August 24, 2021
Cybersecurity success in advanced therapies starts by prioritizing security as a “Way of working”
The first blog of this four-part series discussed the current state of cybersecurity in healthcare and life sciences, and why this topic is so important for biopharma companies and technology providers to the industry. Protecting patient and company data, including IP, is critical and challenging. This installment looks more closely at the ways all companies — technology providers and purchasers — can implement the first strategy: Prioritize security as a “Way of working.”
Strategy 1: Prioritize security as a “Way of working”
A culture of security
Companies that prioritize security and privacy do so intentionally and make significant investments in the effort. And it’s not easy. It is challenging to stay current with technology and stay ahead of the methods used by cybercriminals to breach systems. It is also challenging to ensure that the people involved, everyone from developers to users, view security and security practices as an enabler and a responsibility rather than a blocker.
Companies — technology providers and purchasers — that prioritize security make investments early on to demonstrate their dedication to security. They prioritize security because it is the right thing to do and because it is a fundamental belief. One clear indicator is the degree to which a dedicated security team has been established and built out proactively, in step with the company's situation, and the visibility and voice this team has throughout the organization. Too often, companies build this team much later than is needed to be effective, leaving the security team to play catch-up once it is finally in place. According to a survey published by Biosecure in 2019, 90% of the participants, leaders in biotech and cybersecurity firms, felt that insufficient time and resources were devoted to cybersecurity in their companies.[1]
Leadership plays a critical role in setting the tone around security and establishing it as a priority — and maintaining visibility for security on an ongoing basis. Establishing solid governance is a first step and leaders at all levels of the organization must support the structure and set the right example with both their attitudes and their actions. Every individual in an organization is accountable for security and privacy and this is driven by the example and expectations set at the top. Security is a part of the culture.
Utilize leading methodologies and tools
For technology or SaaS providers, a "Secure by Design" (SbD) approach to the software development life cycle (SDLC) is the most effective and comprehensive way to maximize system security. Simply put, this means that software products and capabilities are designed to be foundationally secure, before a single line of code is written, with the goal of preventing vulnerabilities from being introduced rather than finding and fixing them after the fact. Both technology suppliers and consumers benefit from reduced costs and improved security when quality and security are built in from the start.
This concept is not new. It is similar to a successful approach the biopharma industry already uses: Quality by Design (QbD). QbD is used to design and develop biopharmaceuticals by building quality into the process and product in a systematic, science- and risk-based manner from the planning stages. The primary focus is on patient needs and product safety and efficacy.[3,4,5]
SbD starts at the design phase and has to be approached end to end. The infrastructure, platform, and software components and features are comprehensively assessed for risk and designed with security as a fundamental goal. One important element of an SbD program is threat modeling. This process gives companies a framework for determining where they are most exposed to attack, which threats are most relevant, and how to safeguard against them. Threat modeling has much in common with a method frequently used in biopharma Quality Risk Management to identify and address risks, Failure Mode and Effects Analysis (FMEA) (read more here: Supply chain management readiness, Part 4: quality risk management). In threat modeling, a team works through a system or process element by element, asking how an attacker could misuse each one and how well the design would hold up against those identified risks; the analysis is then checked by exercising the system against simulated attacks and malicious behavior. The results are used to strengthen defenses in areas of greater risk and to guide the deployment and configuration of security controls. Threat models vary from company to company, so a software supplier should allow for flexible security controls and functionality rather than a single fixed configuration. As the system is pressure-tested and gaps are identified, teams evaluate the issues in context and prioritize where to put effort first. Identifying and solving problems at this early stage saves both time and money later on and gives customers a more secure solution from the start.
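The FMEA parallel drawn above can be made concrete. The following is an added example, not code from the original post: it scores a small threat register the way a biopharma FMEA scores failure modes (severity, occurrence and detectability, each 1 to 10, multiplied into a risk priority number) and ranks the entries so a team can decide where to put effort first, then re-scores an entry once its control is designed in. The system (a hypothetical SaaS that stores patient records), its components, the threats, the scores and the action threshold are all assumptions made for illustration.

```python
"""FMEA-style scoring and ranking of a threat model.

Added example, not code from the original post. Everything here is
constructed for illustration: the hypothetical patient-records SaaS, its
components, the threats and the 1..10 scores are assumptions. The scoring
follows the Failure Mode and Effects Analysis convention used in biopharma
quality risk management: severity x occurrence x detectability = risk
priority number (RPN). The team works the highest RPNs first and re-scores
once a control is in place.
"""
from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Threat:
    component: str      # element of the system: a process, data store or data flow
    description: str    # how an attacker could misuse that element
    severity: int       # impact if it happens: 1 negligible .. 10 patient harm / major breach
    occurrence: int     # how likely or how easy it is: 1 rare .. 10 routine
    detectability: int  # 1 = would certainly be caught before harm, 10 = would go unnoticed
    control: str        # safeguard the design will carry against this threat

    def __post_init__(self) -> None:
        for name in ("severity", "occurrence", "detectability"):
            value = getattr(self, name)
            if not 1 <= value <= 10:
                raise ValueError(f"{name} must be 1..10, got {value}")

    def rpn(self) -> int:
        """Risk priority number: the FMEA product of the three scores."""
        return self.severity * self.occurrence * self.detectability


def rank(threats: list[Threat]) -> list[Threat]:
    """Highest RPN first; ties broken by severity so patient-impacting threats come first."""
    return sorted(threats, key=lambda t: (t.rpn(), t.severity), reverse=True)


def needs_action(threats: list[Threat], threshold: int) -> list[Threat]:
    """Threats at or above the team's action threshold (the threshold is an assumed policy)."""
    return [t for t in rank(threats) if t.rpn() >= threshold]


def after_control(threat: Threat, occurrence: int, detectability: int) -> Threat:
    """Re-score a threat once its control is designed in.

    Severity is kept unchanged: a control lowers how likely or how visible
    an attack is, not how bad the outcome would be if it still succeeded.
    """
    return replace(threat, occurrence=occurrence, detectability=detectability)


# Constructed register for the hypothetical patient-records SaaS.
THREAT_REGISTER = [
    Threat("Patient-records API", "SQL injection through unvalidated query parameters",
           9, 6, 7, "Parameterized queries and input validation in the shared data layer"),
    Threat("Admin console", "Credential stuffing against password-only logins",
           8, 7, 6, "Multi-factor authentication required for privileged roles"),
    Threat("Build pipeline", "Compromised third-party package pulled into a release",
           9, 4, 8, "Pinned, hash-verified dependencies reviewed against an SBOM"),
    Threat("Audit log store", "Attacker deletes logs to hide activity",
           6, 3, 9, "Write-once log storage under a separate retention account"),
    Threat("Marketing site", "Defacement of static content",
           3, 5, 2, "CDN publishing restricted to a release role"),
]


if __name__ == "__main__":
    print(f"{'RPN':>4}  {'Component':<20} Threat")
    for t in rank(THREAT_REGISTER):
        print(f"{t.rpn():>4}  {t.component:<20} {t.description}")
    worst = rank(THREAT_REGISTER)[0]
    mitigated = after_control(worst, occurrence=2, detectability=3)
    print(f"\n{worst.component}: RPN {worst.rpn()} -> {mitigated.rpn()} with '{worst.control}'")
```

Two points carry over directly from FMEA practice: detectability is scored separately from likelihood (an attack that would go unnoticed ranks higher than one that is equally likely but loudly logged), and severity is never lowered by a control, only re-scored occurrence and detectability are, so residual risk stays honest.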
Continuous Integration/Continuous Deployment (CI/CD) is a more streamlined and cohesive approach to software development in general, and it is also where security checks belong. In this approach, developers are provided with security tools that integrate with their development toolchains, so code is checked as features and functionality are created rather than in a single review at the end. This lets developers build in and improve security continuously as software is developed, replacing the old approach of writing the code and doing a security check afterward. It is more cost-effective and less resource-intensive than making changes after an application is built, and it leaves fewer gaps. Proactive assessment of both infrastructure and applications continues through the testing and validation phases and then becomes part of routine operations.
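One concrete form of a "security tool that integrates with the development toolchain" is a check that runs before code leaves the developer's machine. The following is an added example, not code from the original post or from any particular product: a small pre-commit gate that scans the staged content of a commit for obvious secrets and refuses the commit when it finds one. The hook path, the rule set and the sample file contents are constructed for illustration; a real deployment would use a maintained scanner with a much broader rule set, and would run the same check again in CI.

```python
"""Pre-commit security gate: refuse commits that carry obvious secrets.

Added example, not code from the original post or from any product. Run it
as a git pre-commit hook (assumed path .git/hooks/pre-commit) or as a CI
step: the commit is rejected before the secret reaches the shared
repository. The patterns are a constructed, deliberately small set.
"""
from __future__ import annotations

import re
import subprocess
import sys

# Constructed rule set; each pattern is applied to one line of text.
PATTERNS = {
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private key block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "hard-coded password": re.compile(r"(?i)\bpassword\s*[=:]\s*['\"][^'\"]{6,}['\"]"),
    "hard-coded api key or token": re.compile(
        r"(?i)\b(?:api[_-]?key|[a-z_]*secret|[a-z_]*token)\s*[=:]\s*['\"][A-Za-z0-9_\-]{16,}['\"]"),
}

# Reviewable opt-out for test fixtures: the marker is visible in the diff,
# so a reviewer sees exactly which lines were exempted and why.
ALLOW_MARKER = "allow-secret"

# Constructed sample file content (the AWS key is the placeholder AWS uses in its own documentation).
SAMPLE = (
    'aws_key = "AKIAIOSFODNN7EXAMPLE"\n'
    'user = "svc-ingest"\n'
    'password = "hunter2!!"\n'
    'fixture = "AKIAIOSFODNN7EXAMPLE"  # allow-secret: documented AWS placeholder used in unit tests\n'
    'client_secret = "abcdefghijklmnopqrstuvwxyz0123"\n'
)


def scan_text(path: str, text: str) -> list[tuple[str, int, str]]:
    """Return (path, line number, rule name) for every line that matches a rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for rule, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, rule))
    return findings


def staged_files() -> list[str]:
    """Paths added, copied or modified in the index, i.e. what the commit will contain."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True).stdout
    return [p for p in out.splitlines() if p]


def staged_content(path: str) -> str:
    """The staged version of a file, not the working copy, so unstaged edits cannot mask a finding."""
    return subprocess.run(
        ["git", "show", f":{path}"],
        capture_output=True, text=True, errors="replace", check=True).stdout


def main() -> int:
    findings = []
    for path in staged_files():
        findings.extend(scan_text(path, staged_content(path)))
    for path, lineno, rule in findings:
        print(f"{path}:{lineno}: possible {rule}", file=sys.stderr)
    if findings:
        print("commit blocked: remove the secret, or mark a test fixture with "
              f"'{ALLOW_MARKER}' and have a reviewer confirm it", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    if "--demo" in sys.argv:
        for path, lineno, rule in scan_text("config.py", SAMPLE):
            print(f"{path}:{lineno}: possible {rule}")
    else:
        sys.exit(main())
```

Run with `--demo` to see the constructed sample scanned without a git repository. Two design choices matter more than the regexes: the hook reads the staged blob (`git show :path`) rather than the working file, and the only way past it is an opt-out marker that itself shows up in the diff for a reviewer to question.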
Software as a service (SaaS) and cloud-based applications have some advantages for security as well. Features and functionality that address new security risks can be rolled out quickly to every customer, so no deployment lags behind on security updates. It is also more cost-effective, and updates cause little to no interruption. The trade-off is that customers depend on the provider's practices, which is why a provider's own security culture and SbD program deserve scrutiny during purchasing.
The challenge here, as with all aspects of cybersecurity, is finding the balance between enough security, but not so much that the development process and applications are unwieldy, overbuilt, and costly. There is a parallel here with Quality Risk Management in biopharma, where the goal is to provide patients with safe and efficacious treatments efficiently while carefully managing the most important risks. One way to right-size security is to start with the applicable security and privacy design requirements (SPDRs). This will lay out the known requirements and components to ensure basic safety and security. Developers then have a set of options from which to choose to ensure that security is applied appropriately to each feature and functionality.
As discussed here, the responsibility for cybersecurity rests primarily with security experts but extends to the entire team. Carefully curating a culture and way of working around security is a paramount first step. However, there are also governmental, industry, and regulatory requirements to consider. The next blog in this series will provide an overview of the key external regulations and standards in this field.
Blog series posts:
Post #1 Cybersecurity challenges in advanced therapies — introducing five strategies for success
Post #3 Key industry and government regulations provide a cybersecurity foundation in advanced therapies
Post #4 Life Sciences cybersecurity, knowing your first line of defense and continuously improving it
1. Smith, Jonathan. Biotech Startups Face a Growing Wave of Cyberattacks. Labiotech.eu, 21 October 2020: https://www.labiotech.eu/in-depth/cyberattack-biotech-startups-covid/
2. National Institute of Standards and Technology (NIST). NIST Releases Version 1.1 of its Popular Cybersecurity Framework. U.S. Department of Commerce, April 2018: https://www.nist.gov/news-events/news/2018/04/nist-releases-version-11-its-popular-cybersecurity-framework
3. International Conference on Harmonisation of Technical Requirements for Registration of Pharmaceuticals for Human Use. ICH Harmonised Tripartite Guideline: Pharmaceutical Development Q8(R2). ICH, August 2009: https://database.ich.org/sites/default/files/Q8_R2_Guideline.pdf
4. International Conference on Harmonisation of Technical Requirements for Registration of Pharmaceuticals for Human Use. ICH Harmonised Tripartite Guideline: Quality Risk Management Q9. ICH, August 2009: https://database.ich.org/sites/default/files/Q9%20Guideline.pdf
5. International Conference on Harmonisation of Technical Requirements for Registration of Pharmaceuticals for Human Use. ICH Harmonised Tripartite Guideline: Pharmaceutical Quality System Q10. ICH, August 2009: https://database.ich.org/sites/default/files/Q10%20Guideline.pdf