September 7, 2021
Life Sciences cybersecurity, knowing your first line of defense and continuously improving it
This fourth and final blog in this series, Security and Privacy strategies: how to overcome challenges faced in Healthcare and Life Sciences, discusses the role end users have in cybersecurity — they are the best front-line defense, but human nature being what it is, users present an additional set of challenges. Harnessing the best behaviors of end users and continuously assessing, reassessing, and evolving cybersecurity practices are pivotal practices in a successful cybersecurity effort and round out the other strategies discussed in the prior installments.
- Cybersecurity challenges in advanced therapies — introducing five strategies for success
- Cybersecurity success in advanced therapies starts by prioritizing security as a “Way of working”
- Key industry and government regulations provide a cybersecurity foundation in advanced therapies
Strategy 4: Help users follow security best practices
Users are the front-line defense against security breaches and also an easy target for attackers. The Stanford and Tessian study cited below found that about 88% of data breaches are caused by employee mistakes.1 According to Matthieu Guitton, an expert in cyberbehavior and a Professor at Universite Laval in Canada, “The main issue with data security in biotech is that most people focus their attention on technology, while the weakest link of the cybersecurity chain is the behavior of people.” The shift towards remote work during the pandemic has made this problem worse.2
Giving users built-in tools and processes that make the secure path the easy path is essential, but this remains a challenging area. Ideally, users are equipped with the knowledge and tools to avoid creating security vulnerabilities, and the controls that enforce security should not stop them from doing their jobs efficiently.
Prioritizing security as a “way of working” is a multi-faceted approach, as discussed in an earlier post in this series. An organization’s culture, its leadership, and the right security team create the larger structure to build on, but the specifics matter: how the culture is developed and how users behave around security in their day-to-day work. Every company should have three foundations in place:
- Training, training and more training: keeping security top of mind for employees and updating them on current threats makes them more effective on the front line and builds a security culture. A key to success is training that is engaging and fun. Encouraging employees to be active participants, for example through gamification, helps them understand and retain the material and motivates them to do their part.
- Security policies and procedures: robust security policies, backed by training programs, are effective tools for educating employees and other stakeholders about likely threats and how best to avoid them. They also reinforce the culture and encourage users to be partners in security.
- Personal and professional safeguards: it is a balancing act to give users robust security without making it such a blocker that they circumvent it to get their work done. Users need realistic choices. The two most important “must haves” in this area are enforced patch and update management and multi-factor authentication (MFA), ideally with a hardware authentication token. MFA is one of the most effective single controls against common credential-based attacks such as phishing and password reuse, and a hardware token that binds the login to the legitimate site (FIDO2/WebAuthn) also defeats phishing of one-time codes sent by SMS or an app.
Strategy 5: Assess, reassess, and evolve
As technology expands and evolves, so do potential security issues. Cybercriminals are constantly seeking, and finding, new ways to breach systems. Regulations change, and as companies expand to operate globally they become subject to additional regulatory jurisdictions. The external landscape changes as well; a significant recent example is the mass shift to remote work during the pandemic. Technology providers must therefore continuously assess, reassess, and evolve: by prioritizing security as a way of working throughout the organization, implementing industry and regulatory standards, employing current best practices, and providing users with security options that work for them, not against them.
System and data security in advanced therapies are significant responsibilities, especially when supporting patients, healthcare providers, and the delivery of life-saving treatments. Personal health information, including biological data, is often considered more valuable than other personal data such as credit card numbers, and has been reported to be worth over 300 times more on the black market.2 The valuable intellectual property that underpins life-saving treatments has made the biopharma sector a top target for cybercrime. To protect patient safety and privacy, and to keep biopharma companies able to develop and bring therapies to market, all stakeholders in the technology supply chain, from providers to end users, must build and maintain security as a way of working.
Standards and regulations can help enforce a practice of security and privacy, but they cannot enforce a culture of security. Nor can security be an exercise in chasing a “gold star” certification against a regulation or a standard. Regulations often cannot evolve as fast as cybercriminals and technology do. Fundamentally, the work of safeguarding data and digital assets cannot be the responsibility of the CISO or the security department alone. Many attacks prey on unsuspecting people, and any system is only as strong as its weakest link.
Security and privacy must be seen as a business imperative, driven by a culture that has to percolate through all aspects of the business ecosystem and all stakeholders, from suppliers to end users. It is an ever-evolving, constantly learning, course-correcting initiative that needs the appropriate resourcing and executive sponsorship to prevent as well as quickly recover from an attack. In the end, advanced security and privacy are a core component of developing advanced therapies, and are essential to the success and scale of these new treatments.
1. Hancock, Jeff. The Psychology of Human Error: Understand the mistakes that compromise your company’s cybersecurity. Stanford University and Tessian. https://www.tessian.com/research/the-psychology-of-human-error/
2. Smith, Jonathan. Biotech Startups Face a Growing Wave of Cyberattacks. Labiotech.eu, 21 October 2020. https://www.labiotech.eu/in-depth/cyberattack-biotech-startups-covid/