A Link To Ponder: Pharma Digitalization – Cyber Threats – Cyber Immunity

Digitalization in the pharmaceutical industry – slowly but steadily, across its various domains, from drug discovery, clinical development, supply chain, sales and marketing to engage with various stakeholders, is a reality today. Consequently, the concept of data as a business asset, is fast taking the center stage, being the nerve center of the business. It encompasses, conceiving data requirement, generation of a massive pool of credible data accordingly, their analysis and finally – putting a robust data security system in place, against any kind of theft or misuse.

While digitalization of pharma business, helps transform the company to an all-time ready and an agile customer-centric business entity, with one ear always listening to customers to delight them with its deliverables. Conversely, the other ear is on its employees with a similar objective. This is a difficult task and mostly involves disruption of status-quo within the organization, but often produces game changing outcomes for the business, as is known to many.

Which is why, one sees a good number of people around, offering expert digital services for the pharma industry – along with a hope of a never before improvement in the future organizational performance. So far so good, but this transformation process also invites a huge technology-related threat to business – ‘Cyberthreat.’ In this article, I shall focus on the critical need of taking guard against this threat, as is often advised by all well-qualified domain experts. This risk is expected to increase further, as the technology keeps advancing.

Although, I had deliberated on Cybersecurity in my article, ‘Exigency of Cybersecurity in Digitalized Pharma,’ in a different context, before delving into the core point of today’s discussion, let us together try to recapitulate what does ‘Cyberthreat’ mean to us, in the real world.

Cyber-threat in the digitalized business:    

Let me paraphrase, especially in context of the pharma industry, what the Cybersecurity and Infrastructure Security Agency (CISA) of the Government of the United States, has stated. It articulates, ‘Cybersecurity’ or ‘Cyber threats’ to a control system, refer to the attempts of unauthorized access to a control system device and/or network using a data communications pathway.

This access can be directed from within an organization by trusted users or from remote locations by unknown persons using the Internet. Threats to control systems can come from numerous sources, including disgruntled employees, and malicious intruders. To protect against these threats, it is necessary to create a secure cyber-barrier around the Industrial Control System (ICS).

Many sources indicate that the threat to cyber security in business, is often triggered to gain access to a company’s digital system to damage or steal data, or even to rattle its digital infrastructure for accomplishing a specific purpose.

Rapid digitalization in pharma may attract more cyber criminals:

According to a senior official of Kaspersky - a global cyber security company: “As rapid digitalization penetrates the healthcare sector, cyber criminals are seeing more opportunities to attack this lucrative and critical industry, which is honestly not equipped enough to face this virtual danger.”

The company further emphasized, with systems are now interconnected and mobile devices extensively used, both for remote access and for data sharing, digitalization in pharma increasingly exposes the organizations to both generic and targeted attacks. Thus, ‘creating Cyber immunity’ to ensure a powerful safeguard against such threats, becomes a top priority area in the digital transformation process of the drug industry.

Interestingly, way back in 2012, another report had also cautioned: ‘Cybercrime costs economy billions annually, with pharmaceutical and biotech companies among the hardest hit.’

Evidences of Cyber-attacks on pharma across the world:

There are numerous evidences of Cyber-attacks on the pharma players, globally. Such as, in June 2017, The Washington Post reported, US-based global pharma major, was among dozens of businesses affected by a sprawling cyberattack, with victims across the globe facing demands to hand over a ransom or have their computer networks remain locked and inaccessible.

Another report of December 13, 2017 wrote, by the third quarter of the year, ‘Merck had a better idea of the financial tab from the attack. While it generally had a very solid quarter, the results were dampened by the impact of the attack. There were $300 million in lost sales and costs.’

The Deloitte paper, titled ‘Cyber & Insider Risk at a Glance: The Pharmaceutical Industry’, also reiterated, the evidence abounds that pharmaceutical companies are the target of sophisticated Internet criminals. Serious cyberattacks are taking place even in the most advanced countries, including the US, Europe and Japan.

In the US, besides Merck, hacking has taken place against other major pharma and medical device makers, such as, ‘Boston Scientific, Abbott Laboratories, and Wyeth, the drug maker acquired by Pfizer Inc. The same group successfully hacked the Food & Drug Administration’s computer center in Maryland, exposing sensitive data (including formulas and trial data) for virtually all drugs sold in the US,’ the paper revealed.

