Privileged access management operates as a much-needed step to secure pharmaceutical organisations in the age of the mass data breach, says CyberArk’s David Higgins.
When it comes to cybersecurity practices, the pharmaceutical industry is notoriously difficult to safeguard. From the increasingly collaborative working practices that sit at the heart of the drug development process, right up to the sensitive nature of much of the data managed, the opportunities for hackers to get hold of data are seemingly endless. Controlling the flow of authorisation via privileged access management is quickly becoming a priority for the production line.
Our latest report, the annual CyberArk Global Advanced Threat Landscape Report,[1] found that 42% of security professionals around the world admitted that the biggest cyber-threat facing them was unsecured privileged accounts. On top of this, research conducted by the UK government has revealed that firms operating in the pharmaceutical sector are often the primary targets of cybercriminals and hackers across the globe due to their wealth of intellectual property (IP) and patient data.[2] Indeed, pharma companies are particularly prone to falling victim to IP theft and identity theft, especially as much of the health data they work with has to be packaged up in different ways for different countries.
This is not surprising – data flows are extensive in the pharmaceutical sector, particularly when it comes to drug development. For instance, according to the well-known provider of biopharmaceutical services PAREXEL,[3] the amount of information collected and used in regulatory submission for 400 trials is about 160 terabytes.[4] This is without mentioning the fact that this data, both structured and unstructured, is spread across several places. Not only do companies have to monitor who has access to the apps the structured data sits on, they also have to consider how to protect their unstructured data, which is made all the more difficult by the fact that scientists have very strong ties with education and collaboration, opening up data to more threats.
This creates an industry-sized problem, forcing pharma companies to consider what their critical assets are and how they manage them. This implies awareness of tech and security considerations but also, due to the unique nature of the pharmaceutical industry, process understanding and business awareness. How can companies deliver the drive forward and agility needed to control such considerable amounts of data, while securing the data that already exists on legacy environments?
The added threat of mergers and acquisitions
Another obstacle to data protection in the pharmaceutical industry is that it plays host to more merger and acquisition (M&A) activity than any other sector – as evidenced by the beginning of last year, which saw almost $30bn-worth (~€26bn-worth) of acquisitions at the start of the quarter alone.[5]
With each takeover being somewhat synonymous with the parent company absorbing large volumes of data, access routes, rights and permissions will all shift in the process. These numerous deals bring with them various changes in collaboration techniques with educational bodies. It is vital to ensure the integrity and protection of data from the very centre of operations by defining privileged access and always going down the path of highest security.
Automation as a solution
This deluge of data requires an automated approach in order to extract meaningful insights and unusual patterns.
Recent years have witnessed the rapid growth of drug development practices incorporating machine learning (ML) and artificial intelligence (AI). If funding levels in growing start-ups serve as a litmus test for market confidence, then one need look no further than UK-founded pharmaceutical company Benevolent AI, which last year closed a round valuing it at $2bn.[6]
As the trend for new AI- and ML-enabled tools and efficiencies continues to rise, it’s critical to note how these additions impact data from a security perspective. The more these systems become embedded in production methods, the more points of access will inevitably be opened. This is expected to give rise to a new branch of highly valuable data that’s potentially vulnerable to being transferred out of the business, either by error or due to malevolent intent.
The insider risk
However, even with this much sought-after data to protect, many of the risks faced originate from within companies themselves. A massive 77% of attacks waged on businesses employ file-less techniques in their data capture efforts.[7] For instance, rather than launching a widespread phishing attack on a swathe of targets, companies are more likely to fall prey to attacks that seek to exploit the vulnerabilities already present in their infrastructure.
Given the market landscape, encapsulating clinical research organisations (CROs) supporting drug manufacturers – who in turn are powered by data research facilities, project management teams and various testing and trials departments – risk can be somewhat difficult to mitigate. As a result, threats become nigh on impossible to keep at bay and IP theft perpetrated by company insiders considerably tough to quantify.
Looking ahead for data protection
Privileged access management operates as a much-needed step to secure pharmaceutical organisations in the age of the mass data breach. With the right privileged access security steps set in place, the ability to escalate privileges and, in turn, access confidential information such as patient records will be mitigated. Too much is at stake if proper cyber-hygiene is not woven into an organisation’s digital transformation.
Please note, this article will appear in issue 9 of Health Europa Quarterly, which will be available to read in April 2019.