A Matter of Life & Data
When the stakes are life and death, as they often are in the pharmaceutical industry, every data point counts. The pharmaceutical industry may not face the deluge of data that finance, telecoms or retail do, but the data flowing through a pharmaceutical company’s servers is far more meaningful and sensitive to the people it describes, and in some cases that is all of us. The pharmaceutical industry is, after all, an industry that keeps people healthy and safe. It can even counter pandemics that threaten to overwhelm society and cost millions of lives, as it did when it produced COVID-19 vaccines in record time in 2020.
With research and development (R&D) data, clinical trial data, regulatory and compliance data, manufacturing and supply chain data, commercial and market data, financial and operational data, patient-centric data, competitive intelligence data, as well as a whole host of other types of data, the pharmaceutical industry has long understood its very existence is reliant on — and underpinned by — data. And this data has enormous value, which makes it enticing to hackers and criminal syndicates.
Healthcare Data Breaches Are Second to None
“Privacy – like eating and breathing – is one of life’s basic requirements,” said New York Times best-selling author, Katherine Neville. It’s a sentiment anyone giving his or her personal data to a pharmaceutical company would surely agree with. However, it is a quote the pharmaceutical industry doesn’t seem to be living up to right now.
According to the HIPAA Journal’s article, Healthcare Data Breach Statistics, “There was no letup in cyberattacks on healthcare organizations in 2023, which set two new records – The most reported data breaches and the most breached records. In 2023, 725 data breaches were reported to OCR and across those breaches, more than 133 million records were exposed or impermissibly disclosed.”
Data breaches are a critical risk for pharmaceutical companies because of the sensitivity of the data they hold. A breach can bring legal and financial consequences and can compromise patient safety, for example if trial or manufacturing records are altered rather than merely stolen. Minimizing that risk means robust data management systems, regular security audits, and a governance framework that defines who owns each data set and who may access it. Pharmaceutical companies must prioritize data security to protect patient data and maintain trust.
Cyber attacks: 133M records exposed or impermissibly disclosed. In 2023, 725 data breaches were reported to OCR and across those breaches, more than 133 million records were exposed or impermissibly disclosed.
Healthcare Data Breaches: A Growing Crisis
With the enactment of laws like HIPAA, HITECH and the 21st Century Cures Act, companies have shifted their attitudes towards data security. However, they are still well behind the curve. In his article, IBM: Average Cost of a Healthcare Data Breach Increases to Almost $11 Million, Steve Alder writes that, “Only one-third (33%) of data breaches were detected by the breached entity, with a benign third party such as law enforcement or a security researcher notifying the victim about the breach in 40% of cases, and the attacker notifying the breached entity about the attack in 27% of cases.” When the attacker was the one to inform the victim, the cost was “around $1 million more than breaches that were detected by the victim ($5.23 million vs. $4.3 million),” states Alder, and those breaches took 79 days longer to contain than breaches the victim identified itself. In other words, two-thirds of victims learned of the breach from someone else, and the later the discovery, the higher the bill.
Figure 1: Healthcare data breaches
In his Healthcare Data Breach Statistics, Steve Alder reports, “Between 2009 and 2024, 6,759 healthcare data breaches of 500 or more records were reported to OCR. Those breaches have resulted in the exposure or impermissible disclosure of the protected health information of 846,962,011 individuals.” As Figure 1 shows, reported breaches doubled between 2018 and 2021 and remain far too high, with an average of 758,288 healthcare records breached every single day, warns Alder. These numbers are staggering.
Top Ten Data Breaches
Rank | Year | Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach
1 | 2024 | Change Healthcare, Inc. | MN | Business Associate | 190,000,000 | Hacking/IT Incident
2 | 2015 | Anthem Inc. | IN | Health Plan | 78,800,000 | Hacking/IT Incident
3 | 2023 | Welltok, Inc. | CO | Business Associate | 14,782,887 | Hacking/IT Incident
4 | 2024 | Kaiser Foundation Health Plan, Inc. | CA | Health Plan | 13,400,000 | Unauthorized Access/Disclosure
5 | 2019 | Optum360, LLC | MN | Business Associate | 11,500,000 | Hacking/IT Incident
6 | 2023 | HCA Healthcare | TN | Business Associate | 11,270,000 | Hacking/IT Incident
7 | 2015 | Premera Blue Cross | WA | Health Plan | 11,000,000 | Hacking/IT Incident
8 | 2019 | Laboratory Corporation of America Holdings dba LabCorp | NC | Healthcare Provider | 10,251,784 | Hacking/IT Incident
9 | 2015 | Excellus Health Plan, Inc. | NY | Health Plan | 9,358,891 | Hacking/IT Incident
10 | 2023 | Perry Johnson & Associates, Inc. dba PJ&A | NV | Business Associate | 9,302,588 | Hacking/IT Incident
The pharma sector is particularly exposed because, as Alder explains, healthcare data is more valuable on the black market than other types of data. “This is because it takes longer for healthcare fraud to be discovered and stolen data can be used for longer compared to (for example) a stolen credit card which can be stopped as soon as the breach is discovered,” says Alder. Not only is the data as personal as it gets, it is also, in many cases, immutable: a date of birth, a diagnosis or a genetic profile cannot be reissued the way a credit card number can.
According to Alder, “The most common causes of data breaches were phishing attacks and compromised credentials, with phishing the initial access vector in 16% of data breaches and compromised credentials the vector in 15% of breaches.” As with most other corporate expenditures, costs are passed along to the consumer. “The report revealed 95% of organizations had suffered more than one breach and the costs of these breaches were passed onto consumers by 57% of organizations, with only 51% of organizations increasing security investments following a data breach,” concluded Alder.
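Phishing and compromised credentials, the two leading initial access vectors cited above, both end the same way: a valid account signing in under circumstances that do not fit its owner. The following Python script is an added example, not code from this article or from the HIPAA Journal. It runs two simple detections over constructed authentication log lines in a hypothetical "timestamp user result ip" format; the thresholds, the sample events and the known-IP baseline are assumptions chosen for illustration.

```python
"""Flag compromised-credential patterns in authentication logs.

Added example (not from the original article). Log format, thresholds and
the sample events are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: five failed logins for alice followed by a
# success from the same address, and carol signing in from an address she
# has never used before.
SAMPLE_LOG = """\
2024-03-04T08:00:01Z alice FAIL 203.0.113.7
2024-03-04T08:00:04Z alice FAIL 203.0.113.7
2024-03-04T08:00:08Z alice FAIL 203.0.113.7
2024-03-04T08:00:11Z alice FAIL 203.0.113.7
2024-03-04T08:00:14Z alice FAIL 203.0.113.7
2024-03-04T08:00:19Z alice OK 203.0.113.7
2024-03-04T08:05:00Z bob OK 198.51.100.20
2024-03-04T09:30:00Z bob OK 198.51.100.20
2024-03-04T09:31:00Z carol OK 192.0.2.44
2024-03-04T12:02:00Z carol OK 203.0.113.99
"""

# Constructed 30-day baseline of addresses each user normally signs in from.
BASELINE_IPS = {
    "alice": ["203.0.113.7"],
    "bob": ["198.51.100.20"],
    "carol": ["192.0.2.44"],
}

LINE_RE = re.compile(r"^(\S+) (\S+) (OK|FAIL) (\S+)$")


def parse_events(text):
    """Parse log lines into (timestamp, user, result, ip) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing the pipeline
        ts, user, result, ip = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip))
    events.sort(key=lambda e: e[0])
    return events


def detect_brute_force_success(events, max_fails=5, window=timedelta(minutes=10)):
    """A run of at least max_fails failures for a user, then a success within window."""
    alerts = []
    recent_fails = defaultdict(list)
    for ts, user, result, ip in events:
        fails = recent_fails[user]
        fails[:] = [t for t in fails if ts - t <= window]  # forget old failures
        if result == "FAIL":
            fails.append(ts)
            continue
        if len(fails) >= max_fails:
            alerts.append({"rule": "brute_force_then_success", "user": user, "ip": ip,
                           "failures": len(fails), "at": ts.isoformat()})
        fails.clear()  # any success resets the counter
    return alerts


def detect_new_source_ip(events, baseline):
    """A successful login from an address not in the user's historical baseline."""
    known = {user: set(ips) for user, ips in baseline.items()}
    alerts = []
    for ts, user, result, ip in events:
        if result != "OK" or user not in known:
            continue  # users without history are still building a baseline
        if ip not in known[user]:
            alerts.append({"rule": "new_source_ip", "user": user, "ip": ip,
                           "at": ts.isoformat()})
            known[user].add(ip)  # alert once per new address, not on every login
    return alerts


def run_detections(log_text, baseline):
    """Run both rules over a log and return the combined alert list."""
    events = parse_events(log_text)
    return detect_brute_force_success(events) + detect_new_source_ip(events, baseline)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG, BASELINE_IPS):
        print(alert)
```

On the sample data the script raises two alerts: alice's password-spray-then-success, which is what a credential-stuffing attack looks like from the identity provider's side, and carol's sign-in from an unfamiliar address, which is how a phished credential typically surfaces. Neither rule needs a signature for the attacker's tooling; both need the identity provider's logs to reach a central platform in near real time.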
Cybersecurity Ten-Point Plan
Below is a 10-point cybersecurity plan pharmaceutical companies can use to reduce the likelihood and the impact of a breach:
1. Build a robust cybersecurity framework
Adopt a recognized framework such as the NIST Cybersecurity Framework or ISO/IEC 27001 and map the company’s policies and controls to it. A framework gives auditors and regulators a common reference point, makes gaps visible, and keeps controls consistent across R&D, clinical, manufacturing and commercial systems. It also fosters a culture of security awareness and protects the company’s reputation, but it is the scaffolding the remaining nine points hang on, not a substitute for them.
2. Regular risk assessments
Assess systems and processes on a fixed cadence and after any significant change, such as a new clinical trial platform, an acquisition or a new cloud tenant. The output should be a ranked list of vulnerabilities with owners and remediation dates, so that mitigation is prioritized by impact on patient data and operations rather than by whichever finding surfaced last. Without assessments, organizations are blindsided by preventable threats.
3. Access control and authentication
Limit access to sensitive data to the people and services that need it for their role, and require multi-factor authentication for all remote, administrative and privileged access. Least privilege keeps personal data, financial records and intellectual property out of reach of a stolen password, and it also prevents unauthorized modification or deletion of critical records. Review access rights regularly and revoke them promptly when roles change or staff leave.
4. Data encryption
Encrypt sensitive data both at rest and in transit. At rest, encryption means a stolen disk, backup or database dump is unreadable without the key, which only holds if the keys are stored and managed separately from the data (for example in a hardware security module or a cloud key management service) and access to them is audited. In transit, TLS with current cipher suites and proper certificate validation prevents interception and man-in-the-middle tampering as data moves between sites, partners and cloud services.
5. Incident response plan
Develop, test and regularly update an incident response plan so that a cyberattack is contained quickly. The plan assigns roles and decision authority, sets out containment and recovery steps, and defines how and when to communicate with employees, customers, partners, regulators and the media, reducing confusion and misinformation. Table-top exercises against realistic scenarios, such as ransomware on a manufacturing network or a phished research account, reveal gaps before a real incident does. The IBM figures above, where breaches disclosed by the attacker cost the most and took longest to contain, show why detection and response need to be rehearsed.
6. Employee training and awareness
Provide ongoing security training for all staff, with phishing simulations and hands-on exercises rather than an annual slide deck. Phishing and compromised credentials are the most common initial access vectors, so employees who recognize and report suspicious messages, and who know how to verify unusual requests, reduce both the likelihood and the cost of a breach. Make reporting easy and never penalize a report that turns out to be a false alarm.
7. Regular software updates
Keep operating systems, applications, firmware and third-party components current, and apply security patches on a defined timeline driven by severity and exposure, internet-facing systems first. Maintain an asset inventory so nothing is missed, and plan for laboratory, manufacturing and medical devices that cannot be patched quickly by isolating them on the network. Ignoring updates leaves known vulnerabilities open to attackers who scan for them as soon as they are public.
8. Network segmentation
Divide the network into zones (corporate IT, research, clinical systems, manufacturing and laboratory equipment, partner connections) and control traffic between them with firewalls and identity-based policies. Segmentation limits how far malware or an intruder can spread from one compromised workstation, protects critical systems from weaknesses elsewhere, and gives defenders well-defined choke points to monitor and to isolate during an incident. It also supports compliance requirements that call for separating regulated data from general systems.
9. Monitoring and threat detection
Collect logs from endpoints, identity providers, network devices and cloud services into a central platform and monitor them continuously. Rule-based alerts catch known patterns such as brute-force logins, a user signing in from a new location or privilege escalation, while behavioral baselines can surface activity that matches no known signature, which is the only realistic way to notice exploitation of a zero-day or a patient advanced adversary. Real-time alerting only helps if someone is on duty to act on it, so define escalation paths and on-call coverage as part of the control.
10. Backup and recovery
Maintain regular backups of critical data and systems, keep at least one copy offline or immutable so that ransomware cannot encrypt or delete it, and protect backup credentials as tightly as production ones. A backup that has never been restored is an assumption, not a control: test restores regularly, measure how long they take against the recovery time the business needs, and verify the integrity of restored data before relying on it.
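The integrity check in point 10 is what turns a backup from an assumption into a control. The following Python script is an added example, not code from this article: it builds a signed manifest of a backup set and then verifies the set after a simulated ransomware overwrite. The directory layout, file names and the in-memory HMAC key are constructed for illustration; in production the key is held outside the backup (a KMS or an offline vault), because an attacker who can alter the backup and also reach the key could simply re-sign a tampered manifest.

```python
"""Verify that a backup set still matches the manifest taken when it was made.

Added example (not from the original article). Directory layout, file
contents and the demo key are illustrative assumptions; the key must be
stored outside the backup it protects.
"""
import hashlib
import hmac
import json
import os
import tempfile


def _sha256_file(path):
    """Stream a file through SHA-256 so large backup files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk_relative(root):
    """Yield every file under root as a forward-slash relative path."""
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/")


def build_manifest(root, key):
    """Hash every file under root and sign the listing with an HMAC key."""
    files = {rel: _sha256_file(os.path.join(root, *rel.split("/")))
             for rel in _walk_relative(root)}
    body = json.dumps(files, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"files": files, "hmac": tag}


def verify_manifest(root, manifest, key):
    """Return a list of findings; an empty list means the backup is intact."""
    body = json.dumps(manifest["files"], sort_keys=True, separators=(",", ":"))
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        # Without a valid signature the listing itself may be attacker-supplied.
        return ["manifest signature invalid: listing cannot be trusted"]
    findings = []
    for rel, digest in manifest["files"].items():
        path = os.path.join(root, *rel.split("/"))
        if not os.path.exists(path):
            findings.append(f"missing: {rel}")
        elif _sha256_file(path) != digest:
            findings.append(f"modified: {rel}")
    present = set(_walk_relative(root))
    for rel in sorted(present - set(manifest["files"])):
        findings.append(f"unexpected: {rel}")  # e.g. a dropped ransom note
    return findings


def demo():
    """Constructed scenario: a clean backup, then ransomware-style tampering."""
    key = b"demo-key-kept-outside-the-backup"  # assumption: fetched from a KMS in practice
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "trials"))
        with open(os.path.join(root, "trials", "ct-001.csv"), "w") as f:
            f.write("subject,visit,result\n1001,1,ok\n")
        with open(os.path.join(root, "formulary.json"), "w") as f:
            f.write('{"batch": "A17"}')
        manifest = build_manifest(root, key)
        clean = verify_manifest(root, manifest, key)
        # Simulate ransomware: overwrite a record file and drop a ransom note.
        with open(os.path.join(root, "trials", "ct-001.csv"), "wb") as f:
            f.write(os.urandom(64))
        with open(os.path.join(root, "README_DECRYPT.txt"), "w") as f:
            f.write("pay")
        tampered = verify_manifest(root, manifest, key)
        # An attacker who rebuilds the manifest without the real key is rejected.
        forged = verify_manifest(root, build_manifest(root, b"attacker-key"), key)
    return clean, tampered, forged


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged"), demo()):
        print(label, result)
```

Run this against a restored copy, not the live backup target, so the restore path is exercised at the same time as the integrity check. Because the HMAC covers the whole listing, an attacker who encrypts files and recomputes their hashes still cannot produce a manifest that verifies under the real key, which is the property that makes the manifest worth keeping separately from the data.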
Implementing Effective Data Governance
In her Forbes article, Beyond The Algorithm: Why Data Governance Is Key To Pharma’s AI Future, Tina Chakrabarty writes, “Ensuring robust data governance and addressing biases are crucial for reliable AI, ethical practices and securing patient privacy. With proper data governance, the pharma industry can improve patient-centricity in trials and bring lifesaving therapies to market quickly and safely.”
Clinical trials
Chakrabarty recommends a five-pronged approach: build a robust data ecosystem, automate data pipelines, upskill the workforce, incorporate data privacy and regulatory requirements, and optimize clinical trial supply management. Companies must decide between a centralized and a federated data ecosystem, she says, with the latter more likely to foster innovation. Automating data pipelines means streamlining how data is ingested, cleaned, transformed and prepared. This automation not only accelerates the delivery of high-quality, model-ready data but also reduces human error and operational costs.
Effective data governance is essential for pharmaceutical companies. It underpins compliance, data integrity, patient safety, operational efficiency and risk mitigation, and it touches every part of the organization, including business excellence. It is also how a company navigates the industry’s elaborate regulatory landscape: FDA and EMA guidelines require demonstrable data integrity and quality, and lapses can bring serious legal repercussions and loss of market credibility, to say nothing of the loss of patient trust.
Data governance is critical in the pharmaceutical industry, particularly concerning patient safety and confidentiality. Strict protocols should dictate who can access patient records, how they are accessed, and what security surrounds that information. In practice, governance is what turns policy into controls: encryption standards, access rules and continuous monitoring, each with a named owner and an audit trail. These measures reduce the risk of patient data breaches and support trust, integrity and the ethical handling of data.
Cyber Health
When it is a matter of life and death, as it can be in the pharmaceutical industry, data must be part of the solution, not the problem. Regulatory compliance is vital for preventing financial losses and protecting a pharmaceutical company’s reputation, and data governance is the mechanism that delivers that compliance, protects patient data and sustains the business.
The pharmaceutical industry operates in a high-stakes environment where data is not only a cornerstone of innovation and patient care but also a prime target for cyber threats. While pharmaceutical companies must adhere to strict regulations and standards of every kind, they are often fighting hackers and criminal syndicates who are bound by no such rules.
Despite advances in regulation and security frameworks, the pharmaceutical industry continues to face significant challenges, as the rise in data breaches and their consequences shows. To safeguard patient trust, ensure regulatory compliance and protect critical assets, pharmaceutical companies must adopt comprehensive cybersecurity strategies, invest in data governance frameworks and foster a culture of security awareness. By prioritizing data security and governance, the industry can not only mitigate risk but also strengthen its ability to deliver life-saving therapies and maintain its vital role in global health. Implementing data governance alongside a ten-point cybersecurity plan like the one above will help pharmaceutical companies comply with regulatory standards, protect patient data and avoid costly fines while keeping the most important thing of all: a patient’s trust.