Stepping Away from the Flame
With a wealth of sensitive data under its belt, the pharmaceutical industry is ripe for cyberattacks. With the risk of infiltration ever-present (and growing), how can companies protect themselves?
Maryam Mahdi | Longer Read
When asked to cast his mind back five years, Vishal Salvi, Chief Information Security Officer (CISO) at Infosys, describes a simpler time for the pharmaceutical industry. Though cyberattacks were on the rise in the financial and telecom sectors, they had not yet managed to affect drug manufacturers. Unaware of the severity of these attacks, pharma failed to develop control methods as rigorous or regulated as those of other industries. “Half a decade ago, we lived in the pre-ransomware era. Pharma companies didn’t have to worry about cyberthreats,” Salvi says. “But the internet is a shared information highway. Though pharma was initially unaffected, its exposure to this vast network meant that it would eventually be burned.”
Within a few short years, the flames came closer – and the industry experienced one of its earliest and most significant tastes of cybercrime. The burn came in the form of Merck’s 2017 cyberattack. Racking up damages of over US$1 billion, the company fell prey to the malware NotPetya, allegedly developed by the Russian military hacking group Sandworm. The attack, which pushed the company to decommission 30,000 computers and paralyzed its operations, underscored the seriousness of cybercrime in pharma and highlighted the need for robust infrastructure to protect against future infiltration. “The stark reality is that the industry is woefully insecure. Though the Merck attack wasn’t targeted, it had huge consequences for not only the company, but also the USA’s strategic drug stockpile,” says Charles Fracchia, founder of BioBright and Vice-president of Data at Dotmatics, a scientific data company driving the automation of laboratory workflows.
As Merck pieced its manufacturing capacity back together, it had to rely on the national reserve to supplement its supply of HPV vaccine Gardasil, revealing major points of strain in the country’s biomedical infrastructure. The attack sent shockwaves through the industry – a stark reminder of the power of the digital interface for destabilization.
But the looming threat hasn’t deterred pharma from pressing ahead with its goals of embracing concepts like Industry 4.0 – which by its nature will introduce more technologies to the pharmaceutical sphere. In fact, since the attack, internal and external pressures have prompted pharma companies worldwide to adopt more digital tools to facilitate drug discovery and development. The COVID-19 pandemic has further motivated companies to consider digital technologies’ ability to streamline and optimize practices and manufacturing operations in more recent times. “COVID-19 changed our technology architecture,” Salvi says. “As a result, security controls, which were heavily centralized, have become dispersed. If the pandemic had struck 10 to 15 years ago, we wouldn’t have had the capacity to introduce such systems. But, in many ways, the industry’s evolution over the last few years primed it to transition to using more digital systems at scale.”
Pharma’s newfound agility was demonstrated by the rapid development of the first generation of COVID-19 vaccines, Fracchia explains. “One of the metrics that emerged from the pandemic (and is of great interest to me) is the fact that, in under 600 days, the Moderna vaccine was approved for emergency authorization use – ready to be administered to hundreds of millions of people worldwide. The vaccine has undeniably improved global health security, but this would not have been possible without strong digital workflows and frameworks.”
Though the shift towards digitized practices has benefits in terms of the industry’s ability to respond to change, Fracchia argues that it comes with a need to implement further security measures. “We are now seeing companies led by data and that’s a transformation all must make to keep pace. But with this comes the need to embed security in companies’ operations from day one. Otherwise, they will be building on fragile foundations,” he says.
However, for some companies, introducing cybersecurity systems early on may be a challenge. Many have a well-established presence within the industry and may not have considered the impact of cybercrime on their businesses in their initial launches. Though digital solutions will offer opportunities to modernize and create pertinent interventions for patients, do these companies now have the savvy to avoid the risks posed by digital threats?
Old mindsets, new problems
A major hurdle in implementing robust security systems is the use of legacy resources, equipment, and plants. Many of the manufacturing sites used today were developed well before Industry 4.0 became a pervasive concept, explains Salvi. “Though companies are keen to digitize, overhauling existing systems to cater to Industry 4.0 concepts won’t be easy. It is very difficult to upgrade old systems to accommodate new security frameworks. What’s more, pharma has not historically been at the forefront of the cybersecurity movement.” This, he argues, is the root cause of challenges in deploying and embedding security systems.
“Pharma is getting its wake-up call. Alongside the healthcare industry, it is one of the most targeted sectors by hackers and other bad actors. Though some issues remain, many companies are now looking at how they can invest in cybersecurity that works for their operations,” he adds.
But not all industry players are moving quickly to deploy cybersecurity systems. Even with high-profile examples to learn from, some have yet to adopt any at all. According to Fracchia, these companies face consequences as severe as bankruptcy – both financial and reputational. “It can result in a total loss of trust in products and services. This change in opinion can happen virtually overnight. But, beyond individual losses, it has consequences at the macroeconomic level. Today the USA’s bioeconomy accounts for up to five percent of our GDP and is growing much faster than other sectors. So cyberattacks could stunt the growth of this flourishing sector.”