The real impact of the attack often doesn’t come out:

Outside world often doesn’t get to know about the comprehensive impact of numerous cyber-attacks for various reasons. Some of which may include, it’s possible aftermath on both the corporate image and also the brands, besides share prices. At the same time, the situation may prompt many to question the company’s capability to protect its business in the digitalized world.

The key reasons:

As the 2018 Data Security Incidence Report highlights, healthcare-led all industries accounted for around about 25 percent of more than 750 reported incidents, in volume. As identified by Kaspersky from various cyber-attack techniques and behavior of cyber-criminals, on the digital infrastructure of pharma players, let me paraphrase below the three key motivators, besides a few others:

  • Getting Intellectual Property (IP) related strategic details, including R&D, unpublished clinical trial results and formulation development processes.
  • Detailed business plans for pre-identified products.
  • Or, may even be for ransom.

Where does India stand?

According to reports, India ranks 6th for highest cyber-attacks on pharmaceutical companies. Nearly 45 per cent machines in the Indian pharmaceutical organizations more than four in 10 devices were detected with malicious attempts. Ahead of India features - Pakistan (54 per cent), Egypt (53 per cent), Mexico (47 per cent), Indonesia (46 per cent) and Spain (45 per cent).

Such attacks are taking place even in India, as cyber-criminals “are slowly realizing that pharmaceutical companies house a treasure trove of highly valuable data such as the latest drugs and vaccines, the newest researches, as well as medical secrets,” the report says.

Likewise, another article, published in Health Issues India, on September 17, 2019, made some interesting points. The article is titled, ‘Cyberattacks: A crisis in Indian pharma?’ It flagged in the following three areas, in this regard:

  • Numerous cracks exist in the cyber-security armor of Indian pharmaceutical companies.
  • Just five to ten percent possess security systems strong enough to protect information from hackers.
  • And many do learn about a breach for several months.

Quoting a top expert, the paper reemphasized that generally in the Indian pharma companies “current systems don’t have security control and visibility in place to immediately detect the attack and respond on a real-time basis.” Thus, ‘it is unsurprising that Indian pharma has been so hard hit by cybercrime,’ the article further commented.

Conclusion:

Echoing many others, Booz Allen also advised in its article – ‘Understand the risks, and stay ahead of the game.’ This is a critical requirement in the digital age. Although, most pharma companies agree on the possibility of huge business losses from a cyber-attack, the industry continues to lag behind other industries when it comes to cyber-security implementation, the paper reiterated.

On the other hand, just strengthening a company’s IT systems, alongside an installation of powerful anti-virus software may still not be enough. Nor will it be adequate to working closely with the vendors who help protect cyber-security of the digital infrastructure of various companies. Even a robust system of forensic audit and analysis and reevaluating cyber-security protocols on an ongoing basis, may not be able to prevent cyber-attacks.

This is primarily because, a company is run, managed, looked after and cared by its employees. Although, it always remains the endeavor of any company to hire good, trustworthy and high performing employees, it does not always happen that way. It is also equally possible that some of them, at some time, for some reasons, may misuse the digital network for others or personal gain.

Thus, besides putting in place all other safeguards, as stated above, to attain desirable ‘Cyber-Immunity’, it is crucial for the organization to ensure buy-in of each employees a vital concept. This is – protecting cyber-security is everybody’s responsibility in a digital business framework, both individually and collectively. The process should start from the CEO and percolate down to the lowest rung in the ladder of hierarchy.

Hence, the reality is – ongoing digital transformation process of the pharma business would open the door of cyber-threats – often leading to crippling cyber-attacks. Thus, developing a comprehensive and strong cyber-immunity framework becomes essential for the organization. From this perspective, right from the start of this process – and not later on, drug companies need to ponder over the critical link between digitalization and cyber threats to provide adequate cyber immunity to its digital systems, for game changing outcomes.

By: Tapan J. Ray   

Disclaimer: The views/opinions expressed in this article are entirely my own, written in my individual and personal capacity. I do not represent any other person or organization for this opinion.

