Life science companies face increased risk of cyber exposure
Hackers frequently target life sciences companies because of the amount of sensitive data they possess. Vulnerabilities within the industry often include outsourcing of information technology services, limited data storage protection, and inadequate IT policies and procedures. A recent PwC survey revealed that almost 50 percent of pharmaceutical and life science organizations have experienced a security breach in the past year, and that the biggest threats to these two industries are sophisticated attacks such as Advanced Persistent Threats (APTs) and malware exploits.
A company must recognize these vulnerabilities, along with cyber criminals’ motivations, before producing a cybersecurity plan. Review the following questions to help determine where your company may be most susceptible:
- Does your company collect, store, and/or process personally identifiable or other confidential information?
- Is this information safeguarded through policies and procedures, and are your employees trained on these procedures?
- Does your company conduct regular audits of any third-party information security service providers to check that they are following the approved information security procedure?
Cyber exposures can vary amongst life science companies. For example, pre-commercial drug companies whose trials are conducted by a third party do not usually have access to the same level of confidential patient information that a diagnostics company providing analysis of patient samples would. Medical devices are becoming more sophisticated and now include networking capabilities. Numerous health care organizations use these types of devices, increasing the risk of a breach of confidentiality, data theft, and, in turn, business interruption. This alone can be detrimental to a company, without even mentioning HIPAA breaches. HIPAA and patient confidentiality add another level of sophistication to the cyber attacks that can threaten a life science company.
An information security disaster recovery plan should be in place in the event that a breach occurs. Preparation is crucial to anticipating the variety of cyber attacks a life sciences company may be subject to. The impacts evaluated should cover both the company and its customers and vendors, and it is imperative that the plan be reviewed and updated as needed. Once a company understands how destructive a cyber attack can be, it can manage its data more intelligently. Whether the data is the company's intellectual property or individual patient information, determining whether the collected information is necessary to conduct business can mitigate risk by eliminating unneeded data.
About the Author
Mindy Evanter is an Area Senior Vice President at Gallagher WGA with over 25 years of experience, specializing in designing risk management and insurance programs for emerging and cutting-edge clients. Ms. Evanter works closely with life science and technology companies to mitigate their complex risk needs.