Data breaches have become too familiar in the medical industry, carrying hefty price tags. Among the sectors falling under the medical umbrella, healthcare and pharmaceuticals have emerged as leaders in incurring the highest average costs associated with data breaches, as highlighted in a “Cost of a Data Breach Report 2023.” Unsurprisingly, the healthcare industry occupies the top spot for costly data breaches, given its wealth of sensitive information, making it a prime target for cyberattacks. However, the pharmaceutical industry’s position at number three may raise some eyebrows.
While cyberattacks on the pharmaceutical industry might not be as well-publicized as those in healthcare, finance, or retail, this sector shares significant similarities with healthcare. Beyond patient data, pharmaceutical networks house vital corporate proprietary information, including drug patent intellectual property, clinical trial results, IoT and OT manufacturing devices, and research subject data. Attacks on this industry could potentially disrupt critical research or even wipe out patient prescription records.
While no data breach is good news, there are indications that the pharmaceutical sector is making strides in cybersecurity. The cost of a pharmaceutical data breach decreased from $5.01 million in fiscal year 2022 to $4.82 million in fiscal year 2023. Moreover, the time taken to detect (189 days) and contain (66 days) breaches is faster than the global average of 204 days for detection and 73 days for containment.
The most common causes of pharmaceutical data breaches include malicious attacks (45%), human errors (28%), and IT failures (27%). Threat actors prefer attack vectors such as phishing, compromised credentials, and cloud misconfigurations. Data storage choices also play a significant role, with on-premises and private cloud deployments experiencing fewer breaches than public clouds. However, organizations employing multi-cloud environments tend to be the least secure, and breaches in such setups are the costliest.
The cost of a data breach is influenced by the number of regulatory compliance requirements a given industry must adhere to. According to the “Cost of a Data Breach” report, 58% of data breach costs in highly regulated industries continue to accrue after the first year. The pharmaceutical industry is notably highly regulated, with the Health Insurance Portability and Accountability Act (HIPAA) being one of its most visible regulations. Surprisingly, a lack of training in HIPAA compliance has been observed among cybersecurity professionals, adding to security risks.
Additionally, new FDA guidelines are in place to ensure cybersecurity in medical devices. Meanwhile, manufacturing processes for devices and drugs must adhere to good manufacturing practices, and the supply chain must follow good distribution practices. Biomanufacturing, falling under the pharmaceutical umbrella, demands adherence to the National Defense Authorization Act. Since many pharmaceutical companies have facilities and offices spanning multiple states and countries, compliance with local ordinances and regulations is imperative. This is just a glimpse of the rules the pharmaceutical industry must navigate. Cybersecurity is gaining prominence across numerous regulatory areas, and failure to meet compliance can lead to license suspensions, felony charges, and substantial fines. These penalties can be enforced in multiple jurisdictions, depending on where and how the regulations were violated.
While artificial intelligence (AI) has become a buzzword across industries, the pharmaceutical sector has already embraced AI in its security tools and automation, with 40% of companies reporting extensive use of this technology. AI proves particularly effective in securing pharmaceutical OT and IoT environments.
While other security practices, such as implementing systems to safeguard hybrid and multi-cloud environments or adopting a DevSecOps approach that embeds security into software and hardware development, are vital components of any cybersecurity program, the pharmaceutical industry is poised to lead in the use of automation and AI. Specifically, the industry is exploring generative AI to enhance data anomaly analysis and identify intruders within its networks.
As data breaches continue to plague the pharmaceutical industry, it is imperative that companies invest in robust cybersecurity measures, navigate complex compliance regulations, and harness the power of cutting-edge technologies like AI to protect sensitive data and maintain the integrity of their operations.
At SpearTip, our IR planning engages a three-phase approach that covers pre-incident, active incident, and post-incident planning processes. In the pre-incident phase, SpearTip identifies key stakeholders and decision-makers, critical data, and potential access points. We then conduct a live test, after which we offer remediation guidance. To support companies' teams during an incident, we assist in developing a communications plan designed to detect and isolate the precise threat with a customized strategy map. The post-incident planning process includes a root cause and investigative audit, improvement analysis, and backup recovery.
SpearTip offers two types of tabletop exercises: Executive and Technical. Executive tabletop exercises are custom-designed to strengthen collaboration among business leaders and promote a common understanding of how leadership teams respond to an incident. Technical tabletop exercises are designed to review current IR policies and procedures by engaging companies' teams in specific scenarios that test their analytical and remediation capabilities in the event of an incident. All tabletops are based on threat actors' most current tactics, techniques, and procedures, as well as perceived gaps in your current IR plan. Following the exercise, we identify key findings, opportunities for improvement, and remediation steps to strengthen your ongoing security posture.
If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.