 

Exigency of Cybersecurity in Digitalized Pharma

Digitalization – as it unfolds and imbibed by most drug companies, is presumed to herald a whole new ballgame in the Indian pharma business. Equally significant is the quantum benefit that the process will deliver to pharma stakeholders – right from drug companies to patients. It has already hastened the process of new drug discovery and will also help charting newer ways to meaningfully engage with stakeholders, besides enhancing treatment outcomes for patients, appreciably.

However, the flip side is, more benefits a company accrues from digitalization, greater will be the risks of cyber-attacks. Thus, preventive measures should also be equally robust. Otherwise, hackers can bring a company’s digital system to a standstill, causing not just a temporary loss in revenue and profit, but also valuable data leak, with considerable impact on even long-term business.

Strangely, associated risks of digitalization to pharma companies are seldom outlined in any discussion, leave aside alternatives for salvaging such untoward situation, if or as and when it comes. Unless, it is felt that the scope of such discussion doesn’t cover the implementors and falls totally on cybersecurity experts.

Nonetheless, it is intriguing in the pharma space. The reason being, pharma industry believes, while talking about the efficacy of any drug, its vulnerability in terms of side-effects, contraindications or drug interactions, should also be known to its users. That’s the purpose of a packaging leaflet. It’s a different reason though, that most drug companies in India have virtually jettisoned this practice as a cost saving measure, even for drugs that are not under price control. That apart, in this article, I shall explore the relevance of cybersecurity in the digitalized pharma world.

A question that help understand its implication:

During organizational transformation through digitalization in pharma, just like any other business, all crucial documents get transferred from paper to digital formats. The key question that follows in this regard is – what happens to these digital documents post cyber-attacks, if any? Any attempt to answer this question holistically will help people realize its implication – that ‘cybersecurity must be more than an afterthought.’

‘Cybersecurity must be more than an afterthought’:

The article, ‘Cybersecurity in the Age of Digital Transformation,’ published by MIT Technology Review Insights on January 23, 2017, stressed upon this critical point. It highlighted: “As companies embrace technologies such as the Internet of Things, big data, cloud, and mobility, security must be more than an afterthought. But in the digital era, the focus needs to shift from securing network perimeters to safeguarding data spread across systems, devices, and the cloud.”

Thus, while discussing the need to digitally transform a company’s business, cybersecurity must be part of that conversation from the very start – the paper underscored in no uncertain terms. That’s exactly what we are deliberating today - ‘as companies embark on their journeys of digital transformation, they must make cybersecurity a top priority.’

The cybersecurity threat may cripple innovation and slow business:

Cisco explored the concept of Cybersecurity as a Growth Advantage by a thought leadership global study. While assessing the impact of cybersecurity on digitalization, it surveyed more than 1,000 senior finance and line-of-business executives across 10 countries. Some of the key findings, as captured in the Cisco report, may be summarized, as follows:

  • 71 percent of executives said that concerns over cybersecurity are impeding innovation in their organizations.
  • 39 percent stated that they had halted mission-critical initiatives due to cybersecurity issues.

Interestingly, 73 percent of survey respondents admitted that they often embrace new technologies and business processes, despite cybersecurity risk. However, as we shall see below, pharma executives are quite confident of cybersecurity, probably because of inadequate experience in this area, as on date.

Companies are struggling with their capabilities in cyber-risk management:

The paper published in the May 2014 issue of the McKinsey Quarterly journal, titled “The rising strategic risks of cyberattacks”, also flagged this issue. It said: “More and more business value and personal information worldwide are rapidly migrating into digital form on open and globally interconnected technology platforms. As that happens, the risks from cyberattacks become increasingly daunting. Criminals pursue financial gain through fraud and identity theft; competitors steal intellectual property or disrupt business to grab advantage; ‘hacktivists’ pierce online firewalls to make political statements.”

McKinsey’s research study on the subject, conducted in partnership with the World Economic Forum also upheld that companies are struggling with their capabilities in cyber-risk management. As highly visible breaches occur with growing regularity, most technology executives believe that they are losing ground to attackers. Its ongoing cyber-risk-maturity survey research also ferreted out the following important points:

  • Large companies reported cross-sector gaps in their risk-management capabilities.
  • 90 percent had “nascent” or “developing” ones.
  • 5 percent was rated “mature” overall across the practice areas studied.

