Theme news

Latest news: cybersecurity in pharma

Credit: Bert van Dijk/Getty images.

6 March 2023

Shifting cybersecurity responsibility to US tech firms may be “counterproductive”, says expert

The Biden administration has rolled out a new National Cybersecurity Strategy (March 2) that puts more pressure on the US tech industry to take more responsibility for protecting their systems from hackers.

The new strategy aims to take on the systemic challenge of too much responsibility for cybersecurity falling on individual users and small organisations.

The strategy has had a mixed reception, however, some experts believe that “overregulation” could have a “counterproductive” effect on a company’s cybersecurity. “Even amid surging cybercrime, shifting the cybersecurity burden to software developers and tech solution providers may seem an unduly harsh move, however, economically speaking it makes perfect sense,” Dr. Ilia Kolochenko, founder of ImmuniWeb, and a member of Europol Data Protection Experts Network, told Verdict.

“That being said, overregulation or bureaucracy will certainly be harmful and rather produce a counterproductive effect.

“Unnecessarily burdensome or, contrariwise, formalistic and lenient security requirements will definitely bring more harm than good.”

Kolochenko believes the “technical scope” and “timing of implementation” for the requirements of Biden’s proposal is paramount to companies’ success or failure in taking increased responsibility.

The new National Cybersecurity Strategy also calls for US law enforcement to put more emphasis on bringing down gangs of digital thieves and ransomware bandits.

Edgard Capdevielle, CEO at cybersecurity company Nozomi Networks, believes that the work to implement the proposed strategies will “be expensive in time”.

“While the National Cybersecurity Strategy represents a positive shift in motivation, the actual work to implement these strategies will be expensive in time, human resources, and investment in compatibility and interoperability going forward,” says Capdevielle.

31 March 2023

FDA clarifies cybersecurity requirements to match newly enacted US law

New laws passed by the US government which came into effect on 29 March 2023 gives U.S. Food and Drug Administration (FDA) authorisation to require cybersecurity adjustments in submitted medical devices. The requirement will take effect 90 days from the law being passed, giving vendors until October 1, 2023, to prepare submissions meeting the new standards.

In its newly issued guidance for cyber devices, the FDA have said they intend not to issue ‘refuse to accept’ (RTA) decisions for cybersecurity shortcomings to vendors who submitted before this deadline. The agency plans to work collaboratively with sponsors as part of the review process to meet the new laws passed in the Consolidated Appropriations Act, 2023 by the US Senate.

By October this year, the FDA expects submissions to meet the new requirements, citing sponsors will have had sufficient time to prepare their premarket submissions. For submissions that do not tick the cybersecurity boxes, the FDA will duly issue RTAs.

Cybersecurity is becoming a more pertinent concern as more medical devices become connected to the internet, healthcare systems, and other digital devices. As connectivity and digital integration become an increasingly common feature in medical devices, security risks increase too. Data breaches are one of the main concerns – medical health records, insurance details and payment information could all be leaked.

According to GlobalData, between 2020 and 2025, cybersecurity in medical devices is forecast to grow at a CAGR of 7.3% from $869mn to $1.23bn. Inextricably linked will be the money spent by healthcare providers and payors to ensure digital safety too – this will grow slightly faster at a rate of 8.1%, from $4.59bn to $6.77bn.

22 March 2023

UK and Israel collaborate on cybersecurity development

The UK and Israel have announced the signing of a new roadmap for UK-Israeli bilateral relations. The roadmap will deepen tech, trade and make the country a driving force in the cybersecurity industry by 2030.

The roadmap is designed to deepen cooperation between the UK and Israel. Both countries will benefit from increased investment to strengthen cybersecurity capacity and foster tech innovation.

“Israel has long been a pioneer in digital forensics and cybersecurity. The investment made in terms of people and funding, over time, has proved highly successful in recent years and has made the country a driving force in the cybersecurity industry,” Jake Moore, global cybersecurity advisor at global digital security company, ESET, told Verdict.

The roadmap comes with £20m of joint funding that will go towards technology innovation to enable both countries to stay globally competitive.

“The constantly evolving ecosystem built to respond and prevent threats has made the country synonymous with cybersecurity.

The investment in people has also shown to improve the nation and its capabilities, far greater than seen in the UK,” claims Moore.

