Life sciences firms’ increasing use of sensitive consumer data, valuable intellectual property, and high turnovers make them a potentially lucrative target for cyber criminals. Where cyber-attacks are successful, the cost of damages can be severe; according to IBM, the average cost of a data breach in the pharmaceutical sector (opens a new window) in 2023 was $4.82 million, and was $10.93 million in the healthcare sector.
The below provides some detail around the potential implications of a cyber-attack for life sciences firms, and offers some guidance for proactive cyber risk management.
Intellectual property theft
For brick-and-mortar business, physical assets such as goods and premises play an important role in the company’s value. For life sciences firms, this is not the case. Rather, it is their intangible assets – such as intellectual property (IP) (opens a new window), patents, copyrights, trademarks, and proprietary technology – that are of highest value.
Theft of IP represents an existential threat to any life sciences firm, no matter its size. Following a successful theft, firms may find that critical IP is in the hands of a competitor. What’s more, the affected firm may not realise a theft has taken place until it is already too late. Competitors may use the stolen IP to bring a product to market faster, to innovate a more advanced product, or undercut profit margins. In all cases, the victim of the cyber-attack could lose all competitive advantage in the marketplace, leading to unrecoverable losses.
There may also be indirect losses as a result of IP theft, such as the violation of third-party contracts, legal costs, and reputational damage.
Compromise of personal data
The effective deployment of data analytics is a central component of life sciences growth. By collecting and processing large volumes of complex data, life sciences firms can optimise research and development, create more advanced products, and improve return on investment. Furthermore, by embedding data collection and access within consumer devices – such as sensor-based continuous glucose monitors – firms can transform the quality of care and patient outcomes.
The usefulness of personal data makes it of high value to cyber-criminals, who may seek to steal sensitive information through ransomware and malware attacks. Often, these attacks will deprive life sciences firms of access to their data, before demanding a significant ransom to secure its release.
Where firms are found to have taken insufficient steps to protect against data theft, they may be exposed to regulatory fines. For instance, UK- or EU-based firms, or firms processing the data of UK or EU citizens, may be fined under the General Data Protection Regulations (GDPR), where stolen data is classed as personally identifiable information (PII). For life sciences firms, this may include patient or volunteer medical records, or any data processed for the purposes of scientific research.
The threat of life sciences firms suffering personal data theft is likely to be exacerbated where firms participate in the sharing and exchange of confidential information with research partners.
Clinical trial data theft
The cyber risks to clinical trial software are similar to other forms of software, and include theft of personal data and ransomware attacks. However, cyber criminals attacking clinical trials may also wish to destroy or tamper with patient data. This may cause delays to the trials, and hinder the rollout of new technology or medicine. Worse, where hackers tamper with a wearable medical device, it may put a patient’s health at risk.
Notably, data does not necessarily have to be destroyed or amended for it to become invalid. Access to the data alone by a cyber-criminal may be enough to render it invalid, as signs of tampering won’t always be apparent.
Attacks on clinical trials can also cause significant financial loss for the sponsors of clinical trials, where a loss of trial data or intellectual property occurs.
A cyber-attack against a life sciences firm may involve the encryption of vital operating systems. Affected firms may be unable to continue business-as-usual operations, including research and development into new drugs, production of vital medicines, or processing of user data.
Supply chain infiltration
Typical life sciences organisations operate complex supply chains, often involving the outsourcing of specialist functions such as research and development. This creates several points of exposure that cyber-criminals may look to exploit, and which if attacked, could have knock-on consequences for the firm concerned.
For instance, the products or data provided by a supplier could be critical to the delivery of a vital drug or medicine. Should that supplier suffer a significant cyber-attack, a life sciences firm may not have the raw materials or ingredients required to continue production or meet consumer demand. Third-party suppliers are also more likely to operate outdated IT systems, or lack the technical support required to quickly combat cyber-attacks.
Once a supplier’s systems have been infiltrated, hackers may also be able to gain access to those belonging to their partner organisations.
“A ransomware attack can be nothing short of devastating for a business. It can lead to lost revenue, reputational damage, and in some cases, permanent data loss. The impact of ransomware on the cyber insurance market has been significant, too, as the number of claims made by organisations continue to grow. In Q1 of 2023, our security partners Kroll noted a 56% increase in the number of unique ransomware variants observed, with phishing continuing to lead the pack when it comes to initial access across all cases.”
Jack Bassett, Assistant Vice President, Lockton Global Cyber & Technology
Securing the life sciences against cyber threats
Given the threat facing life sciences firms, measures to limit the risk and potential damage of a cyber-attack include:
Ensure access to expert internal IT resources and external specialists to assist with implementing, monitoring, and updating technical security measures.
Implement multi-factor authentication (MFA), requiring authorised users to provide more than one method of validating their identity, whether that be a link sent via SMS or the use of an authenticator app.
Regularly test networks and systems for vulnerabilities.
Restrict access to critical data to a small number of trusted employees in order to better track points of access and minimise risk of a security breach.
Build medical devices with cybersecurity in mind from the earliest stages of design.
Conduct supply chain mapping to build out an understanding of which third parties are being engaged, the nature of the services they provide, their access to underlying data and information. This can be used to identify and remove ‘high-risk’ suppliers and partners.
Train employees to recognise and avoid common cyber threats, such as phishing emails and malicious links, and ensure they are aware of their obligations to maintain the security and confidentiality of data and information.
Create a cyber response plan to limit the impact of a cyber-attack should one occur by mobilising ‘first responders’ and proceeding with containment activities.
Cyber insurance for life sciences firms
A well written cyber insurance policy provides you with a risk transfer solution to protect your business against damages associated with a cyber-incident, including both first party and third-party coverage, as well as access to incident response experts:
Practical support in the event of a data breach, including forensic investigations to identify what went wrong and whose data has been put at risk. We also provide support and legal advice on notifying clients and regulators and can introduce you to post incident public relations support.
Compensation for loss of income should a hacker target your business and prevent you from carrying out your usual business activities.
Payment of costs associated with regulatory investigations should you breach GDPR regulations and fail to keep your client data secure.
Reimbursement for the cost of repair, restoration, or replacement if a hacker causes damage to your websites, programmes, or electronic data.
Cyber extortion protection, should you receive a ransom demand from a hacker who has hijacked your computer system.
Notably, although life sciences firms’ IP is a likely target of a typical cyber-attack, cyber insurance itself does not cover the loss of IP. Instead, dedicated IP insurance can provide cover for the revocation of intellectual property rights, liability (including settlements and damages), emergency costs, defence and investigation costs, and product withdrawal.
For more information, please visit our Lockton Life Sciences (opens a new window) page, or contact:
Darci Edwards, Business Executive of Life Sciences
T: +44 (0)117 906 5016