Welcome to my blog, which has been designed to keep senior pharmaceutical industry professionals up to date with IT in the pharmaceutical industry. As someone who is passionate about the effective use of IT in pharmaceuticals, I wanted to use this forum to share best practice, discuss common challenges and highlight some of the ways that technology can be used to deliver real commercial value to businesses, as well as addressing key challenges around MHRA / GxP / HIPAA and GDPR compliance.
Tuesday, 20 June 2017
Cyber Security for Pharmaceuticals - Why a Systemized, Relentless Approach is the Key to Success
With data breaches and cyber attacks, such as the recent ransomware attack which crippled parts of the NHS, hitting the news headlines seemingly daily, one of the most frequent questions I get asked by pharmaceutical businesses is how they can manage the ever-increasing risks around cyber security.
Cybercrime is now a widespread issue, with a study published by Osterman Research Inc in August 2016 showing that 72% of UK-based organisations had suffered a security attack in the previous 12 months.
The types of attacks experienced are diverse, ranging from “phishing” attacks, where criminals attempt to obtain access to confidential information or passwords, through to “ransomware” attacks, where criminals hold your data to ransom by encrypting it and demanding money for its decryption. The motivation behind these attacks varies from quick money-making scams through to much more sophisticated corporate and state-level espionage.
Pharmaceuticals and healthcare, unfortunately, are a natural target of these criminals, as they are dealing with so much confidential material, ranging from patient healthcare information, to critical competitive IP. In addition, with healthcare devices now becoming increasingly connected to the Internet, there have already been instances of hacking into such devices, with potentially devastating consequences if the dosage or other vital data is changed.
In the highly regulated pharmaceutical industry, data integrity and data security are critical and, as such, IT security may well come under the spotlight at MHRA inspections. In addition, with the enforcement of GDPR now imminent, bringing with it potentially crippling fines and reputational damage for non-compliance, the stakes have never been higher when it comes to getting cyber security right.
As such, it is critical that cyber security is not just treated as an IT issue, and that there is ongoing Board-level involvement in reviewing the risks and control measures that are in place.
And this is where a structured approach to IT management becomes critical. With many in-house IT Managers understandably being pulled from pillar to post delivering day-to-day support, it is easy to lose sight of the systemised approach and relentless attention to detail that is needed to manage a pharmaceutical business’ risk around cyber security.
There is so much more to cyber security management than technology. Yes, a suite of technological solutions will be part of the solution (and these days that needs to be a lot more than some antivirus software and a firewall), but just as important are your company’s processes and procedures surrounding cyber security. For example:
How promptly do security updates get applied to your servers and PCs? How are they tested to ensure they won’t cause a problem with your systems?
What procedures do you have around leavers and removing their access, including remote access?
How do you separate and secure data that is held on personal devices, such as emails on smartphones?
What policies do you have to prevent data leakage from stolen mobile devices or copies of files made to portable media like USB sticks?
How do your staff know which emails are genuine and safe to open, and more importantly, which they shouldn’t open?
How do your processes and procedures ensure new starters or temporary resources are educated in cyber safety procedures?
How is your system backed up and how long would it take to recover it in the event of something like the recent ransomware attack? How often is it tested to ensure it would be successful? How would your business operate in the interim?
And in the worst case scenario, how would you handle communication of a cyber attack in order to minimise the reputational damage?
To compound matters, cyber crime is a constantly changing landscape, with new threats emerging continuously and a constant need for pharmaceutical companies to re-evaluate and update their risk management plans in order to remain one step ahead of cyber criminals.
In my experience, the key to successful risk management around cyber security is having a highly structured approach, encompassing effective procedures and policies that are constantly reviewed and updated, along with a suite of supporting technologies. Such policies will involve a multifaceted approach, incorporating user training to help people at all levels in the firm understand how to reduce the likelihood of attack, a suite of technological solutions to help guard against threats, day-to-day operating procedures that are rigorously adhered to, as well as contingency plans to fall back on should the worst happen. Such a structured approach towards management of IT systems not only addresses the challenges of cyber security but also brings with it the ability to successfully and safely harness technology to deliver real value to pharma businesses.
In future blogs, I will be exploring in more depth some of the key issues around successful use of IT in pharmaceuticals, including issues around MHRA, GxP and HIPAA compliance. In the meantime, if you are concerned about your business’ vulnerability to cyber security threats, or you have concerns regarding your MHRA/GxP/GDPR compliance position in regard to IT security, please do not hesitate to contact me on 0118 920 9600 or email jstratton@connexion.co.uk, and I will be happy to arrange a no-obligation conference call.
________________________________________________________________________________
Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size Pharmaceuticals, Clinical Research organisations, Biotechnology and Medical Device companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' businesses. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks and maintaining regulatory compliance. For more information about our services for pharmaceutical businesses please visit our website http://www.connexion.co.uk/pharmaceuticals/
