Pharma data faces a double dose of cyber threat. While profit-motivated actors continue to target pharma companies for monetizable data (last year, Industrial Spy offered to sell stolen Novartis data on the darknet for $500,000), nation-state-sponsored threat actors are also going after the pharma industry to score political points.
The resulting cyber risk can be so vast that it is challenging to quantify. Case in point, Merck is still fighting billion-dollar court battles after some of its subsidiaries became a target for Russian state-backed cyber criminals in 2017.
To fight back against this two-headed hydra of a threat landscape, pharma companies need to zoom in on where data risk comes from and what stands in the way of mitigation.
The Data That Creates the Most Risk
As a rule, if data has business value to your organization, it's at risk.
Threat actors will go after any information that can be sold to your competitors on the dark web, ransomed back to you, or used to create copycat solutions in their home regions.
Two categories of sensitive data specific to pharma companies that are commonly targeted include:
Research and development data (R&D)
Proprietary data is at the heart of drug development—everything from clinical information collected during patient trials to internal financial forecasts and market analysis.
Exposed through a data breach, R&D data can cause indirect financial pain through lost competitive edge. Plus, when leaked R&D data contains personally identifiable information (PII), fines under laws like the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR) will follow.
French laboratory software provider, Dedalus Biologie, was recently fined 1.5 million euros by the GDPR over a data breach that leaked PII of nearly 500,000 individuals from 28 laboratories. In this case, while the data was not leaked by a pharma directly, third-party vendors like Dedalus Biologie serve life science organizations and can inadvertently expose R&D data as it is shared throughout the drug development lifecycle.
Intellectual property (IP)
For drug manufacturers, IP can include technical data like ELN (Electronic Lab Notebook), reports, secret manufacturing methods, PII such as unregistered patient information, and financial information points like pricing strategies.
IP is a primary target for many threat actors. The annual cost of pharma IP leaks (and the resulting production of counterfeit products) has been estimated to be around 4% of the pharma industry’s annual revenue.
The Shift In Where Data Lives
Bringing a drug to market takes over a decade on average, but pharma is moving to the cloud at a record pace.
- Over 83% of pharma companies used public, hybrid, or private cloud environments between 2021 and 2022
- The term "cloud computing" appeared 65% more often in pharma companies' annual reports
Cloud-hosted workloads have unlocked immense benefits for the entire drug development lifecycle. For example, the scalable, almost unlimited computing power that the cloud allows is what helped Moderna bring its COVID vaccine to Phase 1, just 42 days after the coronavirus was first sequenced.
This digital shift happened far faster than most organizations ever planned. According to polls, the pharma industry is roughly five years ahead of pre-covid projections of digital transformation.
While rapid change can create massive benefits, it also fosters new risks. Data breaches are doing more damage than ever. According to IBM, the average pharma data breach cost was just over $5 million in 2022--the third most expensive of any industry.
The Threats to Pharma Data
The downside of rapid cloud migration is that the typical pharma company’s attack surface is far beyond the scope of what security teams can secure with traditional approaches.
There are several threats facing pharma companies today:
Overly permissive access
Excessive access to sensitive data is one example of vulnerabilities that can get past security teams.
Overly permissive access often stems from misconfigurations, for example, when an asset is deployed in a cloud environment without the proper security controls. It could be an internet-exposed cloud storage or an S3 bucket with unencrypted data. And threat actors constantly scan networks for these misconfigured assets.
R&D data drift
Take any pharma company in operation today, and the chances that they host at-risk information in unauthorized environments is extremely high.
What is happening here is that R&D data should be stored in only specific, well-controlled data stores, in line with a company’s internal data governance policies. But unbeknownst to the security team, that data has instead drifted outside to a publicly exposed data store.
Most exposures go unnoticed, but in 2020, Pfizer suffered a massive data breach when researchers found a publicly exposed Google Cloud Storage bucket that contained drug safety information.
Insider threats
Misconfigured cloud assets also increase the risk created by insider threats.
Although organizations are keen to use zero trust to protect data, the reality is almost the opposite in most cases. Pharmaceutical employees can have access to hundreds and thousands of sensitive files. Only a tiny minority of insiders will ever pose a calculated cybersecurity risk. Still, with the cloud making access to sensitive information easier, the blast radius a single malicious individual can create is enormous.
Data mislabeling
Mislabeling drugs endangers patient lives, but mislabeling data sensitivity endangers organizations. This is because IP data is not all created equal.
For example, the latest drug manufacturing methods should be limited to a small internal group, while drug pricing will have to be shared more broadly with vendors along the drug development supply chain. Both types of data are considered IP. But with traditional data discovery and classification methodologies, many pharma companies are forced to apply a blanket sensitivity label for all IP data or manually separate and classify IP data.
How Cyera can help Safeguard R&D and IP Data
To harden your data security posture and reduce risks of data breaches, you need to know where sensitive data lives and how to safeguard it.
Cyera provides a holistic data security solution that can effectively protect R&D and IP data. Cyera dynamically discovers, classifies and establishes rich context on sensitive data across IaaS, PaaS, and SaaS environments, without agents or connectors. Cyera enables you to fix misconfigurations and secure the sensitive data attackers are after. This includes identifying sensitive data that has drifted outside of approved environments and alerting teams of sensitive data exposed to the public internet.
Furthermore, Cyera simplifies and accelerates compliance audits by enabling you to proactively improve your data security and privacy controls with a centralized sensitive data inventory so your team can respond to audits quickly and completely. The platform ensures compliance with policies that highlight exposures for HIPAA, GDPR, and more.
To learn more about how Cyera secures R&D, IP and other sensitive data for pharma companies, schedule a demo today.
