For Health and Life Sciences Companies, Cybersecurity is not Just an IT Issue
By Amry Junaideen, Risk & Financial Advisory Life Sciences and Health Care leader, Deloitte & Touche LLP
In a My Take earlier this month, I explained that cybersecurity and risk should be part of the conversation when life sciences and health care leaders discuss their long-term business strategies. But communicating the value of investments in cybersecurity to senior leaders and board members can be challenging because cyber is often perceived as being highly technical. Moreover, some leaders might see cybersecurity as an IT issue rather than a critical component of business strategy. While we are seeing a shift in the mindset among many board members and executives, there is considerable room for further evolution.
Cyber criminals tend to see tremendous value in the patient data collected and stored by health and life sciences organizations. Electronic health records (EHRs), for example, could contain a wealth of exploitable information—everything from demographic information to work history to financial information. This information can be worth substantially more on the black market than bank records and other types of data.[1] While there is tremendous value in patient data (and in other types of sensitive information, such as drug-development pipelines), there are often fewer safeguards to protect it when compared to other industries. This has made health and life sciences companies prime targets for cyberattacks. At the same time, pressure to reduce health care and health coverage costs could make it difficult to get leadership’s attention when it comes to cybersecurity. Moreover, the proliferation of connected medical devices, wearables, and data-gathering health apps could create a bigger opening for threats.
In 2018, health care led all industries in the volume of cybersecurity breaches—accounting for about 25 percent of more than 750 reported incidents, according to a report released last month.[2] That year, about 15 million patient records were impacted—nearly triple the number reported just one year earlier.[3]
Seven strategies for creating a culture of cybersecurity
So what works and what doesn’t work when it comes to communicating key priorities around cybersecurity? The Deloitte Center for Health Solutions recently posed that question to chief information security officers (CISOs), chief information officers (CIOs), and C-suite executives from biopharma, medical device manufacturers, health plans, and health systems who are involved in making decisions around cybersecurity. Our interviewees agreed that having a cyber-literate board and cyber-savvy leaders is important. From our conversations, we distilled seven themes that could help prepare boards and senior leaders to make the decisions needed to counter growing cyberthreats.
While organizations should take measures to prevent breaches, the reality is not all cyberattacks will be prevented. Part of a cybersecurity plan should be to minimize the damage from potential breaches by having documented and tested resilience and crisis-management strategies. The role of CISOs and CIOs has expanded beyond the walls of the IT department, and these professionals could play an invaluable part when it comes to helping board members and leadership understand potential threats and respond to them appropriately.
Endnotes
1. Security trends in the healthcare industry, IBM X-Force Research (https://www.ibm.com/downloads/cas/PLWZ76MM)
2. Data Security Incident Response Report
3. Erin Dietsche, 11 cybersecurity tips from the first federal chief information security officer, Med City News, February 13, 2019
4. Frederick Schnoll, Better security through storytelling, CSO Online, January 30, 2017
Amry is the managing principal of Life Sciences & Health Care for the Risk & Financial Advisory business of Deloitte & Touche LLP. Amry has over 26 years of diversified global experience in the private and public sectors, having served large multi-national and public sector clients on many risk management and information technology related initiatives. Amry has extensive international experience, including in-country leadership roles in Australia and India. Amry has held numerous client and practice leadership roles, having worked with Pfizer, Amgen, Bayer Pharmaceutical, Genzyme Corporation, AstraZeneca, the Centers for Medicare & Medicaid Services, and the Australian Regional Public Health System. He was also the National and Global Security & Privacy leader for life sciences. Amry’s specialties include risk management, systems integration, internal controls transformation, and talent management. Amry holds a bachelor of science degree in accounting and is also a certified information systems security professional, certified in risk and information systems control, a certified information systems auditor, and a certified practicing accountant (Australia).