Securing pharma's fast-expanding data landscape

Sept. 7, 2023
A layered defense-in-depth approach is the best way to handle pharmaceutical manufacturing data security

Pharmaceutical manufacturing’s terrain is changing fast and, post-pandemic, it is prompting the industry to respond vigorously with innovation and investment to meet demands for more affordable, effective medications. From the weights of individual molecules comprising an Investigational New Drug (IND) compound to the processing of a billion doses of a common generic, data is at the center of all pharmaceutical development and is fundamental to the safe, high-quality manufacture of all drugs.  

This data is highly sensitive and extremely valuable. AbbVie’s Humira, for example, is expected to generate more than $240 billion in sales globally by 2024, making it the top-selling drug of all time and making the data associated with this project one of the company’s most valuable assets.

Meanwhile, the industry is renewing its commitment to operational excellence and in the process adopting an Industry 4.0 model unique to pharma and its incredibly important mission of delivering society’s health care. The centralization of data via cloud-based content and management platforms can significantly improve data access, integrity and reliability. The cloud also expands and streamlines the organization’s response because critical information can be accessed and actioned in real time.

Although dynamic data sharing leveraging cloud-based collaboration platforms can support more efficient internal and external collaborations, the increasing integration and application of information technologies (IT) and operational technologies (OT) is also introducing new vulnerabilities to data security and integrity. This is a risk that the industry must manage decisively — or suffer the consequences.

IP theft is only the beginning

According to IBM’s 2021 Cost of a Data Breach Report, the average cost of a pharma breach in 2021 was more than $5 million — the third-highest cost behind the financial and health care sectors. But, to a certain extent, those cost estimates are related to how much it costs a company to recover from a data breach and not necessarily from the potential of loss from the stolen data itself. Pharma’s exposure to data security risk is increasing as its operating data becomes even more valuable to criminal groups operating on the dark web. Because drugs can generate billions in sales, data from the pharmaceutical production environment is extremely valuable and sensitive. Proprietary product and business data comes from all corners of the enterprise: 

  • Formulas and compounds 
  • Clinical test data 
  • Manufacturing processes 
  • Product chemistries and formulations 
  • Customer data 
  • Process design 
  • Protected Health Information (PHI) 
  • Personal Identifying Information (PII) 
  • Supply agreements and contracts 
  • Profit, pricing and financial information 

Pharma in the crosshairs 

Theft of sensitive information is just one of the threats facing pharmaceutical manufacturers. Cyberattacks on pharma are increasing and regulators have taken notice. During the pandemic, cyberattacks against pharmaceutical manufacturers and the healthcare sector skyrocketed. The UK’s National Cyber Security Centre (NCSC) reported more than 200 attacks specifically related to the pandemic, but it was a growing issue prior to the outbreak. IBM also reported it detected a number of cyberattacks against the vaccine cold chain, specifically companies and agencies involved in manufacturing and distribution.  

A recent joint statement by the FBI, Department of the Treasury, and Cybersecurity and Infrastructure Security Agency (CISA) provided details about the rising occurrence of ransomware attacks that hit the pharma and healthcare sector during 2021. As most of the pharma industry is coming to understand, “ransomware” malware encrypts files on a device, disabling those files and the systems that rely on them to function. Attackers then demand a ransom in exchange for decryption. And indeed, attacks are becoming more commonplace than ever, and pharma is a prime target due to the value of its proprietary data and intellectual property.  

Meeting pharma’s cybersecurity challenges head-on 

Pharma’s manufacturers face myriad challenges in ensuring enterprise data security. Ranging from network complexity to aging operating technology (OT) environments converging with legacy IT systems, there are few organizations that can say they are not challenged trying to put together an effective institutional response to data security. With growing manufacturing networks comes an expanding attack surface, and mergers and acquisitions of disparate systems, policies and procedures adds another layer of complexity to the cybersecurity onion. Add to this a cybersecurity skills shortage and insider threats. One of the more damaging cyberattacks of recent memory involved the internal theft of sensitive data. Underlining the challenge of cybersecurity are the unrelenting compliance obligations pharma faces while simultaneously generating innovation and the medications the world needs to sustain healthcare. 

