All the sessions from Transform 2021 are available on-demand now. Watch now.
Pharma cybersecurity, like other segments, faces new challenges as remote work takes over and proliferating security endpoints become more vulnerable. But as SARS-CoV-2 vaccine supply chain attacks show, the threats to pharma are particularly insidious.
Evidence shows pharma manufacturers’ cybersecurity systems aren’t keeping up with the increased workloads put on their supply chains, distribution networks, and development partners, a situation that puts valuable patient, supply chain, and pricing data at risk.
The pharma industry’s reliance on intellectual property and patents defining new vaccines, proprietary shipment data that exposes supply chain operations, and real-time patient data in the form of protected health information (PHI) makes the sector a prime target for all forms of cybercrime. PHI records are best sellers on the Dark Web because they provide a wealth of data that is not easily traceable. They also provide bad actors with the information they need to defraud medical providers, financial institutions, and patients themselves by stealing identities.
Unfortunately, the same collaboration, information, and knowledge sharing that led to the speedy development and production of COVID-19 vaccines is attracting a record number of cyberattacks, ranging from endpoint intrusion attempts to ransomware.
The usual suspects are at work, along with some unusual ones. Bad actors attempt to steal personal health data 66% of the time, followed by medical business data (55%) and credentials data (32%), according to the 2021 Verizon DBIR Report. The price is high. According to Comparitech’s analysis, ransomware attacks on U.S. health care organizations cost $20.8 billion in 2020. And the ramifications are many. Merck experienced one of the most costly ransomware attacks in history when bad actors launched the NotPetya attack. The attack disrupted vaccine production and infected more than 30,000 laptop and desktop computers and 7,500 servers, leading to a $1.3-billion insurance claim.
Pharma manufacturers now push digital transformation to gain end-to-end visibility across their production centers and supply chains and to meet customer delivery dates. But breach attempts, including an alarming rise in ransomware attacks, are happening because pharma manufacturers don’t design security into digital transformation plans from the start.
Meanwhile, many digital transformation projects include internet of things (IoT) technology as an enabler — placing pharma directly in the crosshairs of new, cutting-edge cyberthreats. Clearly, it is time for the pharma industry to look beyond security as a bolt-on and realize it is core to growth plans today and in the future.
In short, the pharma industry is under attack across multiple threat vectors and needs to urgently augment its approach to cybersecurity. Endpoints are often overloaded, making them less secure. Multicloud configurations have gaps that need to be closed using a more consistent approach to identity access management (IAM) that spans multiple public cloud platforms. And zero trust security frameworks need to become the new standard to enforce least privileged access to accounts and resources.
How to improve pharma cybersecurity
Digital transformation initiatives in pharma today focus on platforms and agile app development. As a result, cloud-based DevOps methods are gaining adoption. Pharma DevOps teams need to center on security in every phase of the system development lifecycle (SDLC) if their code, apps, and platforms are to stay secure.
Security can’t be relegated to the last step in the development cycle anymore; the risks are too significant and the threats too sophisticated. Pharma manufacturers also need to take steps to improve their cybersecurity hygiene across the company.
1. Pharma DevOps teams running on public cloud platforms, including Amazon Web Services (AWS), need to improve cross-platform password vaulting to reduce privileged access credential theft risk. Bad actors are becoming more skilled at exploiting gaps in cloud platform’s varying approaches at password vaulting (if they use any at all) and IAM. The majority of pharma DevOps teams are creating apps on multicloud platforms, further increasing the risk. Breaches happen because the gap between public cloud platforms’ different approaches to password vaulting, IAM, and privileged access management (PAM) aren’t consistent or integrated. Choosing the right tools can be daunting. Leading vendors offering PAM include CyberArk, ThyocoticCentrify, and ManageEngine.
2. Check each endpoint’s configuration to see if it is overloaded with software agents — causing conflicts that leave the endpoint unsecured — and correct the standard endpoint software image across the network, as needed. It’s common to see endpoint devices’ software configurations significantly overbuilt with multiple endpoint software clients for the same task. Absolute Software explained the ramifications in a recent survey that shows endpoint security is a double-edged sword and protected systems can still be breached. A key implication of the survey is that companies need to identify how their standard endpoint software images should be updated and streamlined to make each endpoint more secure. Absolute Software is helping health care and pharma companies improve their endpoint security across networks.
