizations must relentlessly adapt to the ever-increasing and intrusive efforts of the hackers. Ransomware attacks are now a permanent feature of the cyber threat landscape, increasing in number and sophistication. Ransomware as a service (RaaS) providers are continually improving their software, and RaaS has also made it easier for various threat actors, including those with little technical knowledge, to deploy ransomware against targets. This new paradigm consists of a core group of developers who set up and maintain the ransomware and payment sites, and the affiliates they recruit who breach victims’ networks and encrypt devices. Because of the significance, prevalence and impact of ransomware, the United States Cybersecurity and Infrastructure Security Agency (CISA) published its guidance on ransomware.
Attacks on life sciences and healthcare providers, including health technology, pharmaceutical, biotechnology and medical device companies, have increased significantly in recent years; the World Health Organization, for example, reported a fivefold increase in attacks in 2020. The growth in data loss and ransomware attacks on these organizations critically exposes them and disables medical equipment and devices. The risks can lead to catastrophic consequences, including:
- Patient Safety / Death
- Intellectual Property Theft
- Legal Liability and Lawsuits
- Regulatory Penalties and Fines
- Reputational Damage
Several steps should be taken, on an ongoing basis, to mitigate cybersecurity and privacy risks. These include:
- Performing privacy or security risk assessments to determine whether potential risks and vulnerabilities exist, and working with external counsel to mitigate identified risks and vulnerabilities
- Evaluating existing privacy and security policies and cybersecurity insurance coverage to project the cost of an incident and address gaps in coverage
- Evaluating enterprise-wide personal information data collection and retention practices to ensure compliance with state, federal, and international data collection laws
- Providing training to all types of staff, not just information technology, on phishing and ransomware awareness best practices (e.g., how attackers conduct it, what threat actors are looking for and practical advice for spotting and reporting the threat)
- Including indemnification, restrictions on data use and other clauses in vendor contracts to protect against harm, and conducting regular contract reviews
We believe that the future of healthcare is connected medicine. The potential for integrated pharmaceutical/biotech products and medical devices is infinite. It includes innovations such as knee implants that connect to a phone to track pH and degradation that can notify the patient or doctor of a possible infection or complication. Other examples are heart valves that can provide diagnostic feedback to a doctor that could help optimize pharmacological treatment or a chip implanted under the skin that could report if a cancer patient in remission is showing diagnostic signs that cancer may have returned.
While these may sound improbable, there was a time when nobody believed a pacemaker could save a person’s failing heart. The one thing that all of these have in common is that if they were to enter the market, they would be highly dependent on appropriate software and IT communication and would ultimately call for a new level of cybersecurity. Until now, most cybersecurity concerns have focused on protecting patients and institutional information, which is critical and has costly impacts. However, as technology continues to progress, cybersecurity threats may cost organizations their earnings, their reputations and people their lives.
Pharmaceutical, biotech and medical device companies must design their products with built-in, robust cybersecurity measures, while at the same time performing appropriate cybersecurity risk assessments with the help of cybersecurity experts. As technologies continue to evolve, the need for these specialized professionals to identify the exact cybersecurity risks associated with a product is critical. As with any risk matrix, you cannot mitigate a risk if you do not know its potential harm.
* * * * *
PQE Group is an ISO 9001-certified technology solutions and compliance consulting services company for the life sciences industry, providing global capabilities deliverable throughout the entire product quality life cycle. Established in 1998, PQE has 30 offices worldwide and more than 1500 industry subject matter professionals. PQE specializes in areas including Data Integrity Assurance, Digital Governance and Cybersecurity, Medical Devices, Qualification and Engineering, Laboratory Excellence, Quality Compliance, Regulatory Affairs, and Third-Party Audits. It also has a proven track record managing large multi-site projects as well as small, medium, and start-up pharmaceutical, biotech, and medical device clients.
PQE Group’s highly professional subject matter experts can help ensure your IT systems are safe from ransomware, hackers, and other cyber threats. By partnering with PQE Group, you can be confident that your company will maintain FDA (and other regulatory agency) compliance and that your product can be safely developed and manufactured.