Executive Summary
Corporate data security is big business. Unfortunately, cybercrime is a much bigger one. Cybersecurity Ventures estimates that cybercrime will cost the world $6 trillion a year by 2021: the largest transfer of wealth in history, forty times the annual damage caused by natural disasters, and more than the combined global trade of all major illegal drugs. Living in a digital world means information can be analyzed and understood better than ever before. But it also means information is weightless, locationless, and even more exposed than it was in the pre-digital age. Just as there are no unbreakable safes or impenetrable locks, there are no foolproof firewalls or perfect passwords. And, in any age, humans are humans, and can be bribed, blackmailed or tempted. A variety of illegal activities falls under the umbrella term of cybercrime, including:
- Espionage: in which confidential information is stolen from one organization for the gain of another
- Ransomware: malicious software introduced to a system in order to hold it hostage until a payment is made
- Malware: any program or file designed to harm the system on which it runs; ransomware is one kind of malware
- Phishing: sending emails that purport to be from a different organization in order to trick users into sharing confidential information such as their passwords
- Hacking: gaining unauthorized access to, or deliberately disrupting, a system or network. A common example is the distributed denial of service (DDoS) attack, in which a server or network is flooded with an overwhelming volume of traffic so that it slows or goes offline.
In biopharma, we’re stuck between a rock and a hard place. On the one hand, our industry is more vulnerable than many others when it comes to cybercrime, owing to a combination of outdated technology in places and the knowledge among attackers that our information is potentially extremely valuable. On the other hand, our concern is perhaps greater than any other industry’s: keeping our information safe can be a literally life-and-death matter. Simple, everyday actions and awareness, as described here, can help a marketer keep brand, company and patient information safe. Cybercrime can come from “outside the house” (efforts by organizations or individuals apart from the company) or from “inside the house” (actions by a company’s own employees), and both require awareness, vigilance and action.
Background
According to HIPAA Journal, 2019 saw more than 600 ransomware attacks on academia, healthcare and government institutions, and two of the affected healthcare practices shut down as a result.
Attacks are increasing, and so is the average impact of an incident on the victim company. Cybercrime against biopharmaceutical companies in particular has increased, putting ours among the most targeted industries. And employees in marketing and PR are among those most likely to be targeted by phishing and emailed malware.
The last few years have shown us exactly how large an impact a cyberattack can have on our industry. In June 2017, pharma giant Merck was hit by NotPetya, destructive malware disguised as ransomware that the U.S. and U.K. governments later attributed to Russia’s military intelligence agency.
The NotPetya attack, which the White House called “the most destructive and costly cyberattack in history,” also affected other companies in Europe, Russia, India and the United States (and set off a still-unresolved global debate about whether such events count as acts of war).
“The era of cyberweapons is forcing companies to defend themselves against a scale of threat that, in the conventional world, would have merited government help. With the insurance companies working to protect themselves against cyber risk, and because there’s only so much that governments can do, companies such as Merck have no choice but to build their own defenses to manage risk.” — David Voreacos, Katherine Chiglinsky, Riley Griffin, Bloomberg Markets
At Merck, more than 30,000 computers and 7,500 servers were down for weeks after the NotPetya attack, and some lost decades of data. Merck put its total losses from the attack at $1.3 billion. In the same year, the WannaCry ransomware began attacking organizations, and it has continued to spread for years: in the first half of 2019, 40% of healthcare organizations had been hit by it.
Against this backdrop, the Health Care Industry Cybersecurity Task Force convened by the U.S. Department of Health and Human Services declared in its 2017 report that “healthcare cybersecurity is in critical condition.”
Many believe that healthcare is at greater risk from cybercrime than other industries for a variety of reasons, including:
- Its infrastructure may be more outdated and less secure.
- Healthcare organizations may be targeted more often, perhaps twice as often, as organizations in other industries.
- While healthcare breaches can usually be detected more quickly than those in other industries, they can still take nearly two months to be found, according to a 2018 IBM survey.
- Our problems take far longer to solve — up to 15 times longer, according to the IBM survey.
Note: These statistics include all kinds of healthcare organizations, of course, including hospitals and HCP practices, but it’s important to consider these in addition to biopharma corporations, since we are all concerned with protecting data about our patients, their treatments, and our research.
“Pharma has a treasure trove of intellectual property while hospitals have patient data that they are putting at risk. Healthcare surprised us because it was not what we were expecting. When it performed poorer than retail we thought, watch out, because of all we’ve seen in retail.” — Stephen Boyer, CTO, Bitsight
Culturally, we’ve erroneously turned the idea of “hacking” into one of two things. Sometimes “hacking” is the verb we use for logging into a friend’s account, a minimization that can lull us into thinking of hacking as relatively innocuous. Alternatively, we picture “hacking” as the work of black-clad baddies tapping away in dark rooms surrounded by dozens of giant screens, a staple of thriller movies as unrealistic as their car chases and stunt falls.
The truth is, cybercrime can wreak havoc through the simplest-looking actions. Opening an email, clicking a link, even charging your phone at an unfamiliar USB port, can open your device up to cybercrime. Findings of the 2019 Global Data Exposure Report by Code42 told a powerful story about the disconnect we often experience between our data-security hopes and reality.
What This Means for You
Cybercriminals want the most sensitive data that they can get to. And they look for the smallest foothold to get into a system. As pharma marketers, it may not be in our job descriptions to plan our companies’ data security. It is, however, our responsibility to be on the vanguard of understanding, appreciating and collaborating to reduce and prevent these threats from entering our organizations.
Consider Data-Security Scenario Planning
Some hospitals have tested how they would respond if, mid-procedure, their computers were overtaken by ransomware. What would you do if, for instance, your sales force fell victim to an attack as a new campaign was launching?
Build in Data Security From the Start
Bring in your security and compliance experts from the beginning so that your plans and campaigns are developed safely, and know the right questions to ask of potential partners and vendors before you share data with them.
Remain Vigilant
Whether in the office, at home or traveling, make sure you’re doing work in ways that match the recommendations of your experts. Use an approved password manager to create and safeguard your passwords. And above all, notice anything that seems odd, such as an email that seems off, a system that isn’t working the way it usually does, or someone acting suspiciously, and report it to your security team rather than assuming someone else will.
Don’t Leave Loopholes
Be sure that the access of former employees and vendors is disabled immediately when they leave. Don’t change, share or bypass security measures. Avoid over-privileging (granting permissions beyond what a role actually needs). Don’t use software, whether new versions or new apps, that hasn’t been approved by your experts. And avoid conducting business communication through unapproved channels, such as personal email or messaging tools.
Keep Records Safely
Back up your important files in approved ways that are not on the same network, such as an external drive that is disconnected when not in use or approved cloud-based storage, so that ransomware cannot encrypt the backups along with the originals. Check periodically that the backups can actually be restored; a backup that has never been tested is only a hope.
Do Your Homework
Your compliance and training organization most likely offers training on data privacy and proper data handling. Take it, and take it seriously!
Targeting tactics like data segmentation, i.e., propensity or lookalike models, and retargeting are not listed by the Network Advertising Initiative as definitively compliant or noncompliant, as they require an additional level of scrutiny.
Conclusion
Data security might not be your full-time job, but it is your job to work in ways that guard the information for your brand and your company. Cybercrime in healthcare puts at risk our organizational data, our intellectual property, our clinical research and the private data — or even the safety — of the healthcare professionals and patients with whom we build trust. With the stakes so high, awareness and vigilance are everyone’s responsibility every day. Your actions might be all that protects your organization — or opens it up.
Sarah Morgan is a content strategist for Intouch.