In the last decade, “big data” and “data & analytics” dominated the life sciences sector, and with increasing digitisation and liberation of data, the sharing of medical information will take centre stage going forward. But it comes with great responsibility, particularly from a security and privacy perspective, because health data is highly valued, especially by hackers.
Whilst personal identity numbers can fetch around US$15 on the dark web, personal health records are worth upwards of US$100 each because identity theft becomes more specific to the individual. The SingHealth incident, where 1.5 million patient records were exposed, goes to show no one is safe.
How can life sciences companies prevent threats to their own data and that of partner stakeholders from derailing growth ambitions and advancements in connected care? How should they tackle the shift in mindset such that cyber security becomes an enabler of innovation, rather than an inhibitor?
Security by design
In a study conducted by Forbes Insights and KPMG on cyber security in life sciences, findings indicate that whilst life sciences organisations are elevating cyber security as a strategic imperative, it is at a pace that lags behind the desired adoption of broader digital technologies. Further, according to the International Association of Privacy Professionals, life sciences organisations spend about US$8m on privacy compliance programmes annually, though it is expected to be more like US$15m for digitally-transformed companies, and upwards of US$2m for fast-growing biotechs.
“Healthcare breaches around the world are unfortunate,” said Rob Suarez, Global Head of Product Security at BD (Becton, Dickinson and Company). “But it is an opportunity for the industry to come together to make an impact. There must be continuous efforts to improve security by design, taking into account the clinical workflows and patient experience. Industry collaboration is the key to progress as there will never be enough resources individually.”
“It's a multi-faceted evolution for vertical industries like life sciences,” observed Christopher Martin, Asia Pacific Director for Access Partnership, a global technology policy consulting firm. “Not only are they improving internal systems to be more secure, but there is a realisation that engaging with other sectors and governments on cyber regulation is imperative to ensure policy does not conflict with business.”
The lack of proper cyber security programmes at the organisational level is hurting business and consumers in numerous ways. These range from the halting of clinical trials due to poor technology infrastructure and fear of intellectual property (IP) theft, to valuation concerns during mergers & acquisitions when one of the companies reveals data privacy violations, and the removal or recall of medical devices from data streaming services because of tampering concerns. Common amongst these examples are the concepts of data sharing, the Internet of Things (IoT) and, underlying it all, the people element.
Data sharing for the win
Forward-looking life sciences companies are betting their future on being integrated, data-driven service organisations rather than mere product sellers. Many are looking for new sources of data, even direct from consumers through wearables and social media. Unfortunately, as breaches have shown, whilst data is valuable and available, ineffective governance will prevent open sharing. The damage arising from data loss includes reputational and regulatory harm and, eventually, the removal of the social licence to hold such information.
“The fourth industrial revolution is data driven,” remarked Floor van der Wind, a member of the KPMG Life Sciences Digital Enablement team in Singapore. “The value of data tends to increase as digitalisation increases and organisations are starting to actively explore the possibilities of sharing data to enhance innovation and growth. One such example is Google Maps, which now serves as a platform for Google's partners to do business.”
However, laws governing data localisation threaten to undo much of the progress made in areas like telemedicine and remote servicing of medical devices, Caitlin Asjes, Director of Public Affairs for BD Greater Asia, pointed out. “Data localisation denies small and mid-sized companies the many benefits, including increased security, that come with more advanced technologies that are available when using the cloud.”
Progress in innovation for life sciences companies will see them mature from data analysis to data sharing across borders, with competitors, on the cloud and in real time. Whilst this may sound daunting for some, 76% of the participants in the Forbes Insights-KPMG study believe moving to the cloud actually improves their security profile. However, nearly half of these same executives have not increased cyber security budgets despite their knowledge of high-profile breaches.
BD's portfolio, which now includes over 200 products with embedded software, is trending toward IoT-enabled technologies, hence the laser focus on cyber security initiatives and the emphasis on medical device security and transparency. The company regularly publishes results from cyber security vulnerability assessments (CVAs) and outlines the procedures on its website. “No device will ever be 100% secure because the landscape is constantly evolving,” said Asjes. “We need to work with our customers to ensure we stay ahead of the threats.”
IoT: Interest of Thieves?
