HRI spoke with PwC partner Nalneesh Gaur and principals Robbie Higgins and Dean Spitzer about the cybersecurity issues that pharmaceutical and life sciences companies are dealing with amid the COVID-19 pandemic.
HRI: Amid the pandemic, we see cybersecurity threats directed at pharmaceutical and life sciences companies. Why are they under these attacks now, and are they more vulnerable?
There is awareness that many organizations are more vulnerable now, because of two primary factors. First, they were forced into a remote work situation. They had the capabilities to work remotely, but none ever envisaged close to 100% of their workforce working remotely. Second, they didn’t think this remote workforce situation would last as long as it has. It’s also possible that not everyone will return to the office and a higher percentage of the workforce will end up working remotely full time.
There are two things: hacking for a vaccine or a cure and then hacking as usual. First, there are hundreds of companies developing a therapeutic or vaccine, and these adversaries, which can include nation-states and/or competitors, are after the associated IP.
Second, there are ever-present cybersecurity threats that haven’t gone away, including opportunistic threats to go after IP for non-COVID assets. Only now, everyone is working from home where security can be lax.
In both cases, hackers are using similar age-old methods such as phishing and the like.
HRI: Some pharmaceutical and life sciences companies participating in the COVID-19 effort are small and, in some cases, new. Are they more vulnerable?
Robbie Higgins: It’s case-by-case. They benefit by being smaller because they’re not always as visible. However, all companies that are involved in responding to COVID-19 are gaining significant awareness and visibility broadly within the marketplace. Additionally, smaller organizations don’t always have the same cybersecurity capabilities (resources and technology) that larger enterprises have in place, making them more vulnerable.
Nalneesh Gaur: Where they might lack in sophistication, they make up for in agility. With a larger company, any new security angle you implement takes longer to permeate. A small company with a handful of platforms, fewer employees and likely a smaller set of vendors can move much faster. For a lot of these companies that are newer, they may have better technologies in place such as using the cloud, giving them access to security capabilities that larger companies may not have.
Robbie Higgins: The challenge they face is pace and ensuring that controls are in place. If it’s a planned migration to virtual trials, they can step through everything including the necessary controls prior to launch. What’s happening now is that organizations are under a lot of pressure to say, “How do we quickly pivot to virtual and what are the basic things we need to put in place?” It requires stakeholder presence and leadership awareness on the cybersecurity side. If that’s not there, it gets missed or may not be as prevalent as it should be.
Nalneesh Gaur: Their business has been disrupted: Trials are being reconfigured, they’re doing commercial territory management virtually, and manufacturing has been disrupted. In between that, they’re looking to digital to solve some of the problems. At the same time, hackers are not stopping. In the middle of business disruptions, companies that take time to look at their digital security to manage hackers and secure the platform will get ahead.
HRI: The medical supply chain has been disrupted from the outset. As manufacturers consider which functions can remain remote while buttressing the supply chain, what are the cybersecurity challenges?
Nalneesh Gaur: Businesses are concerned about keeping employees safe from COVID-19 to avoid an infection from shutting down the facility. But manufacturing plants are already running on often outdated technology. If they try to then take measures to enable these processes remotely, you are opening the business up to new forms of attack because they are highly vulnerable.
Many companies rushed to create a secure work-from-home blueprint. It got deployed in a hurry. In a manufacturing environment, now is probably a good time to think about what your secure blueprint for manufacturing and technology is.
HRI: Beyond manufacturing, we’re in a transitionary phase as companies consider return-to-work plans. How should pharmaceutical and life sciences companies be thinking about cybersecurity in this phase?
Robbie Higgins: Depending on the controls that were or were not in place, it raises the question, do they end up bringing back a higher number of cyber-infections? Traditionally, much of the security patching done at companies was dependent on employees being directly connected to the network. But working remotely, many employees can get email updates without being connected to the network or having the VPN connected. I suspect that a certain portion may come back not knowing they have a cyber virus that could spread from a single laptop to the broader enterprise environment.
One of the metrics to look at is how often they patched and the success rate during the time their workforce was remote. If that’s down even 10% or 15%, they may want to consider additional controls to ensure that they’re not infected as employees return.
Nalneesh Gaur: Also, companies are rethinking their working locales, setting up satellite offices rather than large corporate locations. Here it becomes a question of how you set up secure satellite work environments that are secure over a much more spread-out work area.
HRI: Pharmaceutical and life sciences companies rely heavily on third parties. What are the cybersecurity implications of that, and have they changed amid the pandemic?
Nalneesh Gaur: Third-party risk is among the top three risks viewed by boards of pharmaceutical and life sciences companies. You should look at what access third parties have to the company’s “crown jewels,” or most valuable data assets. Also, look at how a third party accesses and handles that information to make sure that at the inception of and throughout the relationship, they are taking responsible measures to ensure security.
It is a chain reaction. In many cases a pharmaceutical and life sciences company has a third party that has its own third party. If you’re at level 7 in that chain and 6 gets to 5 and so on, everyone is infected in the process. The pharmaceutical and life sciences company should consider what controls it wants in place to protect itself all the way down.
The use of third parties to provide services that require access to highly sensitive types of data continues to increase, and with that, the risk also increases. Amid the pandemic, we have seen a heavier focus on resiliency and availability of those service providers. Protection of that sensitive data continues to be the main focus, especially given that any new third party that is utilized creates a potentially new threat vector.