The life sciences and health care (LSHC) industry, a highly connected ecosystem of thousands of participants with wide-ranging IT capabilities, is still in the early stages of closing its cybersecurity gaps, as the WannaCry ransomware attack showed.
Data breaches and other types of modern, large-scale cyberattacks have been making headlines for more than a decade, but recently it seems that organizations in the life sciences and healthcare industry have been taking on more than their fair share. It doesn't just seem that way; according to Verizon's 2017 Data Breach Investigations Report, 15% of the breaches it analyzed hit healthcare organizations.
We don't have to go far back in time for a good example of one of these attacks on a healthcare or pharma organization. According to the Wall Street Journal, on June 27, 2017, Merck, one of the largest pharma companies in the world, and some 2,000 other companies were hit by ransomware called Petya (the outbreak was later identified as the NotPetya variant) that infected employees' computers across 65 countries and left a ransom note demanding a bitcoin payment to decrypt the encrypted files. Weeks later, the pharma giant is still trying to get its infrastructure back on track.
So, before a company like Merck, or any company for that matter, can decide how to prevent the next cyberattack, it must consider why the attack happened in the first place. With that in mind, let's explore a few narratives that help explain how an organization ends up a cyberattack target.
Four Narratives that Could Explain Why
- Managing cyber challenges can be more problematic for hospitals and other healthcare providers, which have traditionally operated with tight margins and, in many cases, are not-for-profits.
- Healthcare and life sciences companies have long been slow to innovate when it comes to digital, and this hasn’t been helped by the fact that technology is not their core business proposition.
- For many organizations, being slow to innovate is not by choice. Some have found it difficult to continually invest in the latest technology, talent and oversight needed to protect against today’s ever-evolving cyberthreats.
- Finally, given how far the June cyberattack on Merck spread across its workforce and locations, it's worth noting that the companies making headlines for data breaches aren't small or even medium-sized. A larger organization has a larger, ever-expanding perimeter to defend.
How to Plan for What’s Next
It's not easy, but it is absolutely worth your time not only to draw up a plan to improve your cybersecurity, but also to plan how you will respond if your company falls victim to a cyberattack. The best way to start is to assume you're already compromised, or will be tomorrow at the latest, and then find a partner who can help you. The sooner you make cybersecurity a priority, the better off you'll be.
Some measures involve making targeted investments to improve core capabilities, especially proactive threat detection, monitoring and response planning. Chief among these are ransomware threat assessments and response planning, which require creating and regularly updating an incident playbook with carefully thought-out roles and responsibilities. More general upgrades to security monitoring capabilities are also being made. Some providers are acquiring threat-hunting capabilities, which use analytics and data mining to look proactively for little-known threats rather than waiting for an alert. At the employee and vendor level, more is being done in staff training, including simulations that teach people to recognize a phishing campaign, and in improving third-party risk management practices. Finally, new technologies and procedures are being put in place for better risk management reporting and crisis event planning at all levels of the organization, including the board, when appropriate.
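To make the threat-hunting point concrete, here is an added example that is not part of the original article or any vendor's product: a small hunt over file-activity telemetry that flags hosts behaving like ransomware (a burst of renames to an unfamiliar extension followed by a ransom-note drop). The log format, host names, extension list, note filenames and thresholds are all assumptions constructed for the example; a real hunt would run the same logic over EDR or file-server audit logs and tune the thresholds to the environment.

```python
"""Ransomware-style behaviour hunt over constructed file-activity events.

Assumed event format (constructed for this example, not a real product's):
    "<ISO-8601 timestamp> <host> <ACTION> <path>"
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RENAME_THRESHOLD = 20            # suspicious renames per window before alerting (assumed)
WINDOW = timedelta(seconds=60)   # sliding window length (assumed)
# Filenames typical of ransom notes and extensions that are routine to rename to (assumed lists).
NOTE_NAMES = {"readme_decrypt.txt", "how_to_decrypt.txt", "restore_files.txt"}
COMMON_EXTS = {".docx", ".xlsx", ".pdf", ".txt", ".csv", ".pptx"}


def build_sample_events():
    """Construct synthetic telemetry for three hosts; this is not real data."""
    t0 = datetime(2017, 6, 27, 9, 0, 0)
    events = []
    # ws-lab-07: 30 renames to '.locked' in 30 s, then a ransom note (ransomware-like).
    for i in range(30):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        events.append(f"{ts} ws-lab-07 RENAME C:\\Data\\patient_{i}.xlsx.locked")
    events.append(f"{(t0 + timedelta(seconds=31)).isoformat()} ws-lab-07 WRITE C:\\Data\\README_DECRYPT.txt")
    # ws-hr-02: five renames over ten minutes to an ordinary extension (normal editing).
    for i in range(5):
        ts = (t0 + timedelta(minutes=2 * i)).isoformat()
        events.append(f"{ts} ws-hr-02 RENAME C:\\HR\\report_{i}_final.docx")
    # bk-srv-01: a hundred writes and no renames (a backup job, also normal).
    for i in range(100):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        events.append(f"{ts} bk-srv-01 WRITE D:\\backup\\chunk_{i}.bak")
    return events


def parse_event(line):
    """Split one event line into (timestamp, host, action, path)."""
    ts, host, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, action, path


def hunt(lines):
    """Return {host: [reasons]} for hosts showing ransomware-like file activity."""
    recent = defaultdict(deque)   # host -> timestamps of suspicious renames inside WINDOW
    findings = defaultdict(list)
    # Fixed-width ISO timestamps sort lexically, so sorting lines orders events in time.
    for line in sorted(lines):
        ts, host, action, path = parse_event(line)
        name = path.rsplit("\\", 1)[-1].lower()
        if action == "WRITE" and name in NOTE_NAMES:
            findings[host].append(f"ransom-note-like file written: {name}")
        if action != "RENAME":
            continue
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in COMMON_EXTS:
            continue  # renaming to an ordinary document type is routine
        window = recent[host]
        window.append(ts)
        while window and ts - window[0] > WINDOW:
            window.popleft()   # drop renames that fell out of the sliding window
        if len(window) == RENAME_THRESHOLD:   # fire once per burst, not on every rename
            findings[host].append(f"{len(window)} renames to '{ext}' within {WINDOW.seconds}s")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in hunt(build_sample_events()).items():
        print(host, "->", "; ".join(reasons))
```

Only ws-lab-07 is reported; the HR workstation's handful of renames and the backup server's write burst stay quiet because the logic keys on rate and on an unfamiliar target extension, not on volume alone. The note-drop check is a second, independent signal, which is what lets an analyst triage the burst as ransomware rather than, say, a bulk archiving script.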
Cybersecurity is an essential part of maintaining the safety, privacy and trust of patients. More money and effort must be invested into ensuring the security of healthcare technologies and patient information. Security must be designed into the product from conception and not be an afterthought. Cybersecurity must become part of the patient care culture.
There will always be what-ifs, but with so many possible entry points for a data breach, it's nearly impossible ever to be 100% secure, especially for a huge company trying to balance growth and revenue with compliance and security.