IT in Pharma

Countering the Information Security Risk

Pamela Campbell, Partner, Life Sciences Compliance Practice, BusinessEdge Solutions, Inc., USA.

IT breaches lead to identity theft, counterfeit drugs, low productivity and revenue loss.

Routine security procedures and regulations fall desperately short of securing a pharmaceutical company’s IT systems, putting trade secrets as well as employee and customer information at risk of devastating losses.

Electronic thieves and hackers have evolved from juveniles taking a joyride through corporate networks into organised criminals in remote regions of the world tapping into your IT systems, stealing confidential company and employee information and either selling it or using it to counterfeit drugs, commit identity theft or fraud. Hidden behind national boundaries and laws, many crime syndicates operate without fear of retaliation. Data thieves maliciously hack pharma IT systems, confident that the governments of many countries, notably those in Asia, will be unable or unwilling to extradite or prosecute them.

Consequently, security violations continue to explode in severity and number, meaning that even apparently secure pharmaceutical companies remain at risk of potentially catastrophic losses. Unfortunately, most companies do not realise the severity of these risks or how frequently they occur, as many of their counterparts choose not to report these crimes, which drastically widens the gap between the reported picture and reality.

Common security violations

Talk to any seasoned IT security professional in the pharmaceutical world and you will uncover a host of security violations, which plague companies worldwide and often originate within their own walls. Overall, employees and contract workers pose the greatest security risk to pharma and account for the majority of security violations and approximately 50% of all data thefts.

Some violations are relatively harmless, such as an employee’s kin hacking into an HR database after he spotted his relative’s user ID and password, posted next to the home PC. If malicious, the hacker could have sold employee social security numbers, home addresses, salary and other personal information to identity thieves and scalpers in moments, long before the network administrator noticed an unauthorised breach into the confidential database, tracked it to the executive’s home office, and verified the executive was working onsite during the breach.

Unfortunately, most intruders do not stumble into confidential data out of curiosity but rather seek to exploit a weakness for profit. For example, a security professional at a large pharmaceutical company in the north-eastern United States caught an IT subcontractor who was literally stealing networking equipment from a company closet and selling it on eBay. The company investigated after an internal audit revealed the missing equipment, and tracked it to the subcontractor. A subsequent search uncovered the equipment in his garage. Although subcontractors are considered a greater security risk than regular employees, this individual subcontractor was not considered a high risk, as he had passed a thorough background security check before being hired at the pharma company.

Though bold, this move is not uncommon as many pharma IT departments buy and install hardware without following company procedures, simply because servers are inexpensive and provide fast and easy fixes for bandwidth constraints. Therefore, unused equipment can reside for months in a closet or warehouse, representing a temptation to the criminally minded working inside the company.

To make matters worse, just before his arrest, the same subcontractor accessed a backdoor into the enterprise network, which he had previously created using an undocumented account, and deleted numerous files. Only aggressive network monitoring and security practices can stop a malicious, internal hacker in his tracks. Regulations and out-of-the-box security software provide only partial protection against many crimes that originate behind pharma firewalls, although they do represent an important part of a more comprehensive security framework, discussed later.

Identifying global threats

National and international crime syndicates find pharmaceutical companies especially appealing for two reasons. Pharma develops, manufactures, sells and distributes billions of dollars of drugs every year. Pharma companies also maintain personal information on thousands of employees and clinical trial participants—a valuable commodity for identity thieves.

Common incidents like a stolen laptop or lost magnetic storage tape can lead to costly losses, as thieves seek any opportunity to seize classified and proprietary information. Information on drug distribution channels now represents an open door for thieves and a potentially catastrophic risk for the pharmaceutical industry.

Organised crime now routinely exploits pharma operational weaknesses to infiltrate pharma IT systems and seize lucrative prescription drug data so they can resell the drugs on the black market. Crime syndicates now use hackers to extract data that they can use to steal drugs, often replacing them with counterfeits that are sold to pharmacies and eventually patients. Recent counterfeit drugs include life-saving anti-rejection, cancer and diabetic medications as well as popular drugs, such as Viagra and Cialis. Knock-off or counterfeit drugs are often sold on the Internet as well as the black market.

Emerging threats: Using technology against pharma

Pharma risks continue to intensify with emerging technologies that provide access to company data, whether residing on remote devices or on the network. New viruses and worms are attacking cell phones and spreading quickly using wireless technology to contact compatible cell phones and install the bug. For example, Cabir is a malicious piece of code that jumps from one Bluetooth-enabled phone to another, draining the phone’s battery and searching for more victims.

New bluesnarfing viruses spread more malice as they exploit security holes in the phones to steal personal information. Another new threat, bluebugging, enables hackers to execute files that attack a victim’s phone from another phone. Meanwhile, bluejacking intrudes upon the user’s privacy by forcing long messages onto the victim’s phone without requesting permission.

Instant Messaging (IM) within the pharma walls is not immune to security breaches, as viruses have been penetrating networks through IM and stealing data or planting malicious rogue code.