3. All hybrid multicloud platforms used in DevOps, manufacturing, supply chain management, R&D, quality management, and sales need to have root-level multi-factor authentication (MFA), and IAM. Unfortunately, hybrid multicloud configurations are fraught with data risk. In fact, 50% of organizations will unknowingly misconfigure hybrid multicloud platforms, mistakenly exposing some applications, network segments, storage, and APIs directly to the public, up from 25% in 2018, according to research firm Gartner. By 2023, nearly all (99%) cloud security failures will be tracked back to manual controls not being set correctly. Bad actors are looking to make the most of the opportunities misconfigured multicloud configurations provide. Privileged access credentials are a primary target, making a unified IAM across multicloud environments critical. Every organization needs to think of MFA as table stakes for getting basic cybersecurity hygiene right. The long-term plan needs to concentrate on implementing a zero trust framework that enforces least-privileged access and applies microsegmentation across all on-premise applications and cloud instances. Leading MFA providers include Microsoft, Duo Security, Okta, Ping Identity, and Symantec.
4. Adopt a zero trust security framework, starting with endpoints across DevOps, clinical trial partners and networks, manufacturing centers, and health care provider partners to reduce the risk of a breach. Pharma manufacturers need to migrate from legacy server operating systems that rely on trusted and untrusted domain configurations and instead adopt zero trust frameworks now. The industry needs to enforce least-privileged access across every user and system and cloud administrator account, endpoint, and system access account. Zero Trust is a framework that enables any organization to take a “never trust, always verify, enforce least privilege” strategy when it comes to its hybrid and multicloud strategies. Configuring user accounts with just enough privileges to gain access to resources needed and providing least-privileged access for a specific time is essential. Absolute Software’s acquisition of NetMotion reflects how zero trust frameworks are becoming a leading priority across organizations today and strengthens Absolute’s competitive position in the zero trust and zero trust network access (ZTNA) markets with a unique endpoint-led offering. Meanwhile, Ivanti Neurons for Zero Trust Access shows the potential to help pharma manufacturers mature their adoption of the zero trust framework. Ivanti has a successful track record scaling cloud services and helping organizations improve business agility while delivering intuitive, secure user experiences. Ericom Software’s ZTEdge Zero Trust Security platform is purpose-built for the needs of small and mid-sized enterprises, designed for deployment by managed security service providers (MSSPs). Pharma manufacturers with multicloud configurations need to consider using AWS CloudTrail and Amazon CloudWatch services that monitor all API activity.
5. IT and security teams need real-time visibility into each endpoints’ current configuration, history of breach attempts, and the option of disabling the device anywhere, anytime. The most vulnerable threat vector of any pharma network is the endpoints. What’s needed is a unified endpoint security (UES) platform that can rapidly process large amounts of data to detect previously unknown threats and stop cyberattacks from capturing IP, shipment data, valuable logistics information, and PHI. Endpoints that provide real-time visibility and control successfully combine IT Asset Management and proven endpoint resilience and persistence. The current generation of endpoints claims to be self-healing. For an in-depth assessment of which ones are, please see Tackling the endpoint security hype: Can endpoints self-heal? Leaders in self-healing endpoints include Absolute Software, Ivanti, and Microsoft.
6. Get into a cadence of doing security audits across all systems and endpoints, with random audits of critical suppliers and health care partners. The data gained from audits helps identify systemwide strengths to expand on and weaknesses that need to be addressed. The long-term goal is to use audits to define a unified security model that can adapt quickly to the changing market and competitive conditions every pharma manufacturer faces.
These six recommendations are meant as a starting point for an industry that’s seeing record levels of endpoint and ransomware attacks. Attacks on the SARS-CoV-2 vaccine supply chains show how urgent it is for pharma manufacturers to define unified endpoint management (UEM) standards for their suppliers. Steps to counter pharma cybersecurity threats and shield these vital systems are overdue and must be accelerated.
VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative technology and transact.
Our site delivers essential information on data technologies and strategies to guide you as you lead your organizations. We invite you to become a member of our community, to access:
- up-to-date information on the subjects of interest to you
- our newsletters
- gated thought-leader content and discounted access to our prized events, such as Transform 2021: Learn More
- networking features, and more