Hospital and care provision infrastructure is increasingly reliant on medical device integration, and vice versa. Thus, putting in place a secure network is in the best interest of all parties, as cyber attacks can take many forms: they can come through a medical device connected to the hospital's IT system, through inappropriate access to sensitive information, or through device tampering.
Taking a collaborative approach to cyber security and privacy is ideal and starts with the design phase. Of the companies that participated in the Forbes Insights-KPMG study, whilst 92% indicated they are integrating privacy principles during product development, only 15% conduct regular software engineer training on secure development and programming.
“Unlike information security programmes focused on preventing theft of IP or protecting a company’s internal data, product cyber security focuses on keeping devices safe when they are in the customer's environment,” shared Asjes. “We can put all the safety features in the world on a product, but if a customer chooses to write the password on a sticky note and place it on top of the device, it will never be secure. As such, medical device manufacturers not only need to ensure the safety features built into the product are practical and effective, they also need to better engage with and educate customers on protecting their device and data.”
Don't overlook the people factor
Companies are continuing to invest in cyber security, focusing on software/technology and improved governance and policies. Interestingly, of all the efforts associated with improved cyber protection for life sciences companies, only 9% of respondents in the Forbes Insights-KPMG study cited greater staffing as a priority. Additionally, just 38% conduct cyber training for leadership, 34% carry out employee response drills, and 28% host desktop drills for the IT department.
Whilst IP loss/leakage remains foremost on the minds of executives, most life sciences organisations are only able to monitor a small percentage of their employee and third-party bases. Not many are directing efforts at insider detection, which is much more difficult than tracing external threats. As such, one of the most immediate challenges is getting the relevant parts of the organisation to work under a unified approach. At BD, trained cyber security personnel are part of the business and product teams. “The goal is to empower everyone at BD to deliver the highest quality products and services,” said Suarez. “To avoid disrupting innovation, we use our existing well-defined protocols plus the embedded team approach. And this must occur from the initial design stage. For example, our R&D people are reviewing software for coding bugs and these are natural opportunities to insert cyber security discussions, and to have these same experts look for security vulnerabilities.”
Two-thirds of employee-based security threats are actually accidental rather than activities with malicious intent. In this regard, organisations must help employees understand that cyber security programmes are designed to protect them and their patients and should not be perceived as initiatives driven by mistrust of employees. Programmes that fail to create this positive position may give rise to disgruntled employees and become part of the problem they are attempting to solve.
“Our ambition for cyber security is to shift from a mentality of moving out of fear to following a plan of focus, action and multi-stakeholder engagement,” said Suarez.
What's your game plan?
Life sciences companies must evolve their cyber security programmes from “treatment” (reactive) to “prevention” (proactive). This entails integrating data security principles into the broader organisational growth strategy and, in some cases, even offering security as a service to customers.
As the recent UL certification for its flow cytometry device indicates, BD is demonstrating increased rigour in addressing cyber security because of its connection to patient safety and privacy, shared Suarez. “Cyber security is the next frontier in patient safety,” Asjes added. “We are not only responsible for keeping our patients physically safe, but also keeping their personal data safe.”
“Multi-stakeholder engagement is critical to improving the overall cyber security environment,” said Martin. “No one can do it alone. But because threats are evolving rapidly, we're seeing knee-jerk reactions from governments; implementing regulations, some of which are ill-informed. At the same time, governments are eager to hear how industries are tackling cyber security threats and incorporating those lessons into better policy responses.”
Ultimately, when it comes to cyber security, there is no substitute for good planning and management. It requires a holistic view of people, processes and technology, and cyber teams must continuously monitor and allow their programme to evolve as new cyber threats emerge. Over the years, KPMG has assisted countless clients in building cyber confidence by working with them on their cyber strategy and governance, organisational transformation, cyber defence and cyber response. Additionally, KPMG has invested in technologies and collaboration spaces where clients’ cyber security programmes, systems and readiness are put to the test.
The views expressed in this column are the author's own and do not necessarily reflect this publication's view, and this article is not edited by Health Care Asia Magazine. The author was not remunerated for this article.
Chris is the Director for the Life Sciences Practice at KPMG with a current focus on Asia markets. He is also a member of KPMG's Global Healthcare & Life Sciences practice with experience across a variety of jurisdictions and project types, such as commercial strategy, supply chain, workforce, technology, M&A, and compliance.