By John Lu, Life Sciences & Health Care Cyber & Strategic Risk leader, Deloitte & Touche LLP
Accelerated digital innovation during the COVID-19 pandemic brought significant positive changes, such as the ability to work effectively from home, reduced costs, improved cycle times, and greater visibility across the value chain. However, this has been accompanied by increased cybersecurity risks for the life sciences industry. As discussed throughout our ‘Intelligent biopharma’ report series, building trust in technology and having transparent, patient-centric protocols are pertinent when adopting novel AI approaches. This week’s blog by John Lu, US Life Sciences & Health Care Cyber & Strategic Risk Leader, first appeared as a US Center for Health Solutions Health Forward Blog and explores how life sciences companies can integrate cybersecurity as innovative, digital technologies continue to be adopted at scale.
Pharmaceutical companies are increasingly being targeted for cyberattacks, according to a July 7 alert from the FBI, Department of Treasury, and Cybersecurity and Infrastructure Security Agency (CISA).1 Over the past several years, cyberattacks against pharmaceutical, medical technology/device, and other life sciences companies have disrupted supply chains, hobbled manufacturing processes, erased years of research, and resulted in hundreds of millions in damages. Cybercriminals likely assume that these companies, and other health organisations, are willing to pay ransoms because their services are critical, according to the joint alert. These bad actors also know that the life sciences industry has trade secrets/intellectual property, vast amounts of personal health data…and deep pockets.
As the cyber leader for Deloitte’s Life Sciences & Health Care practice, I work closely with various organisations across the industry. Like most industries, life sciences companies are becoming increasingly digital. Late last year, Deloitte surveyed 150 leaders from pharmaceutical companies to learn more about the industry’s approach to digital innovation (see Biopharma digital transformation). The vast majority (77 per cent) of respondents said their organisation views digital innovation as a competitive differentiator.
While a digital strategy can help a life sciences company improve efficiencies in everything from research and development (R&D) to operations and sales, it also can expose companies to new risks as data starts to flow outside of their four walls and into data lakes that sit on various cloud platforms. While many life sciences companies are well aware of cyber risks, some executives still see them as more of an IT or R&D issue, rather than something that requires an enterprise-wide strategy.
COVID-19 accelerated innovation and threats
Compared to other industries such as banking and entertainment, the life sciences industry was slower to incorporate innovative digital technologies such as artificial intelligence (AI), cloud, and the Internet of Things (IoT) in its operations. That all changed during the early days of the COVID-19 pandemic. With lockdowns and physical distancing measures in place, many life sciences companies quickly transitioned to remote work, cloud-based data storage, virtual clinical trials, and other solutions to help maintain progress while many employees stayed away from their offices.
Cloud technologies and platforms provided scalability and agility for organisations to make it possible for employees to work remotely (and collaboratively) from home, store and share data, build data lakes, and even run AI and machine learning (ML) algorithms. Cloud technology also helped to reduce costs, improve time-to-discovery and insight, and collate data for greater visibility into manufacturing and supply chain operations. At the same time, pressure to develop vaccines and therapies required competitors to become collaborators and share digital information with each other. Each of these factors has increased cybersecurity risks. This has helped push life sciences cyber communities to be more agile and innovative in how they approach threats and vulnerabilities, as well as to collaborate even more extensively with peers throughout the industry.
Competition for cyber jobs is heating up
Looking back over the past 20 years or so, cybersecurity has evolved from a “low priority IT risk” to being a top enterprise-wide risk that is typically recognised across the organisation. Many life sciences companies are paying much closer attention to data and digital. Having the right people and skillsets dedicated to cybersecurity will continue to increase in importance.
As the cybersecurity industry continues to evolve, finding experienced, skilled talent has risen to become a top-tier issue for chief information security officers (CISOs). The demand for this expertise is astronomical. Every sector is looking to protect its digital data, and competition for top-tier talent is fierce. As many as 3.5 million cybersecurity jobs worldwide are unfilled—up 350 per cent between 2013 and 2021, according to industry researcher Cybersecurity Ventures.
Life sciences companies are no longer only competing head-to-head with other life sciences companies for talent. They are now competing with a wide range of companies from various industries, some of which are often able to offer dramatically larger compensation packages. Even professional service firms like Deloitte compete for cyber talent. Worldwide, Deloitte has more than 22,000 cyber and risk professionals, and as demand continues to increase, we have developed several alternative talent sources, including a train-to-hire program. This type of innovation will likely be needed to fulfil a skillset demand that continues to increase.
Three cyber questions to consider
I have noticed that health care and life sciences companies are increasingly referring to themselves as digital or technology companies. Virtually every step along the value chain is transitioning to digital, and I expect that this will only increase in the coming years. However, if company leaders fail to recognise the importance of integrating cybersecurity into that digital value chain, even the best tools, technologies, and processes could be defeated by cybercriminals (see Defending against ransomware).
As life sciences companies move forward with new and innovative digital technologies, there are three questions company leaders should consider:
- How is cyber integrated into our innovative approach?
Whether it is a digital transformation, a shift to the cloud/migrating out of the data centre, or moving forward with virtual clinical trials, each innovative approach has the potential to expose a company to new, diverse attack vectors. These threats should be considered throughout the process—from requirements to architecture and design, to development, to testing, and to deployment—as the company moves to operationalise. Gaps can occur when cybersecurity is not integrated from the beginning. Such gaps could be exploited, which could potentially negate any gains or trust that would have been obtained through the new approach.
- Who can access the data?
Digital data has become consumable like banking information and accessible from almost anywhere through various devices. The more accessible data becomes, the more security is needed to protect it. A company might not know exactly what is in the data because data often is not tagged correctly. Moreover, how do companies ensure that only the designated person can access the designated data through a designated channel? Can data be retrieved if an audit needs to be conducted?
- Are consumers, patients, and/or customers our top priority? Do they trust us?
About 50 per cent of US consumers do not trust biopharma companies, according to our report, Overcoming biopharma's trust deficit. As life sciences companies get closer to consumers, patients, and customers, garnering end-user trust can become an even more important value for companies to harness. Making it possible for end-users to securely access their data when they want it can be important. This might be one of the first interactions a consumer has with the company. Finding the perfect balance of accessibility, while protecting critical information, brings cybersecurity to the forefront of building and growing trust.