Global regulations could redirect cyber security and privacy investments and may result in large fines if not adequately addressed
Government-sponsored hackers were seen as the biggest threat to cyber security among executives in charge of technology, information, and security at drug and medical device makers, according to the 2017 Cyber Healthcare & Life Sciences Survey from KPMG LLP, the U.S. audit, tax and advisory firm.
As more sophisticated threats emerge, some life sciences organizations say they are well prepared, but regulations can compound some of the difficulties facing companies. For example, the European Union’s General Data Protection Regulation (GDPR), which goes into effect May 2018, will be able to impose fines up to 4 percent of global revenue upon organizations that compromise personal data. This regulation has deservedly raised the attention of executives, and it has influenced and reshaped cyber security and privacy priorities.
Nation states topped the list of threats for 53 percent of respondents, followed by individual hackers and “hacktivists” – computer hackers who aim to promote a political or social cause. The data that hackers are seeking are mostly tied to financial information (69 percent), followed by patents and clinical research (63 percent), the survey of 100 U.S. tech, data and security executives from life sciences companies found.
“Some nations desperately want intellectual property to support local life sciences organizations without incurring R&D costs and challenges,” said David Remick, a KPMG partner who works with life sciences companies.
“Drug and medical device makers have significant volumes of valuable financial and clinical information,” said Life Sciences Advisory Leader Alison Little. “Recent cyber events targeting the life sciences industry demonstrate that market capitalization can be immediately eroded depending on the nature of the cyber-attack and extent of damage.”
“The life science industry is increasingly engaging patients directly through web portals and apps to help them better manage their conditions, but this opens the door to new risks,” said Michael Ebert, a KPMG partner who leads cyber for the Healthcare & Life Sciences Practice.
Life sciences organizations listed multiple priorities required to be more effective in cyber security. Better technology (36%) was cited as the highest priority for medical device makers, followed by an overarching strategy on data collection/protection (28%). Pharma organizations cited stronger processes (24%) as the biggest need, followed by more funding and better technology tied for second at 22 percent. Greater staffing was seen as a priority among only 9 percent of respondents.
“Many organizations prioritize technology solutions over improving processes and training staff. This is a grave mistake,” Remick said.
Execs say they’re secure
Despite 62 percent of executives saying they are feeling “more secure” even after the reports of high-profile breaches, about 40 percent of life sciences companies said their overseas security protocols are not as strong as those in the United States, making EU data privacy rules much more significant. The survey found more than a third (34 percent) described their organizations as under-resourced internationally.
KPMG issued its findings in Life Sciences Innovation and Cyber Security: Inseparable, where 100 U.S.-based chief information, technology and information security executives from medical device and pharmaceutical/biotech companies with revenue more than $500 million were asked in February about their concerns and priorities about cyber security.
Of the executives surveyed, approximately half were solely responsible for cyber security, of whom only 36 percent were in their position for more than 24 months.
Bill Borden/Ann Marie Gorden