As Life Sciences Goes Digital, New Cyber Threats Emerge | Deloitte US has been saved
By John Lu, Life Sciences & Health Care Cyber & Strategic Risk leader, Deloitte & Touche LLP
Pharmaceutical companies are increasingly being targeted for cyberattacks, according to July 7 alert from the FBI, Department of Treasury, and Cybersecurity and Infrastructure Security Agency (CISA).1 Over the past several years, cyberattacks against pharmaceutical, medical technology/device, and other life sciences companies have disrupted supply chains, hobbled manufacturing processes, erased years of research, and resulted in hundreds of millions in damages. Cybercriminals likely assume that these companies, and other health organizations, are willing to pay ransoms because their services are critical, according to the joint alert. These bad actors also know that the life sciences industry has trade secrets/intellectual property, vast amounts of personal health data…and deep pockets.
As the cyber leader for Deloitte’s Life Sciences & Health Care practice, I work closely with various organizations across the industry. Like most industries, life sciences companies are becoming increasingly digital. Late last year, Deloitte surveyed 150 leaders from pharmaceutical companies to learn more about the industry’s approach to digital innovation (see Biopharma digital transformation). The vast majority (77%) of respondents, said their organization views digital innovation as a competitive differentiator.
While a digital strategy can help a life sciences company improve efficiencies in everything from research and development (R&D) to operations and sales, it also can expose companies to new risks as data starts to flow outside of its four walls and into data lakes that sit on various cloud platforms. While many life sciences companies are well aware of cyber risks, some executives still see it as more of an IT or R&D issue, rather than something that requires an enterprise-wide strategy.
COVID accelerated innovation and threats
Compared to other industries such as banking and entertainment, the life sciences industry was slower to incorporate innovative digital technologies such as artificial intelligence (AI), cloud, and the Internet of Things (IoT) in their operations. That all changed during the early days of the COVID-19 pandemic. With lockdowns and physical distancing measures in place, many life sciences companies quickly transitioned to remote work, cloud-based data storage, virtual clinical trials, and other solutions to help maintain progress while many employees stayed away from their offices.
Cloud technologies and platforms provided scalability and agility for organizations to make it possible for employees to work remotely (and collaboratively) from home, store and share data, build data lakes, and even run AI and machine learning (ML) algorithms. Cloud technology also helped to reduce costs, improve time-to-discovery and insight, and collate data for greater visibility into manufacturing and supply chain operations. At the same time, pressure to develop vaccines and therapies required competitors to become collaborators and share digital information with each other. Each of these factors has increased cybersecurity risks. This has helped push life sciences cyber communities to be more agile and innovative in how they approach threats and vulnerabilities, as well as to collaborate even more extensively with peers throughout the industry.
Competition for cyber jobs is heating up
Looking back over the past 20 years or so, cybersecurity has evolved from a “low priority IT risk” to being a top enterprise-wide risk that is typically recognized across the organization. Many life sciences companies are paying much closer attention to data and digital. Having the right people and skillsets dedicated to cybersecurity will continue to increase in importance.
As the cybersecurity industry continues to evolve, finding experienced, skilled talent has risen to become a top-tier issue for chief information security officers (CISOs). The demand for this expertise is astronomical. Every sector is looking to protect its digital data, and competition for top-tier talent is fierce. As many as 3.5 million cybersecurity jobs worldwide are unfilled—up 350% between 2013 and 2021, according to industry researcher, Cybersecurity Ventures.
Life sciences companies are no longer only competing head-to-head with other life sciences companies for talent. They are now competing with a wide range of companies from various industries, some of which are often able to offer dramatically larger compensation packages. Even professional service firms like Deloitte compete for cyber talent. Worldwide, Deloitte has more than 22,000 cyber and risk professionals, and as demand continues to increase, we have developed several alternative talent sources, including a train-to-hire program. This type of innovation will likely be needed to fulfill a skillset demand that continues to increase.
Three cyber questions to consider
I have noticed that health care and life sciences companies are increasingly referring to themselves as digital or technology companies. Virtually every step along the value chain is transitioning to digital, and I expect that this will only increase in the coming years. However, if company leaders fail to recognize the importance of integrating cybersecurity into that digital value chain, even the best tools, technologies, and processes could be defeated by cybercriminals (see Defending against ransomware).
As life sciences companies move forward with new and innovative digital technologies, there are three questions company leaders should consider:
1. CISA, FBI, and Treasury release advisory on North Korean state-sponsored cyber actors use of Maui Ransomware, Cybersecurity & Infrastructure Security Agency, Alert, July 6, 2022
This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.