According to a GlobalData Thematic Research: Cybersecurity (2022) report, there continues to be an ongoing shortage of cybersecurity skills.

There is currently a 65% workforce shortfall in the global cybersecurity space. This agreement between the UK and Israel is vital in closing this gap.

07/01/2024 17:15:18

Expert view

Key questions about cybersecurity in the pharmaceutical industry: Q&A with GlobalData thematic analyst

Credit: Bert van Dijk/Getty images.

Wafaa Hasan, MSc, is a senior digital health and thematic analyst in the pharma team at GlobalData’s London office. Her responsibilities involve writing reports and providing insights on digital strategy across disease areas and channels. Prior to working in the digital health team, Wafaa worked in the Thematic Intelligence team at GlobalData, where she contributed to quantitative and qualitative analysis reports on disruptive themes and technologies, with a focus on pharma, healthcare and medical devices sectors.

Lara Virrey: What are the biggest cybersecurity challenges facing pharmaceutical companies today?

Wafaa Hasan: For biopharmaceutical companies, the primary dangers cyberattacks pose are intellectual property (IP) loss and operational disruption. Losing IP and proprietary information erodes their competitive advantage as innovations are stolen. For example, in December 2020, data related to Pfizer and BioNTech’s Covid-19 vaccine was stolen and released online. Meanwhile operational disruption at any stage of the value chain hinders output and ultimately revenue.

Undefended breaches will always beget reputational damage and litigation risk, and recent regulation punishes the exposure of personal data more severely, so companies involved in handling sensitive personal health data, such as those conducting clinical trials, have to be aware of the dangers.

Lara Virrey: How can pharma companies best defend themselves against cyber threats?

Wafaa Hasan: Due to the sensitive nature of their research, intellectual property and personal data they handle, there are several practices that pharma companies can use to effectively defend themselves against cyber threats. For instance, pharma companies can conduct regular risk assessments that determine and evaluate any potential weakness and dangers in the organisation’s systems, procedures, and infrastructure. Effective resource allocation and security measure prioritisation will be made possible by this review.

Pharma companies can also use role-based access controls (RBAC), multi-factor authentication (MFA), and strong passwords to make sure that only authorised users can access sensitive systems.

Conducting regular training programs for employees is crucial in any pharma organisation to educate employees about common cyber threats, phishing attacks, and encourage employees to report suspicious activities promptly. Another practice is to use security information and event management (SIEM) tools, firewalls, intrusion detection and prevention systems (IDPS), and endpoint protection. These technologies provide proactive defence against cyberattacks by being able to identify and stop threats in real time.

Additionally, DevSecOps has been discussed for several years but will be more broadly implemented in development cycles in the coming years. DevSecOps is a software delivery model that involves introducing cybersecurity early in the software development life cycle. This means security is ingrained in the early stages of app development and involves early collaboration between developers and security teams. DevSecOps has many benefits, including improving security posture and integration, faster delivery of applications as security is already ingrained into the application, and reducing costs by identifying potential vulnerabilities and bugs before deployment.

Lara Virrey: How has the nature of cybersecurity threats to the healthcare industry changed in the past two to three years?

Wafaa Hasan: The rush from office-based work to remote working caused by the Covid-19 pandemic significantly increased cyber risk. The increased use of technology such as collaboration tools increased the potential attack surface for hackers, and the high speed of transition required meant that many IT security teams had insufficient time to install adequate security defences. Companies also moved more sensitive operations and information online than before, making attacks more costly.

Malicious actors took advantage of this environment through cyberattacks such as phishing, ransomware, and supply chain attacks. Companies involved in developing Covid-19 vaccines and therapeutics became targets of cybercriminals looking to steal proprietary information about these products.

Even after the Covid-19 pandemic, cyber risk is higher than ever, for example, in April 2023 generics drug manufacturer Sun Pharmaceuticals disclosed a ransomware attack compromising its file systems, resulting in the theft of both company and personal data.

Lara Virrey: Is the pace of innovation in security technologies keeping up with evolving threats?

