Open up any newspaper today or flip on the news and you’re more than likely to come across an article or story reporting on a cybersecurity attack. Increasingly these attacks are targeting the life science and medical device industries, compromising hard-earned intellectual property (IP).
As a life sciences or medical device company, it is mission-critical to protect the lab books, drug and clinical test data, product formulas and production processes that underlie patents, trade secrets and know-how from hackers and others. Given the interconnectivity of corporate data networks, it has become all too easy for cyber thieves to gain access to valuable information in company networks in order to monetize IP or cause reputational or financial harm.
Recently, Foley & Lardner, an international law firm established in 1842, published a guidebook entitled Cybersecurity in the Pharma, Biotech and Medical Devices Industries. In the guidebook, Foley’s cybersecurity team takes an in-depth look at how pharma, biotech and medical device companies can take measures to protect their IP and confidential information in cyberspace.
The guidebook begins by discussing the importance of protecting vulnerable IP assets in cyberspace. It then looks at the legislative landscape, including the impact of recent trade secret legislation and a brief discussion of the federal agencies that most frequently operate in the cybersecurity and life sciences space. It discusses some of the tools that can be used for protecting sensitive IP, followed by practical policies and procedures that companies can implement to help avoid loss and comply with regulations.
The guide also includes the following 6 myths that its authors believe still permeate common perceptions:
Myth #1: “It’s all about the data”
Security must be designed to account for not only the protection of the data or information (including a company’s IP), but for the information system itself. Security should be approached from both a holistic and segmented perspective. By focusing only on certain components, or the data, the entire system will be left vulnerable, which ultimately leaves individual segments and data susceptible.
Organizations also need to consider the reputational harm that results from a breach. In the U.S., indirect costs, including lost business, the cost to attract or retain customers, and the loss of confidence in a company, often account for two-thirds of the cost of a data breach.
Myth #2: “It’s all about confidentiality”
Confidentiality of information is only one element. Equally important are the integrity and availability of the information. Integrity aims to ensure that the information has not been altered, whether maliciously, accidentally, or due to a system error. Putting security mechanisms in place to address the integrity of the information helps ensure, for example, that sensor information stored in a medical device is providing correct and accurate information to medical professionals, avoiding errors in diagnosis and treatment.
Equally important is the availability of information when requested. This is especially true in the life science and medical device industries, where the unavailability of information may result in the inability to diagnose a life-threatening condition.
Myth #3: “To be a hacker, you have to be a technology genius”
Vast information and resources exist that allow even technical novices to “hack” systems. Not all hackers are former technology geniuses gone rogue. As described earlier, the age of vulnerabilities and the ease of obtaining exploits open the doors to “script kiddies” and other average, ordinary individuals to contribute to security incidents.
Myth #4: “It’s an IT Department issue”
The IT department may be responsible for devising the security mechanisms to guard against external threats, but cybersecurity is an enterprise-wide issue that requires buy-in and direction from the board and upper management. Increasingly, board members are held responsible for neglecting their fiduciary duties when they ignore cybersecurity in their organization. Even if the IT department implements strict safeguards, the strongest procedures will fail if employees are not educated on the importance of security “hygiene,” as security is only as strong as its weakest link.
Myth #5: “I can achieve (need) 100% security”
While there is no one-size-fits-all approach to security, it is also impossible to achieve 100% security. One study estimated that an organization that wanted to achieve the highest possible level of cybersecurity, which itself was only capable of repelling 95% of the attacks, would have to boost its spending on cybersecurity nine times. The study also found that just to stop 84% of attacks, organizations would have to double their investments in cybersecurity.
As security protections are increased, the usability of the secured system decreases, and vice versa. Even if it were possible to stop 100% of the attacks, the system would not be usable for its intended purpose. Therefore, organizations should appropriately balance their security efforts with usability, and focus on managing the residual risks that remain after their investments.
Myth #6: “I’m safe. I have great security”
The biggest myth of all is the false belief that an organization is safe because it has “great” security. Thousands of new viruses and exploits are developed every day. According to an Imperva/Technion-Israel Institute of Technology Study, the initial (zero-day) threat detection rate is only 5%. According to a Verizon Study, 83% of intrusions took weeks or more to discover. According to a Trustwave Holding Study, the average time to detect an intrusion is 210 days.
Phillip Bandy is ShareVault’s chief information security officer (CISO) and is responsible for establishing security standards and controls, guiding the implementation of security technologies, and managing the establishment and implementation of security policies and procedures. He is an expert in computer incident response and has implemented computer security controls for NASA’s Mission Control.