Posted: 16 Aug. 2022 6 min. read

As life sciences goes digital, new cyber threats emerge

By John Lu, Life Sciences & Health Care Cyber & Strategic Risk leader, Deloitte & Touche LLP

Pharmaceutical companies are increasingly being targeted for cyberattacks, according to a July 7 alert from the FBI, Department of Treasury, and Cybersecurity and Infrastructure Security Agency (CISA).1 Over the past several years, cyberattacks against pharmaceutical, medical technology/device, and other life sciences companies have disrupted supply chains, hobbled manufacturing processes, erased years of research, and resulted in hundreds of millions in damages. Cybercriminals likely assume that these companies, and other health organizations, are willing to pay ransoms because their services are critical, according to the joint alert. These bad actors also know that the life sciences industry has trade secrets/intellectual property, vast amounts of personal health data…and deep pockets.

As the cyber leader for Deloitte’s Life Sciences & Health Care practice, I work closely with various organizations across the industry. Like most industries, life sciences companies are becoming increasingly digital. Late last year, Deloitte surveyed 150 leaders from pharmaceutical companies to learn more about the industry’s approach to digital innovation (see Biopharma digital transformation). The vast majority (77%) of respondents said their organization views digital innovation as a competitive differentiator.

While a digital strategy can help a life sciences company improve efficiencies in everything from research and development (R&D) to operations and sales, it also can expose companies to new risks as data starts to flow outside of their four walls and into data lakes that sit on various cloud platforms. While many life sciences companies are well aware of cyber risks, some executives still see them as more of an IT or R&D issue, rather than something that requires an enterprise-wide strategy.

COVID accelerated innovation and threats

Compared to other industries such as banking and entertainment, the life sciences industry was slower to incorporate innovative digital technologies such as artificial intelligence (AI), cloud, and the Internet of Things (IoT) in their operations. That all changed during the early days of the COVID-19 pandemic. With lockdowns and physical distancing measures in place, many life sciences companies quickly transitioned to remote work, cloud-based data storage, virtual clinical trials, and other solutions to help maintain progress while many employees stayed away from their offices.

Cloud technologies and platforms provided scalability and agility for organizations to make it possible for employees to work remotely (and collaboratively) from home, store and share data, build data lakes, and even run AI and machine learning (ML) algorithms. Cloud technology also helped to reduce costs, improve time-to-discovery and insight, and collate data for greater visibility into manufacturing and supply chain operations. At the same time, pressure to develop vaccines and therapies required competitors to become collaborators and share digital information with each other. Each of these factors has increased cybersecurity risks. This has helped push life sciences cyber communities to be more agile and innovative in how they approach threats and vulnerabilities, as well as to collaborate even more extensively with peers throughout the industry.

Competition for cyber jobs is heating up

Looking back over the past 20 years or so, cybersecurity has evolved from a “low priority IT risk” to being a top enterprise-wide risk that is typically recognized across the organization. Many life sciences companies are paying much closer attention to data and digital. Having the right people and skillsets dedicated to cybersecurity will continue to increase in importance. 

As the cybersecurity industry continues to evolve, finding experienced, skilled talent has risen to become a top-tier issue for chief information security officers (CISOs). The demand for this expertise is astronomical. Every sector is looking to protect its digital data, and competition for top-tier talent is fierce. As many as 3.5 million cybersecurity jobs worldwide are unfilled, up 350% between 2013 and 2021, according to industry researcher Cybersecurity Ventures.

Life sciences companies are no longer only competing head-to-head with other life sciences companies for talent. They are now competing with a wide range of companies from various industries, some of which are often able to offer dramatically larger compensation packages. Even professional service firms like Deloitte compete for cyber talent. Worldwide, Deloitte has more than 22,000 cyber and risk professionals, and as demand continues to increase, we have developed several alternative talent sources, including a train-to-hire program. This type of innovation will likely be needed to fulfill a skillset demand that continues to increase.

Three cyber questions to consider

I have noticed that health care and life sciences companies are increasingly referring to themselves as digital or technology companies. Virtually every step along the value chain is transitioning to digital, and I expect that this will only increase in the coming years. However, if company leaders fail to recognize the importance of integrating cybersecurity into that digital value chain, even the best tools, technologies, and processes could be defeated by cybercriminals (see Defending against ransomware).

As life sciences companies move forward with new and innovative digital technologies, there are three questions company leaders should consider:

  • How is cyber integrated into our innovative approach? Whether it is a digital transformation, a shift to the cloud/migrating out of the data center, or moving forward with virtual clinical trials, each innovative approach has the potential to expose a company to new, diverse attack vectors. These threats should be considered throughout the process—from requirements to architecture and design, to development, to testing, and to deployment—as the company moves to operationalize. Gaps can occur when cybersecurity is not integrated from the beginning. Such gaps could be exploited, which could potentially negate any gains or trust that would have been obtained through the new approach.
  • Who can access the data? Digital data has become consumable like banking information and accessible from almost anywhere through various devices. The more accessible data becomes, the more security is needed to protect it. A company might not know exactly what is in the data because data often is not tagged correctly. Moreover, how do companies ensure that only the designated person can access the designated data through a designated channel? Can data be retrieved if an audit needs to be conducted?
  • Are consumers, patients, and/or customers our top priority? Do they trust us? About 50% of US consumers do not trust biopharma companies, according to our report, Overcoming biopharma's trust deficit. As life sciences companies get closer to consumers, patients, and customers, garnering end-user trust can become an even more important value for companies to harness. Making it possible for end-users to securely access their data when they want it can be important. This might be one of the first interactions a consumer has with the company. Finding the perfect balance of accessibility, while protecting critical information, brings cybersecurity to the forefront of building and growing trust.

End notes:

1. CISA, FBI, and Treasury release advisory on North Korean state-sponsored cyber actors use of Maui Ransomware, Cybersecurity & Infrastructure Security Agency, Alert, July 6, 2022
