Pharmaceutical Companies Face Cybersecurity Challenges While Navigating Digital Transformation
Updated: Feb 28, 2019
Pharmaceutical executives are used to thinking of their products as drugs or medicines—molecular compounds used to treat or cure diseases, to aid in diagnosing them, to prevent their occurrence, or to lessen their severity. Today’s consumers (and insurers) are increasingly demanding results instead of medications, however.
This shift to outcome-based medicine has been enabled by digital transformation. With the rise of social media and other digital channels to communicate health information, and in the face of growing pressure to contain costs, consumers and insurers alike are insisting that drug companies prove and publicize the safety and efficacy of their products.
Industry leaders are beginning to recognize opportunity within this imperative: adopting “digital first” approaches can not only improve pharmaceutical marketing and communications, but also enable companies to diversify their revenue streams by offering new services and digital solutions to complement their traditional products. Moving “beyond the pill” in this way can potentially improve clinical outcomes for patients as well as profitability for pharmaceutical companies.
Pharmaceutical Companies Struggle to Keep Pace with Digital Transformation
But making this shift requires a quantum leap, not a minor adjustment. And the industry has struggled to keep pace with change. A 2016 McKinsey & Co. report, for instance, identified pharmaceutical companies as having fallen “dramatically… behind the curve” when compared with those in other industries in terms of digital maturity. Capgeminicalled the pharmaceutical industry a “digital beginner,” ranking it last, behind nine other industries, when assessing investments in technology and digital leadership initiatives.
These are multiple reasons for this lag’s existence. First of all, the pharmaceutical industry tends to be conservative because barriers to entry are steep, keeping out startups and innovative smaller businesses that lack extensive funding. The cost to develop a new drug tops $2.6 billion and takes more than ten years. Only established companies can afford these sorts of research and development expenditures, but these larger organizations tend to be hobbled by legacy infrastructures that cannot be easily adapted as technologies change.
The pharmaceutical industry is also less adaptable because it is so heavily regulated. Before a company can bring a new drug to market, it must obtain FDA approval, a process that is lengthy, time-consuming, and fraught with uncertainty. Even if a drug finds success in clinical trials and is finally approved, it can be years until the initial investment in R&D is recovered. Thus companies often spend a great deal on marketing their existing product line and fiercely defending the patents they hold. With these fiscal priorities already established, it can be difficult for decision-makers to make digital transformation a budget priority, or to understand which digital initiatives can contribute most to future success.
Finally, pharmaceutical companies are inclined towards caution because consumers of their products are risk-averse. No one wants to take a drug whose side-effects aren’t well understood. And patients are more likely to perceive benefit from taking a drug they believe will heal them (the placebo effect) than a drug of uncertain efficacy. Consumer trust is one of the most valuable assets an established brand in the pharmaceutical industry can possess, and decision-makers may unconsciously resist change in order to retain it.
Cybersecurity Also a Major Industry Challenge
When it comes to cybersecurity, resisting change can dramatically increase risk. And just as pharmaceutical companies have lagged behind other industries when it comes to digital maturity, the industry has also been slow to adopt cutting-edge security practices and technologies.
For industry leaders and smaller pharmaceutical companies alike, the consequences of this unpreparedness can be severe. When Merck fell victim to the NotPetya strain of ransomware in June of 2017, forcing production to a halt, the company incurred more than $300 million in lost sales and repair costs in the first quarter after the attack. Smaller companies, may of which don’t have cybersecurity insurance—as Merck did—and which lack the resources to cover recovery costs, are less likely to survive such an attack.
Precious Intellectual Property
Pharmaceutical companies—both established industry players and smaller companies alike—hold their most valuable assets in digital databases in the form of intellectual property. This IP comprises formulas to create molecules with the power to heal and cure, to reduce suffering, and to earn billions of dollars in profits. But the nature and value of pharmaceutical IP is widely known, making companies uniquely vulnerable to highly advanced and dangerous threats.
In fact, nation-state level actors have already identified the pharmaceutical industry as a prime target. Well-organized and well-funded, these operatives employ penetration techniques that range from sophisticated zero-day exploits to more mundane—but highly effective—phishing attacks. Companies that have fallen victim to such threats include Boston Scientific, Abbott Laboratories and Pfizer. The US Food & Drug Administration was also targeted, and highly sensitive data (including drug formulas and clinical trial results) was exposed in a breach.
Insider Threat Risks
For the same reasons that they’re an attractive target for nation-state actors, pharmaceutical companies are particularly likely to fall prey to insider threats. Because the potential payoffs for IP theft are so great, unscrupulous employees may be tempted to abuse their access privileges for personal gain. Companies may even be tricked into hiring cyberespionage agents who’ve disguised themselves as skilled workers.
Taking the Safe Path to the Digital Future
It is already exceptionally challenging to defend your organization’s IT infrastructure against the world’s most sophisticated threat actors. And as consumer demand for digital health solutions continues to grow, the scope of the challenge will only increase. Smaller organizations can avail themselves of the kinds of top-tier security resources otherwise available only to major enterprises by partnering with a managed detection and response provider with expertise protecting data with advanced contextual analytics and active system-level surveillance.
When facing threats at this level, it’s nearly impossible to prevent all intrusions before they occur. But deploying a comprehensive security platform can dramatically decrease the time it takes to detect and remediate threats, and this can make all the difference when it comes to stopping the acquisition and exfiltration of your most valuable data. Contact Netswitch today to learn more about what sets the Securli Platform apart.