The Importance of Cyber Security in the Pharma Industry
Great technological advances carry great risks in terms of information security. We must properly manage and mitigate them to maintain the confidentiality, integrity, availability and resilience of information. Cyber security is the practice by which we defend electronic information storage devices in order to safeguard the information they hold from malicious attacks or unauthorized access.
Sectors that deal with sensitive information, or whose activity has great value in the market, will always be the target of cyber attackers. The sophistication that cybercrime has reached in recent years complicates the prevention, detection and response efforts of companies and online medical stores in Karachi facing these threats.
The information handled by the pharmaceutical sector is highly sensitive and highly desirable on the black market of cybercrime, as it is among the most valuable and highest paid. Industrial espionage and computer piracy have reached alarming figures, which is especially critical in this sector, where research, development and financial investment are key to market positioning. Some computer security statistics indicate that the cost of a successful cyber-attack is more than 5 million dollars. Likewise, other sources estimate that the damage related to cyber-attacks will reach 6 trillion dollars annually by 2021. At the beginning of 2019 it was estimated that there would be a ransomware attack every 14 seconds during the last months of the year.
Are Pharmaceutical Companies legally obliged to invest in Cyber Security?
Cyber-attacks can be aimed at stealing personal data or business secrets.
With regard to data that can identify natural persons, the General Data Protection Regulation (Federal Trade Commission Act) and Law 3/2018 on Data Protection and Guarantee of Digital Rights (LOPGDD) are applicable. The first applies at the US level, while the second has a strictly national scope. These regulations impose a series of obligations that companies must implement in order to preserve the security of information relating to individuals. Pharmaceutical companies generally process data from employees, customers, suppliers and candidates in selection processes, and even process health data related to research studies, drug testing phases, control of reported adverse effects and patient data.
The measures that must be implemented in accordance with the Data Protection regulations cover the legal and organizational sphere as well as the technological one. The Federal Trade Commission Act does not offer the obligated party a detailed catalog of technological measures; rather, it leaves the decision in the hands of the companies by stating that measures should be applied with a risk-based approach. This requires carrying out a risk analysis to determine which technical measures are appropriate to the identified risk.
The Federal Trade Commission Act establishes penalties of up to 20 million dollars or 4% of the annual turnover of the previous year for non-compliance with the aforementioned obligations.
Business secrets, for their part, refer to information that is not generally known by people belonging to the circles in which it is used, nor easily accessible to them. In addition, it will be considered secret when it has a business value, whether real or potential, and has been the subject of reasonable measures by its owner to keep it secret.
Unlike what happens with personal data, there is no legal obligation on the company regarding the protection of its business secrets; it is the very nature of the business that requires a certain level of safeguarding. This covers data relating to any information or knowledge, including technological, scientific, industrial, commercial, organizational or financial information, business plans, pharmacovigilance reports, investigations and testing phases of new drugs, patents and know-how. Law 1/2019 on Business Secrets provides the owner of the secret with legal protection against any illicit method of obtaining, using or disclosing the information. This norm does not establish an obligation of protection, nor does it establish sanctions for the owner of the secret for lack of measures; rather, it offers legal support a posteriori by way of response, punishment and compensation against illegal acts that violate the secret. It is important to note that legal action under the aforementioned law is only possible if the company has previously taken measures to maintain the information's status as a secret.
What are the consequences of little or no Information Protection?
Damages derived from the absence of security measures can be classified as economic and reputational damages.
Economic damages: As mentioned, the Federal Trade Commission Act establishes sanctions running to millions for data protection infractions, whose economic impact can seriously affect the organization. Keep in mind that the mere fact of not implementing organizational and technical security measures appropriate to the risk is already a serious offense.
The theft, hijacking or loss of information classified as a business secret could paralyze the business, devalue the information, diminish the value of the company or even cause its definitive closure.
When a cybercriminal takes advantage of a vulnerability in a company's systems and manages to steal data, he knows that the competition will pay handsomely for the opportunity to snatch a million-dollar patent from its rivals. The competitor may not use the illicitly acquired information as is, but it can serve as a roadmap for similar developments or inventions, so that the affected company, after years of investment in its research, will see its competition grow immediately.
The cybercriminal also knows that he can choose to hold information hostage and demand a huge ransom, since the affected company could pay large sums of money for the return of the stolen information if it turns out to be critical for the business. It is necessary to point out that paying the ransom in no case guarantees the recovery of the information.
Lastly, if in the best of cases the information can be recovered, the mere temporary stoppage of the activity can lead to financial damages of high amounts.
Reputational damage: Data protection sanctions not only entail economic damage; since they are public, they can also damage reputation and cause loss of customer trust and market position. Reputational damage could be irreversible or require a significant investment in communication to recover corporate image and reputation.
Recommendations on Cyber Security
Although most technological risks cannot be eliminated, work must be done to reduce them to an acceptable level for the business. For this, it is recommended, first of all, to carry out an analysis of the existing risks in order to design the appropriate technical measures that seek to reduce the probability that the identified threats will materialize, as well as reduce the impact of possible security incidents.
Developing a Security Master Plan can be an ideal tool to reduce risks through a deep and detailed study of the company, mainly its strengths and vulnerabilities. To know more about such vulnerabilities, you should consider cyber security training.
The Master Plan must be aligned with the strategic interests of the entity and include the obligations and good practices that all employees must comply with.
It is impossible to guarantee total security, so companies must be prepared to recover from possible technological disasters. For this reason, it is also advisable to draw up a Business Continuity Plan that contains the guidelines for action in the event of a failure that compromises the continuity of business activity. These plans are essential to restore the normal operations of the company within a reasonable time. However, if you lack the experience or skills to draw up a Business Continuity Plan, outsourcing the work is always the best choice; outsourcing to a software development company offers many advantages.
It is also recommended to have an effective Data Protection Plan that documents all the procedures implemented, since, in the event of a complaint to the Spanish Data Protection Agency, it will be necessary to prove the level of compliance prior to the incident as the basis for a good legal defense.
Particular attention should be paid to employee training, as a large part of security incidents are caused by human failure resulting from lack of awareness and poor training. Constant training of staff and the development of training plans make it possible to maintain a level of alertness for issues that cannot be resolved technically, especially when cybercriminals resort to social engineering to enter systems, deceiving or manipulating users and employees to achieve their goals.
Pharmaceutical companies should, in short, develop technical projects that guarantee security, because theirs is a sector where information is a key asset for continuity and, precisely because of this, they are the perfect target for cybercrime and industrial espionage. It should not be forgotten that there are only two types of companies: those that have been attacked and those that do not know that they have been attacked.
Written By: Dr. Muhammad Shaheer Waqar