Interestingly, the research found no correlation between spending levels and risk-management maturity. Some companies spend less, but do a comparatively good job of making risk-management decisions. Others spend vigorously, but without much sophistication. Even the largest firms had substantial room for improvement – McKinsey reiterated.

‘Corporate espionage’– a prime reason behind cyberattack on pharma:

An interesting article appeared in The Pharma Letter on July 18, 2017 on this subject. The paper is titled “Cyber-attacks: How prepared is pharma?” It said:“The pharmaceutical industry is a prime target for hackers. In 2015, a survey of Crown Records Management revealed that nearly, two-thirds of pharma firms had experienced breaches in data, and that one fourth of these same companies had been victims of hacking.”The paper also highlighted ‘corporate espionage’ as one of the prime reasons behind hacking.

In view of this, the author articulated that the need for pharma and healthcare companies to fortify their security systems has become clear in recent years. The best method of protection is to prevent cyber-attacks from happening, or at least reduce the risk of a hack, he advised.

Instances of cyber-attacks in pharma are many:

To drive home the point that when firms and other organizations fail to strengthen IT systems against attacks, they incur high costs -the above paper cited an example from the year 2016. It said: “The average global cost of data breach per stolen record was US$ 355 for healthcare groups, higher than losses in other fields such as education (US$ 246/record), transportation (US$ 129), and research (US$ 112).”

The author further emphasized that besides financial losses, pharma companies and other healthcare groups risk losing the trust of patients and other stakeholders. With the ongoing digitization in pharma, new threats may become even more pervasive and sophisticated. “Thus, investment in cybersecurity must be a priority, if pharma players are to protect their data and the data of their stakeholders”, he added.

Are pharma executives experienced enough on cybersecurity?

As reported by Pharma IQ on July 31, 2018, one of its recent surveys found that around 70 percent of senior pharma decision makers are “confident” or even “very confident” in their company’s IT security. But, digging deeper, the survey uncovered that:

  • 42 percent of respondents’ companies do not routinely follow IT security policies,
  • 49 percent said that the corporate risk profile is not firmly understood across all departments.

The survey concluded that this could potentially lead to gaps in the security process. To me it appears, this could, as well, be due to inadequate experience of pharma executives in this area.

But, investment in pharma IT is increasing:

The good news is, even in the current scenario, many pharmaceutical companieshave started making investments in IT solutions, in general. This is corroborated by the 2018 survey by Global Data. Some of its important findings are, as follows:

  • 79 percent of them are currently making investments in identity and access management (IAM) solutions
  • 72 percent are considering investment in the solutions over the next two years.
  • 75 percent of the respondents are currently deploying some form of backup, archiving, alongside content and web filtering solutions to store, as well as, preserve their online information. 

Conclusion:

In pharma perspective, digitalization of business promotes paperless culture. It radically changes the basic infrastructure of maintaining critical documents in the workplace. Digital document storage systems become the nerve center of information on the company. All data – strategic or related to operations – internally generated or acquired – right across all critical functional areas, such as IP, research, clinical trials, manufacturing, sales and marketing, finance, supply chain legal and even of the CEO’s office, find a space in this digital data sever.

Although, the benefits of digitalization are well known and much discussed, it has a contraposition, as well – related to the vulnerability of the system to cyber-attacks. This flags a demanding need for protection of digitally stored assets from cyber-attacks, or to frustrate even any misdemeanorfrom amateur hackers. Thus, creating an almost impregnable, well-firewalled digital data storage server assumes prime importance. Equally important is formulating and religiously implementing a robust digital policy for the same.

Creating strong awareness among employees and stakeholders regarding cybersecurity and involving them in tandem with a system-approach, sans an iota of complacency, is expected to mitigate such vulnerability, appreciably. Thus, a sense ofexigency for cybersecurity in the digitalized pharma world, I reckon, is very real.

By: Tapan J. Ray   

Disclaimer: The views/opinions expressed in this article are entirely my own, written in my individual and personal capacity. I do not represent any other person or organization for this opinion.

