Wafaa Hasan, MSc, is a senior digital health and thematic analyst in the pharma team at GlobalData. Her responsibilities involve writing reports and providing insights on digital strategy across disease areas and channels. Prior to working in the digital health team, Wafaa worked in the Thematic Intelligence team at GlobalData, where she contributed to quantitative and qualitative analysis reports on disruptive themes and technologies, with a focus on pharma, healthcare and medical devices sectors. 

Lara Virrey: What are the biggest cybersecurity challenges facing pharmaceutical companies today?   

Wafaa Hasan: For biopharmaceutical companies, the primary dangers cyberattacks pose are intellectual property (IP) loss and operational disruption. Losing IP and proprietary information erodes their competitive advantage as innovations are stolen. For example, in December 2020, data related to Pfizer and BioNTech’s Covid-19 vaccine was stolen and released online. Meanwhile operational disruption at any stage of the value chain hinders output and ultimately revenue.   

Undefended breaches will always beget reputational damage and litigation risk, and recent regulation punishes the exposure of personal data more severely, so companies involved in handling sensitive personal health data, such as those conducting clinical trials, have to be aware of the dangers.  

Lara Virrey:  How can pharma companies best defend themselves against cyber threats? 

Wafaa Hasan: Due to the sensitive nature of their research, intellectual property and personal data they handle, there are several practices that pharma companies can use to effectively defend themselves against cyber threats. For instance, pharma companies can conduct regular risk assessments that determine and evaluate any potential weakness and dangers in the organisation’s systems, procedures, and infrastructure. Effective resource allocation and security measure prioritisation will be made possible by this review.   

Pharma companies can also use role-based access controls (RBAC), multi-factor authentication (MFA), and strong passwords to make sure that only authorised users can access sensitive systems.  

Conducting regular training programs for employees is crucial in any pharma organisation to educate employees about common cyber threats, phishing attacks, and encourage employees to report suspicious activities promptly. Another practice is to use security information and event management (SIEM) tools, firewalls, intrusion detection and prevention systems (IDPS), and endpoint protection. These technologies provide proactive defence against cyberattacks by being able to identify and stop threats in real time.  

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

View profiles in store

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

Submit

UK USA Afghanistan Åland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bonaire, Sint Eustatius and Saba Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos Islands Colombia Comoros Congo Democratic Republic of the Congo Cook Islands Costa Rica Côte d"Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Holy See Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati North Korea South Korea Kuwait Kyrgyzstan Lao Latvia Lebanon Lesotho Liberia Libyan Arab Jamahiriya Liechtenstein Lithuania Luxembourg Macao Macedonia, The Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestinian Territory Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Réunion Romania Russian Federation Rwanda Saint Helena, Ascension and Tristan da Cunha Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and The Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and The South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syrian Arab Republic Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates US Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela Vietnam British Virgin Islands US Virgin Islands Wallis and Futuna Western Sahara Yemen Zambia Zimbabwe Kosovo

Industry * Academia & Education Aerospace, Defense & Security Agriculture Asset Management Automotive Banking & Payments Chemicals Construction Consumer Foodservice Government, trade bodies and NGOs Health & Fitness Hospitals & Healthcare HR, Staffing & Recruitment Insurance Investment Banking Legal Services Management Consulting Marketing & Advertising Media & Publishing Medical Devices Mining Oil & Gas Packaging Pharmaceuticals Power & Utilities Private Equity Real Estate Retail Sport Technology Telecom Transportation & Logistics Travel, Tourism & Hospitality Venture Capital

Tick here to opt out of curated industry news, reports, and event updates from Pharmaceutical Technology.

Submit and download

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

Additionally, DevSecOps has been discussed for several years but will be more broadly implemented in development cycles in the coming years. DevSecOps is a software delivery model that involves introducing cybersecurity early in the software development life cycle. This means security is ingrained in the early stages of app development and involves early collaboration between developers and security teams. DevSecOps has many benefits, including improving security posture and integration, faster delivery of applications as security is already ingrained into the application, and reducing costs by identifying potential vulnerabilities and bugs before deployment.

Lara Virrey: How has the nature of cybersecurity threats to the healthcare industry changed in the past two to three years?   

 Wafaa Hasan: The rush from office-based work to remote working caused by the Covid-19 pandemic significantly increased cyber risk. The increased use of technology such as collaboration tools increased the potential attack surface for hackers, and the high speed of transition required meant that many IT security teams had insufficient time to install adequate security defences. Companies also moved more sensitive operations and information online than before, making attacks more costly.  

Malicious actors took advantage of this environment through cyberattacks such as phishing, ransomware, and supply chain attacks. Companies involved in developing Covid-19 vaccines and therapeutics became targets of cybercriminals looking to steal proprietary information about these products.  

Even after the Covid-19 pandemic, cyber risk is higher than ever, for example, in April 2023 generics drug manufacturer Sun Pharmaceuticals disclosed a ransomware attack compromising its file systems, resulting in the theft of both company and personal data.  

Lara Virrey: Is the pace of innovation in security technologies keeping up with evolving threats?   

Wafaa Hasan: Yes, although it is a constant challenge, the rate of innovation in security technology is generally keeping up with changing threats. Cyber dangers are continually changing, with new attack methods, strategies, and flaws appearing all the time. To counter these growing dangers, security technology vendors diligently create new solutions and updates. It’s crucial to remember that the cyber threat landscape is complicated and evolving quickly. Attackers frequently outsmart security systems and develop new ways to exploit weaknesses.  

There are several areas where security technologies are evolving. For instance, artificial intelligence (AI and machine learning (ML) are becoming particularly popular for incident response, given the increasing number of cyberattacks organisations must deal with every year. Automating incident response with AI makes it easier to resolve more incidents quickly, reducing the organisation’s downtime and resources required to deal with IT security.   

Behavioural analytics tools can also be used to establish baselines of normal user behaviour and identify anomalous activities that may indicate a security breach.   

Companies rushed to adopt the cloud when the Covid-19 pandemic pushed employees to work from home, which increased the attack surface area and exposed entry points for bad actors. The misconfiguration of security settings that fail to provide adequate security for cloud data is a growing problem in cloud security. Without strong security measures, cyberattackers can target those misconfigurations to steal cloud data.   

Endpoints, or entry points, are end-user devices connected to a network. Examples are laptops, smartphones, or IoT sensors and devices. The need to work remotely during the pandemic caused a proliferation of laptop endpoints connected to the cloud. 5G networks will also increase the proliferation of IoT devices as they provide greater capacity for device connection. However, more endpoints mean more entry points for attackers to exploit. Endpoint protection and zero-trust models help contain attacks and protect the entire network in the event of one endpoint being exploited.  

Lara Virrey: Are pharma companies doing enough to protect themselves against cyber threats?   

Wafaa Hasan: In comparison to other industries, news of successful cyberattacks on pharma companies are relatively uncommon. Large-scale attacks such as the NotPetya malware attack in 2017 have been a warning for the industry, with Merck & Co’s estimating that damages from NotPetya amounted to $1.4bn as the company’s supply chain backlogged.   

However, cyberattacks are still increasing in frequency and intensity, so pharma companies need to keep updating and investing in their cybersecurity capabilities, for example through the adoption of zero-trust architecture.   

Companies such as Sanofi and Johnson & Johnson are industry leaders in the theme, investing in comprehensive cybersecurity measures. However, others, such as Shanghai Henlius Biotech and Cadila have been identified as laggards in the cybersecurity theme by GlobalData, and need to do more to protect company operations and sensitive personal data.