Cybersecurity in Life Sciences organizations should not be neglected
It is no surprise that Life Sciences organizations, which often manage massive volumes of sensitive health data, can be a desired target for cybercriminals.
In this context, the generic term Life Sciences covers a whole range of entities: from medical research centers to sponsors of clinical trials like pharmaceutical or biotechnology companies.
To put things in perspective, selling electronic health records much more profitable for cybercriminals than credit card information. With every cyberattack, patients and their safety are put at stake, as well as an organization’s reputation. When it comes to the companies developing treatments, such pharmaceutical companies, they also risk integrity of these products in case of cyberattack.
With the cybersecurity threats that the sector faces every day, it is imperative for Life Sciences organizations to address these concerns and strengthen their cybersecurity framework. In this article Arithmos outlines the top three cyberthreats that became the biggest menace to Life Sciences in 2019:
- Information security measures and awareness;
- Unsecured and unmanaged devices used as part of BYOD approach;
- Ransomware attacks.
Limited spending on cybersecurity
Trends in the industry show that a lot of Life Sciences companies are still not willing to make the investment in cybersecurity.
Limited spending may lead to risks that could have been avoided. For example, on average, healthcare organizations spend anywhere between four to seven percent of their budget on information security. The financial sector, on the other hand, budgets in around 15 percent.These budgets are not proportionate considering that healthcare organizations have the highest costs associated per patient, per breach.
Not investing in company training and information security awareness means that employees are not informed on their contribution to security, current cyber threats and ways to identify possible attacks in time. Most of the time, employee training is equal to a couple PowerPoint presentations and videos, certainly not providing them with enough resources to tackle possible breaches. 27 percent of data breaches are associated with human error.
Properly training employees, investing and partnering with capable providers that comply with regulatory requirements and international standards (providers that are ISO/IEC 27001:2013 certified, for example), and training these employees regularly might allow for less room for errors.
Bring Your Own Device
As of 2018, 71 percent of hospitals allow for some form of “Bring Your Own Device”. Previously, doctors and nurses relied on the use of hospital-owned devices to communicate and share patient data.
When it comes to clinical trials, the BYOD is also becoming a standard strategy for data collection with the introduction of wearables.
BYOD approach has number of advantages:
- In hospitals, it allows for greater efficiency amongst co-workers in different shifts;
- Facilitates medical staff in tracking patients even when out of office;
- Promotes cost savings as the organization does not finance the devices;
- For patients, it ensures user-friendliness, since they know the devices;
- It increases patient retentions in clinical trials.
Despite offering solutions to many challenges, the lack of regulations on the security and privacy of the information being shared is a growing concern of BYOD. There are a few guidelines that can be used to avoid cybersecurity threats. They should specify:
- Which devices are allowed and secured;
- Who has access to them;
- What type of information can be stored on them;
- How they are secured;
By strictly following these guidelines, healthcare organizations can at least be certain that they know their devices. This ensures they are better equipped to understand and assign appropriate technical support related to the devices if and when they encounter probable breaches and leaks of information that could be caused by any of these devices being lost, stolen, or misplaced.
In May of 2017, the WannaCry cyberattack, an incident involving the “WannaCry” ransomware cryptoworm, infected over 300,000 computers encrypting valuable data (including patient data from hospital computers) and demanding payment in bitcoins for the data to be returned safely.
Although WannaCry demanded $300 in bitcoins to every computer it infected, money is not always the only driver in ransomware infections. These malware infection can cause data exfiltration or alter patient data, possibly misdiagnosing individuals.
Although cyber-attacks are unpredictable, running the newest software and upgrading computers and programs continuously are some measures that should be taken to be to decrease an organizations likelihood of being affected. An information security risk assessment on the Company’s information done by qualified personnelis the first step towards decreasing the risks.
Cybersecurity is a major concern for all industries, but especially for the healthcare industry as they hold highly appealing information to cybercriminals.
Whether that means budgeting more money for IT maintenance and information security, providing training services for employees, partnering up with companies that offer protective services, updating computes and programs more frequently, or regulating unprotected devices more closely, it is necessary for healthcare organizations to prioritize the protection of their data and to start taking the right steps in the direction of prevention.
For its solutions, Arithmos provides hosting services ensuring compliance with international standards. The Information Security Management System (ISMS), certified according to the ISO/IEC 27001:2013 standard, assures desired level of information security.
Arithmos also offers data migration services for companies still using legacy systems, in order to move to up-to-date systems thus improving data security and granting the compliance with continuing evolving regulations.
Susan Morse, (2019). “Healthcare’s number one financial issue is cybersecurity”;