Innovative use of the new-age ‘Social cyber-media’ as a pharmaceutical marketing tool has the potential to open a goldmine of opportunities.

The new-age marketing tool:
With more and more doctors not giving adequate time and even showing reluctance to meet the medical representatives and the important hospitals following suit, the global pharmaceutical companies are now in search of new marketing tools.

To get the marketing communications across to important target audiences, many of them have started experimenting, quite seriously, with the digital world. Effective networking media like ‘Facebook’ , ‘YouTube’, ‘MySpace’ and ‘Twitter’ are showing promises to become powerful online pharmaceutical marketing tools. Recent report of Pfizer’s new RSS feed and the plan for a unique ‘Pfacebook’ site for internal communication perhaps is an important step towards this direction.

Global pharmaceutical companies have already started ‘testing the water’:

Some global pharmaceutical giants who have already started using this new age media for pharmaceutical marketing are as follows:

1. Bayer uses ‘Facebook’ page to promote its Aspirin for women

2. Merck is using ‘Facebook’ to promote its cervical cancer vaccine, Gardasil

3. GlaxoSmithKline is using ‘YouTube’ for ‘restless-legs syndrome’ awareness film. The popularity of this video spot perhaps has prompted the company to come out with its own ‘YouTube’ channel last year with a name, ‘GSKvision’.

4. AstraZeneca is also using ‘YouTube’ for their anti-asthma drug Symbicort

5. Johnson & Johnson and Novartis use ‘blog’s, ‘YouTube’ and ‘Twitter’ to channel patient groups and deliver news.

Why have these pharmaceutical companies started using the social media as a marketing tool?

This is because social media like, ‘Facebook’, ‘Twitter’, ‘YouTube’ etc. provide a very important platform towards patients’ outreach efforts of the pharmaceutical companies exactly in a format, which will be preferred by the target group.

With the new-age social media these companies are now joining communities to begin a dialogue with the important stakeholders. It has been reported that some of these companies have already created un-branded sites like, silenceyourrooster.com or iwalkbecause.org, to foster relationship with patients’ group through online activity, the contents of which have been generated by the users themselves of the respective social medium. With the help of click-through links these sites lead to the branded sites of the concerned companies.

As reported by TNS Media Intelligence, internet media spending of the global pharmaceutical companies had increased by 36% to US$137 million, in 2008, which is significantly higher than their spending in Television advertisements.

Why is the entry of pharmaceutical companies in the new-age social media so slow?

Pharmaceutical companies are currently delving into marketing through cyber media with a very cautious approach, though the new social media will become more central to many global marketing strategies in not too distant future. The cautious approach by the pharmaceutical companies is primarily due to evolving regulatory requirements in this new space

In the USA, very recently the FDA cautioned the major players in the industry to refrain them from publishing any misleading communication through social media. This is primarily because of absence of any published guidelines for online pharmaceutical marketing. How to use this powerful social media for maximum marketing and other benefits will indeed be quite a challenging task, at this stage. Many pharmaceutical companies are, therefore, slow to use the social media to the fullest extent.

Not only in the USA, there are no specific regulatory guidelines to promote a pharmaceutical brand or create brand awareness through these media in most of the countries of the world, including Europe and Japan. In this much uncharted territory, as there are not enough foot-steps follow, the pharmaceutical companies are now just ‘testing the water’. Most probably to fathom how far regulatory authorities will allow them to explore with this new media.

Effective use of social media is expected to be financially attractive:

Low costs associated with creating internet promotional inputs will make social media quite attractive to pharmaceutical and biotechnology companies, not only as a marketing tool, but also in their other outreach program for the stakeholders. The role and power of social media are expected to play a significant and cost effective role in creating pharmaceutical brand awareness and brand marketing to appropriate target segments.

‘Proof of the pudding is in the eating’:

A recent report indicates that in 2007, well reputed computer maker Dell’s ‘Twitter’ activity brought in US$ half-million in new business to the company.

Thus the innovative use of the new-age social cyber-media indeed has immense potential to open a goldmine of opportunities for the global pharmaceutical industry.

By Tapan Ray

Disclaimer: The views/opinions expressed in this article are entirely my own, written in my individual and personal capacity. I do not represent any other person or organization for this opinion.