With risks posed to both profit and reputation, businesses that have been slow to adopt newer systems must quickly develop strategies to mitigate infiltrations and attacks. Salvi believes that this will rely on strong leadership with expert knowledge on cybersecurity-related issues. “Though companies are generally aware of the problem, they can struggle to address it,” he says. “But that’s understandable. Creating comprehensive strategies against such a rapidly evolving problem isn’t easy. It requires more than an investment; companies need active CISOs who can look at the issue holistically and provide operational and tactical action plans for the rest of their businesses to implement.” To date, he adds, this has been unheard-of in the pharmaceutical industry. Strategic hiring at the executive level will therefore be key in creating company-wide solutions.
The top-down strategy
Echoing Salvi’s sentiments, Fracchia believes the first step any company can take is to educate its board members and C-level executives. “Top-level executives just don’t understand the full scope of the issue and this is a limiting factor for the industry,” he says. “A great deal of work needs to be done to improve understanding of the field. Though CISOs are undoubtedly an integral part of any security response, they can’t be viewed as the cyber-janitor – ready to clean up messes when they occur. The whole team must actively engage with the issue so that real lines of defense can be developed.”
But, even with the right education and tools, Salvi questions the willingness of some executives to actively engage with the issue. “How many companies are truly proactive about tackling cybersecurity? And how many are choosing to move slowly because the problem they’re facing is out of their comfort zone?” he asks. “To deal with cybersecurity issues effectively, companies must talk about pain points and actively participate in building an industry-wide understanding of the topic.”
As the industry’s top executives further engage in cybersecurity education, forums for open dialogue will be key in supporting their growth. Salvi outlines that there are many consortia and initiatives – both open-source and monetized – available to help guide companies. He says, “Whether developed by regulators, government or industry, there are many programs that companies can access to build their understanding of the cybersecurity ecosystem.” He cites the NIST cybersecurity framework developed by the US Department of Commerce as an example of the guidance companies can explore. “With online learning modules and case studies available, the platform is an important tool for companies’ continued development and has been used as a cross-sector resource for some time now,” he says.
The recent launch of the Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) is also helping to bring the industry one step closer to improving cybersecurity practices. Working with government, lawmakers, and pharmaceutical stakeholders, the nonprofit organization shares cyberthreat information with its members from industry. “We can only succeed in preventing threats to our bioeconomy if information is dispersed through all industry circles,” says Fracchia, who was recently appointed to the organization’s Board of Directors. “BIO-ISAC aims to detect potential threats and identify areas of vulnerability for pharma and life science companies. Our goal is to help as many people as possible understand that cybercrime is more than just an IT problem; it affects everyone from bench scientists to management. The more people who are sensitized to the issues it causes, the better.”
Looking ahead, pressures beyond education will undoubtedly affect pharma’s interactions with cybersecurity platforms. According to Salvi, companies will have to closely monitor the growing attack surface – the points within networks that are vulnerable to infiltration. “We are rapidly introducing change to our digital platforms. The pace at which it is introduced means that companies are exposing themselves to more risk than ever before,” he says. “The refresh cycle for operating systems, or the rate at which key elements of IT infrastructure are updated, used to be four or five years. Now it is roughly 18 months long. So you can imagine the number of potential risks companies have to manage.”
As the attack surface broadens, companies will undoubtedly need specific guidance from regulators as to how the problem can be managed. Though laws like the EU’s GDPR and the USA’s HIPAA protect patient data, regulators provide less clarity regarding proprietary data owned by pharmaceutical companies. “Globally, there is clearly a lack of concrete regulation on cybersecurity,” says Fracchia. “Without clear legislation or guidance, companies are left to navigate the Wild West of vendor solutions – resulting in companies’ adopting systems that are inherently deficient for managing threats.” To address these areas of uncertainty, BIO-ISAC is working closely with key decision-makers in the regulatory space to introduce a new framework for this type of data. For now, companies will have to wait for clarity.
But, as cybersecurity issues evolve (and the sector continues to grow), hiring and training professionals to deal with regulatory issues, among other challenges, will be essential. Presently, the talent needed to drive the sector’s progression remains a “rare commodity” – in part, Salvi explains, due to the field’s complexity. “It’s difficult to train cybersecurity professionals. The huge number of domains and tools makes it challenging to have all-round expertise in all of them and the current ‘supply’ doesn’t meet the industry’s future demand,” he says. But, like other companies engaged in the cybersecurity sector, Infosys supports the development of future talent. The company has trained over 2,500 graduates in the last three years to help build the professional pipeline. “If we can tap into developing talent, we can help ensure that we have a capable workforce to preempt problems and protect pharma’s most valuable assets.”
To learn more about BIO-ISAC, visit https://www.isac.bio.