Cyber Attacks in the Lifesciences sector

A recent SCRIP Intelligence article served as a timely reminder of the threat facing the Lifesciences sector from cyber attacks. SCRIP reported that hackers had gained access to the emails of more than 100 publicly traded companies and advisory firms. 68% of the publicly traded companies were healthcare and pharmaceutical companies, and of the advisory firms affected, 50% were advising in the biotechnology industry. FireEye, the US network security company that investigated the intrusions, believes their objective was to obtain inside information about the companies' forthcoming market announcements, including clinical trial results, ahead of publication.

These hacks were followed by one of the biggest data breaches in history, when Anthem, Inc., a large US health insurance company, was hacked in February 2015. Personal data, names, medical IDs and employment information of nearly 80 million individuals were apparently stolen. A data breach at Premera Blue Cross, another health insurance company, resulted in the compromise of the personal data of 11 million individuals.

There are very serious legal, financial, regulatory and reputational issues associated with such attacks. The UK Information Commissioner’s Office (ICO) released a statement warning that the goal of sharing patient data across the National Health Service (NHS), by making patient data available digitally and online, puts the NHS at greater risk from cyber hackers. The Lifesciences sector remains a main target for cyber hackers.

What is Cyber?

A “cyber” attack is one which compromises (or seeks to compromise) the confidentiality, integrity or availability of data, systems and related assets. These three properties are the ones used to define information security in standards such as ISO/IEC 27002, the code of practice for information security controls published by the International Organization for Standardization and the International Electrotechnical Commission.

The two key aspects of cyber liability are set out in the accompanying table.

Why is the Lifesciences sector being targeted?

Cyber hacking is an issue that the Lifesciences sector has had to deal with for several years. In 2011, the UK Government published a report into the cost of cyber crime. It was estimated that out of the £9.2 billion cost of intellectual property cyber theft in the UK, £1.8 billion was attributable to theft of pharmaceutical, biotechnology and healthcare intellectual property.

Commentators have noted that the recent increase in M&A and collaboration activity within the Lifesciences sector will lead to further diversity and innovation within the industry, and therefore to the creation of new, valuable intellectual property and price-sensitive insider information. Holding this information, together with vast quantities of patient, employee and sensitive market data, makes Lifesciences companies prime targets for cyber attacks.

Lifesciences organisations are rich in data, and recent regulatory requirements, such as the European Medicines Agency's adoption of the Identification of Medicinal Products (IDMP) standards and the US Food and Drug Administration's Global Unique Device Identification Database (GUDID), oblige them to maintain accurate product data. The combination is resulting in Lifesciences companies investing significantly in secure document storage in order to protect that data and keep it accurate.

What should Lifesciences organisations do?

Preparing for a cyber attack requires a combination of environmental/physical, technical and human workstreams. This covers a broad range of activity, from access restrictions, firewalls and penetration testing to staff training.

In order to mitigate the risk of a cyber attack, Lifesciences companies should consider:

  • analysing their existing security processes;
  • training their staff to recognise and avoid potential data breaches;
  • implementing technical measures to strengthen their defences against cyber attacks;
  • actively monitoring and managing their security systems to keep them up to date with recognised security standards;
  • identifying a disaster recovery/cyber crash team (internal and/or external); and
  • taking out cyber insurance.

Lifesciences organisations that, in the course of their business, provide or support health, public health or adult social care services in England will also be expected to adhere to certain information governance standards. In order to confirm compliance with those standards, the organisation is required to conduct an annual information governance assessment using the Information Governance Toolkit managed by the Health and Social Care Information Centre.