Not only is everything hackable, everything is also actually hacked. It is only a matter of time before cybercriminals increasingly manipulate and paralyse critical systems. The pharmaceutical and medtech industries are not immune to such attacks. As they involve human lives, information security is all the more important in their case.
The average cost for companies resulting from data protection breaches is USD 3.86 million per attack. A stolen dossier costs on average USD 148. In the healthcare sector the figure is higher: here, the costs are about 2.8 times higher, at USD 408 per dossier. This makes the industry a very attractive target for attackers.
However, an attack on pharmaceutical or medtech companies does not only have an impact in financial terms. The loss of control over data or the machine-learning algorithms used could, in extreme circumstances, endanger human lives. If a manufacturer of pacemakers is the victim of a cyber attack, the attackers could quickly gain control of the heartbeats and thus the lives of the patients. The same applies if manufacturers do not comply with basic security measures.
Intelligent medical devices are playing an increasingly important role in the emerging ecosystems of the healthcare sector. The products are primarily characterised by their growing connectivity. They connect the patient directly to hospitals, doctors, nurses, insurance companies, health authorities, central laboratories and research institutions. The lubricant for these ecosystems is a gigantic amount of highly sensitive data that is now more valuable than credit card numbers.
- Better analytics quality resulting from innovative machine learning metrics, both in large central laboratories and on the actual patient, for example using biomarkers
- Directly available results, regardless of location and time zone
- Improved quality of care for patients as a result of intensified contact, better support for monitoring and also personalised medicine based on big data and machine learning
- Cost savings resulting from the use of innovative business models
- Greater user-friendliness and improved customer experience due to the use of chatbots and collaboration platforms
However, these advantages only apply if the system is not compromised by malware and if data is not stolen from the system. The greater the benefits, the greater the risks: A single weak point in the overall ecosystem can nullify the benefits within a very short space of time.
Secure the systems, stay innovative
How should pharmaceutical and medtech companies protect themselves from attacks and external threats? Blockchain, the apparent solution to everything, is often put forward as the answer in the medical device sector as well. It links data together, which guarantees its immutability. However, the origin and authenticity of the data are often not taken into account in the process.
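The gap between immutability and authenticity, as an added example that is not part of the original article: a hash-linked record chain passes its integrity check no matter who built it, and only a tag bound to the device's key exposes a chain of foreign origin. The record fields, keys and function names are constructed for illustration, and HMAC stands in for the digital signature a real device would produce with a private key.

```python
import copy, hashlib, hmac, json

GENESIS = "0" * 64
DEVICE_KEY = b"constructed-device-key"   # assumption: secret provisioned on the real device
OTHER_KEY = b"constructed-unknown-key"   # assumption: key of some other, unknown party

def link_hash(prev_hash, payload):
    """Hash of the previous block's hash plus this block's canonical payload."""
    data = prev_hash + json.dumps(payload, sort_keys=True)
    return hashlib.sha256(data.encode()).hexdigest()

def origin_tag(key, block_hash):
    # HMAC is a stand-in for a digital signature (stdlib has no asymmetric signing).
    return hmac.new(key, block_hash.encode(), hashlib.sha256).hexdigest()

def build_chain(payloads, key):
    chain, prev = [], GENESIS
    for payload in payloads:
        h = link_hash(prev, payload)
        chain.append({"payload": payload, "prev": prev, "hash": h,
                      "tag": origin_tag(key, h)})
        prev = h
    return chain

def links_intact(chain):
    """Immutability check only: every block must hash correctly onto its predecessor."""
    prev = GENESIS
    for block in chain:
        if block["prev"] != prev or block["hash"] != link_hash(prev, block["payload"]):
            return False
        prev = block["hash"]
    return True

def origin_verified(chain, key):
    """Links intact AND every block carries a tag made with the expected device key."""
    return links_intact(chain) and all(
        hmac.compare_digest(origin_tag(key, b["hash"]), b.get("tag", ""))
        for b in chain)

# Constructed sample readings; none of this is real patient data.
genuine = build_chain([{"patient": "P-001", "bpm": 72},
                       {"patient": "P-001", "bpm": 75}], DEVICE_KEY)
forged = build_chain([{"patient": "P-001", "bpm": 72},
                      {"patient": "P-001", "bpm": 40}], OTHER_KEY)
tampered = copy.deepcopy(genuine)
tampered[1]["payload"]["bpm"] = 40       # edited after the fact, hashes left untouched

if __name__ == "__main__":
    for name, chain in (("genuine", genuine), ("forged", forged), ("tampered", tampered)):
        print(name, links_intact(chain), origin_verified(chain, DEVICE_KEY))
```

The linking alone catches the in-place edit, while the chain rebuilt from scratch by another party is rejected only by the origin check.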
Certifications are a second, frequently used solution. Certifications are helpful for safety, i.e. protection against improper use and errors. So far, however, certifications have not helped with security, i.e. protection against malicious manipulation and targeted attacks. One of the main reasons for this is that, in the case of security, it is crucial to respond adequately to changing environments. If, for example, a vulnerability in the underlying operating system or driver becomes known, the system must be patched, i.e. repaired, as quickly as possible.
Broken confidentiality vs. broken humans
Quickly adapting broken systems is especially important in the case of medicine. The theft of personal data, intellectual property, proprietary software or business strategies leads to a breach of trust. The hacking of cars, sensors in nuclear power plants, aircraft cockpits and medical devices, however, leads to human life being endangered.
Cyber resilience strategies for enabling digital control are the key to lasting success for pharmaceutical and medtech companies. These strategies include measures for secure business processes and the use of impenetrable security technology.
For secure business processes, it is important to implement adequate mechanisms for securing data management:
- Backup and restore solutions
- Multi-factor authentication
- Password policies
- Patch and update management
- Establishment of least privileges
- A strategy of minimal disclosure
Security technology includes, above all, modern cryptographic measures such as:
- Anonymisation and pseudonymisation
- Agility and interchangeability of the algorithms used
- Standard data protection (end-to-end encryption, secret sharing, digital signatures, modern hash functions)
- Data protection developed for the specific needs of the company
- Patchability and authentication of patches for all software components
- Innovative cryptographic primitives (homomorphic encryption, garbled circuits, etc.)