Although regulatory compliance is something that the vast majority of pharma demonstrates extremely well every day, relative to cybersecurity, the faster adoption of Industry 4.0 digital innovation is challenging organizations and their operations to do two things at once: secure data and demonstrate that sensitive data is secure to regulators. That outcome is not as synergistic as it sounds — just because the process is compliant doesn’t necessarily remove the entire risk to the enterprise. 

For the most part however, Good Manufacturing Practices (GMP) covering documentation, data integrity, risk management, incident reporting and data protection do provide a sound basis for data security compliance and to prevent cybersecurity attacks in the first place. There is also a significant volume of guidance from regulators, industrial standards, and cybersecurity frameworks which provides pharma a solid platform on which to base its cybersecurity response and resilience to threats including: 

  • NIST series, developed by the National Institute of Standards and Technology. Especially NIST Cybersecurity Framework and NIST 800-82r3, Guide to Operational Technology Security 
  • ISA/IEC 62443 series: mainly 62443-2-1 Security program requirements for industrial controls systems asset owners  
  • ISO/IEC 27001 and ISO/IEC 27002, define requirements for the implementation of an information security management system, covering cybersecurity and privacy protection  
  • European legislation as GDPR for personal data protection, and NIS/NIS2 for networks and information systems protection 
  • Federal laws such as Health Insurance Portability and Accountability Act (HIPAA), Electronic Communications Privacy Act (ECPA), or several regulations from U.S. FDA such as 21 CFR Part 11: Electronic documentation management in pharma processes

Outlining the best possible security response 

A layered defense-in-depth approach is proving the best way to handle pharmaceutical manufacturing data security. Best practice across the cybersecurity community combines foundational protection, innovative tools, security culture and workforce education. These elements create layers of increasing data security that proactively thwart external cyberattacks and internal data theft. A holistic approach to cybersecurity is likely to provide more actionable insight into security risks before they occur, while continuously re-examining and improving the company’s data security protocols to be vigilant and protect against emerging threats. 

Data security is not an end, it’s the means to an end. The effort must be systematically aligned to the organization, its operations and business goals. Best practice calls for protocols to be aligned to industrial security standards and frameworks. Cybersecurity is a fluid construct, but the response must be structured to meet the threat across the entire enterprise, covering at least: 

  • Critical asset identification and protection: You cannot defend what you don’t know. Identify, register and assign an owner to all hardware devices, software, critical data and processes. Establish and define security controls and secure configuration baselines and update management guidelines for all of them. 
  • Establish data classification procedures, and determine what is critical, confidential or proprietary information. Provide a detailed description of the purposes for which the critical information may be used, shared, and stored, using encryption when transmitting and storing that information.  
  • Implement comprehensive procedures and processes for ensuring access control involving identification and authentication of users, systems and processes, based on managed identities and credentials and following the least privilege principle.  
  • Implement network protection procedures: Multi-layered boundary defenses should be developed relying on firewalls, separating operational networks from corporate, remote access and the internet, detecting network intrusion and anomalies and controlling and filtering both inbound and outbound traffic, using the principles of defense-in-depth. 
  • Implement continuous monitoring and anomaly detection processes. Check for vulnerabilities affecting critical processes, keep up-to-date systems and software, update malware and virus protection software and implement threat hunting and threat intelligence capabilities. 
  • Implement an incident management process to ensure a quick and effective response to cybersecurity events and incidents. Train users and technical staff and develop playbooks and runbooks for critical systems and major incidents. 
  • Establish a security governance process. It is not enough for corporations to implement technical solutions and expect them to deliver strategic value to the company. Define responsibilities for security and establish a risk-based process for continuous assessment and mitigation of critical risks. Establish comprehensive cybersecurity training and awareness plans for all users.   

A chronic, unabating threat  

Data is at the heart of pharmaceutical development and manufacturing; the quality and efficacy of all drugs depend on their security and integrity. Because of the challenges and complexities involved, much of pharma is turning to expert vendors to help deliver a meaningful and effective data security response. Vendors across the space are leveraging experience, systems and training to keep this chronic, unabating issue from limiting patient access to safe effective medications, no matter where in the world they are. 

About the Author

Juan José López | Associate Director of Cybersecurity Architecture and Governance, Cognizant Life Sciences Manufacturing