Wafaa Hasan: Yes, although it is a constant challenge, the rate of innovation in security technology is generally keeping up with changing threats. Cyber dangers are continually changing, with new attack methods, strategies, and flaws appearing all the time. To counter these growing dangers, security technology vendors diligently create new solutions and updates. It's crucial to remember that the cyber threat landscape is complicated and evolving quickly. Attackers frequently outsmart security systems and develop new ways to exploit weaknesses.

There are several areas where security technologies are evolving. For instance, artificial intelligence (AI and machine learning (ML) are becoming particularly popular for incident response, given the increasing number of cyberattacks organisations must deal with every year. Automating incident response with AI makes it easier to resolve more incidents quickly, reducing the organisation’s downtime and resources required to deal with IT security.

Behavioural analytics tools can also be used to establish baselines of normal user behaviour and identify anomalous activities that may indicate a security breach.

Companies rushed to adopt the cloud when the Covid-19 pandemic pushed employees to work from home, which increased the attack surface area and exposed entry points for bad actors. The misconfiguration of security settings that fail to provide adequate security for cloud data is a growing problem in cloud security. Without strong security measures, cyberattackers can target those misconfigurations to steal cloud data.

Endpoints, or entry points, are end-user devices connected to a network. Examples are laptops, smartphones, or IoT sensors and devices. The need to work remotely during the pandemic caused a proliferation of laptop endpoints connected to the cloud. 5G networks will also increase the proliferation of IoT devices as they provide greater capacity for device connection. However, more endpoints mean more entry points for attackers to exploit. Endpoint protection and zero-trust models help contain attacks and protect the entire network in the event of one endpoint being exploited.

Lara Virrey: Are pharma companies doing enough to protect themselves against cyber threats?

Wafaa Hasan: In comparison to other industries, news of successful cyberattacks on pharma companies are relatively uncommon. Large-scale attacks such as the NotPetya malware attack in 2017 have been a warning for the industry, with Merck & Co’s estimating that damages from NotPetya amounted to $1.4bn as the company’s supply chain backlogged.

However, cyberattacks are still increasing in frequency and intensity, so pharma companies need to keep updating and investing in their cybersecurity capabilities, for example through the adoption of zero-trust architecture.

Companies such as Sanofi and Johnson & Johnson are industry leaders in the theme, investing in comprehensive cybersecurity measures. However, others, such as Shanghai Henlius Biotech and Cadila have been identified as laggards in the cybersecurity theme by GlobalData, and need to do more to protect company operations and sensitive personal data.

GlobalData, the leading provider of industry intelligence, provided the underlying data, research, and analysis used to produce this article.

GlobalData’s Thematic Intelligence uses proprietary data, research, and analysis to provide a forward-looking perspective on the key themes that will shape the future of the world’s largest industries and the organisations within them.

07/01/2024 17:15:18

Comment

Key cybersecurity trends in pharma

As per GlobalData, ransomware, cloud security, and shoring up against supply chain threats are key trends driving the theme of cybersecurity.

Credit: Getty Images/the_burtons

Maintaining the security of IT systems is a constant struggle for organisations of all types. Cyberattacks are frequent and increasingly complex, perpetrated by those furthering a geopolitical cause or attackers intent on making money. In 2021, enterprises invested more in cybersecurity and cloud architecture due to employees working remotely during the pandemic. This also sparked a mergers and acquisitions (M&A) boom in the tech sector.

Listed below are the key technology trends impacting the cybersecurity theme, as identified by GlobalData.

Ransomware and cybersecurity

According to the EU Agency for Cybersecurity (ENISA), there was a 150% rise in ransomware attacks from April 2020 to July 2021. ENISA has described the threat picture as the “golden era of ransomware”—partly due to attackers’ multiple monetisation options. Ransomware is a multi-faceted offensive campaign that also involves an attack on the brand reputation of the victim. Attackers are now operating secondary monetisation channels, auctioning exfiltrated data on the dark web.

A Cybereason survey found that 35% of businesses that paid a ransom demand paid between $30,000 and $1.4m, while 7% paid ransoms exceeding $1.4m. About 25% of organisations reported that a ransomware attack had forced them to close down operations for some time.

Cloud security

In the absence of strong security measures, cyber attackers can target the misconfigurations of security settings to steal cloud data. A March 2022 ‘Cloud Security Report’ from Check Point Software, based on a survey of 775 cyber security professionals, revealed that cloud security incidents were up 10% from the previous year, with 27% of organisations citing misconfiguration, ahead of issues like exposed data or account compromise.