Designed to streamline inventory management and secure distribution, RFID has now become a target of thieves who have learned how to break into and corrupt the RFID tag, enabling thieves to swap the products for counterfeits or less valuable products.

Initially, RFID appeared poised to prevent counterfeit drugs from compromising shipments by authenticating each product, unit, case and pallet repeatedly throughout the distribution chain, via embedded RFID tags and scanners. Now RFID has become a target of savvy thieves who have learned how to break into and corrupt the numbering scheme on the shipment or product and thereby swap good drugs for counterfeit ones without being detected.

Establishing a line of defense

Even though the pharma companies cannot protect themselves against every virus or new attack, they can ward off some threats by aggressively pursuing available security measures. The pharma industry can also minimise losses by deploying appropriate procedures and technologies to catch violations in progress, identify areas breached and work to fortify them against further attacks.

However, security measures for many pharma companies stop at the research and development department. Pharma recognises the need to protect drug formulas and routinely blocks off access to labs and related classified data. Unfortunately, it has yet to apply the same due diligence to its overall network or fully grasp the potential damage security violations can cause to manufacturing and the business.

The pharma industry should establish a security framework for the entire organisation, which implements procedures and technology for securing data, improving data recovery, defining and restricting data access, as well as user training. Securing the physical equipment represents an important first step and related best practices should extend to all IT hardware and software, including remote devices.

Start minimising risks now

Enhancing security can begin with simple, ongoing practices, such as installing and updating antivirus software, spam and pop-up blockers and monitoring the internal network and ancillary devices for suspicious activities. Conducting routine inventory and asset management audits is another routine practice that can help pharma identify vulnerabilities and breaches. Pharma should also immediately leverage existing technology to identify and trace all authorised access to the data and immediately notify officials of unauthorised access attempts as well as breaches. Data recovery measures should be in place to recover any data lost through a user, application or network problem.

Putting regulations to work

National and international regulations provide the first line of defense against security threats, making compliance with voluntary standards, as well as government mandates, a cornerstone. Asian pharma can start with the Japanese Ministry of Health’s Guideline on Control of Computerised Systems in Drug Manufacturing. Another key regulation for South Asian facilities originates in India from the National Good Laboratory Practice (GLP) Compliance Monitoring Authority, Department of Science and Technology. Since many pharma companies span multiple borders, they should also abide by national regulations within each operating region. Therefore, the pharma industry should track and support recommendations from the Council of Europe Convention on Cybercrime. This Convention presents the only legally-binding, multilateral regulation addressing computer-related crime.

Another important global source is the International Standardization Organization (ISO), which regularly develops new standards that, though not legally binding, receive widespread adoption on a global basis. Standards within the 17000 series lay a good business practice foundation for network security, with the ISO/IEC 17799:2005 defining a code of practice for information security management.

Even though these standards and regulations represent a great starting point for building a security framework, they cannot alone provide the protection companies need, as they cannot provide the evidence needed to successfully prosecute cyber criminals nor can they guarantee protection to all pharma assets at all times.

The effectiveness of security measures and regulations revolves around the pharma industry's ability to monitor their implementation and effectiveness while proactively monitoring IT resources. In addition to deploying network monitoring software, IT staff must continually monitor the network for unauthorised access, security breaches and any abnormal activity. All pharma employees should be trained to recognise abnormal behaviour by their peers and understand the reporting process.

Balancing security needs and costs

Numerous software packages and tools claim to protect IT from security breaches. Instead of randomly deploying security tools and hoping they block intruders, identify breaches and prevent unauthorised network access, companies would better protect their resources by devising an end-to-end strategy before implementing new technology solutions. Pharma companies should perform a detailed risk analysis that evaluates impending threats against:

  • Attack probability
  • Potential loss
  • Remediation costs
  • Long-term impact to business goals
  • Damage to reputation
  • Liability to litigation

Studying each threat in terms of its organisational impact can help the pharma company identify vulnerabilities that it could easily overlook. For example, failure to prevent access to shipping information could make it easier for organised crime to swap drug shipments with counterfeit drugs. Substituting life-saving medication with a look-alike could result in serious harm or death, which would expose the company to hefty lawsuits if a court rules that the company did not take adequate measures to protect its shipping information.

After analysing risks, the pharma company can determine how to allocate available financial and human resources, as it will probably not have adequate funds to counter every potential threat with software and personnel. The company must address internal risks as well and can implement policies that minimise risks of employee theft, such as background criminal checks, reference checks, routine asset and inventory management and ongoing network monitoring.

Pharma companies face many of the same security risks confronting other large companies, ranging from theft of sensitive information to theft of IT equipment. However, the nature of the business and the value of pharmaceuticals intensify these risks by attracting sophisticated crime syndicates as well as disgruntled employees who can use stolen information to hijack drug shipments and replace them with dangerous counterfeits. Management must provide leadership that “does the right thing,” beyond the traditional confines of ROI, and even well beyond the boundaries of the company itself, to include partners, suppliers, customers and communities. Pharmaceutical companies can’t just buy security, but must genuinely buy into security.