Cloud misconfiguration is typically caused by a lack of awareness of cloud security and policies; inadequate controls and oversight; too many cloud application programming interfaces (APIs) and interfaces to adequately govern the system; and negligent insider behaviour.

Chip-based cybersecurity

Protecting chips from cyberattacks is becoming a necessity as chips end up in mission-critical servers and in leading-edge, safety-critical applications. As systems vendors and original equipment manufacturers (OEMs) increasingly design their own chips, rather than buying commercially developed devices, they are creating their own ecosystems and are, therefore, making security requirements much more of a home-grown concern.

Macroeconomics is a key driver. The discovery in 2017 of high-profile security vulnerabilities—notably Meltdown and Spectre—meant chip vendors had to patch their security holes with software. That meant that customers, who had upgraded their servers to make the most of new processors, then lost much of their performance improvement. That, in turn, forced them to add more servers to process the same volume of data in the same amount of time.

Credit: Shutterstock/BeeBright

Cybersecurity supply chain threats

Cyberattacks targeting software supply chains are increasingly common and typically devastating. They came to the fore in 2020 when Russian hackers broke into SolarWinds’ systems and added malicious code to the company’s software system.

SolarWinds provides system management tools for network and infrastructure monitoring, and approximately 33,000 customers use its Orion platform to manage IT resources. Ultimately the hack would turn out to be one of the biggest cybersecurity breaches of the 21st century, affecting thousands of organisations, including the US government.

These attacks are effective because they can take down an organisation’s entire software supply chain and services, resulting in massive business disruption. Organizations can evaluate their attack surface and develop systems and infrastructure to defend against threats and manage vulnerabilities.

Critical national infrastructure (CNI) threats

Cyber threats against CNI are increasing, and governments are taking steps to recognise them. The 7 May 2021 attack on the Colonial Pipeline fuel facility in the US alerted governments worldwide to the risks such an attack can bring to CNI.

In Australia, the list of regulated CNI sectors has expanded to include higher education and research, communications, banking and finance, data, defence, energy, food and grocery, healthcare, space technology, transport, and water and sewerage. This formal expansion of CNI coverage will become a global trend as governments address cyber risks.

CNI organisations are increasing anti-ransomware precautions, mandating multi-factor authentication for remote access and admin accounts, locking down and monitoring remote desktop protocol (RDP), and training employees to spot phishing attacks and other threats.

Artificial intelligence (AI) threats

AI is essential to information security. It can swiftly analyse millions of datasets and identify various cyber threats. But attackers can also use AI as a weapon to design and carry out attacks. AI can mimic trusted actors, copying their actions and language. Using AI means attackers can also spot vulnerabilities more quickly, such as a network without protection or a downed firewall.

AI can also find vulnerabilities that a human could not detect, as bots can use data from previous attacks to spot slight changes. Cybercriminals can use data collected from a specific user or other similar users to design an attack to work for a particular target.

The growing use of managed cybersecurity services

Managed security services (MSS) provision is growing. According to the UK government’s 2022 Cyber Security Breaches Survey, 40% of businesses and almost a third of charities (32%) use at least one managed service provider. The core of an MSS provider’s (MSSP) business is in providing round-the-clock security monitoring and incident response for an enterprise’s networks and endpoints. However, as enterprise networks grow and evolve, support for other platforms, such as cloud-based infrastructure, has become a critical component of MSSP’s security portfolio.

Using an MSSP is typically intended to augment or replace an organisation’s internal security team, while other services offered by providers include intrusion prevention systems (IPS), web content filtering, identity access management (IAM), privileged access management, vulnerability scanning, and threat intelligence.

An offensive approach to cybersecurity defence

The increasing number of attacks against CNI has led to cyber authorities worldwide working more closely together. According to US Cyber Command, the US military plays a more offensive, aggressive role in combating digital threats. The UK now has a National Cyber Force, whose activities build on a previous National Offensive Cyber Program. France also has a cyber strategy with both defensive and offensive capabilities.

This is an edited extract from the Cybersecurity – Thematic Research report produced by GlobalData Thematic Research.

07/01/2024 17:15:18