Everything you knew about security no longer works, but everything you knew about security can – and does – still apply. That’s an unnerving concept, but it’s something no company – most certainly not life sciences companies – can afford to avoid.
By Will Clark, Managing Associate Partner, Cybersecurity
Let’s briefly review what we know about the life sciences industry in terms of the plethora of data coming at it and how that impacts security.
Firstly, the geographically dispersed nature of the industry means life sciences companies depend on affiliates to keep local product information up to date. But those affiliates are not necessarily adopting the same strict approach to security, and so companies end up with a fragmented and riskier approach to how their data is managed around the world.
Secondly, there is the proliferation of external content that’s coming at them – from partners and providers, from customers, including through social media, and other sources – and they need to be able to determine the security profiles necessary for handling this data, while remaining agile.
Thirdly, as life sciences companies seek to build their relationships with patients to drive better health outcomes, the question is how do they establish that dialogue in a secure yet open way?
On the Scent for Threats
So when I say the security landscape for the industry has changed radically, I mean not only must companies consider these specifics, they must also take into account the opportunities for far more aggressive and pervasive security attacks.
Today, automated processes set up by hackers looking for security holes in computer systems have become so pervasive that traditional scanning tools are just not going to be enough to keep threats at bay. Those tools provide only part of the solution; you must also have intelligent examination of the activity within your system, looking for uncharacteristic behavior. For example, is your system being accessed outside a time of day you would expect, or is a file you’re receiving abnormally large? That could be evidence of a threat in action.
Here’s a scenario most will be familiar with. You have an affiliate in Brazil working on a submission and they send information back that’s six times the size of a normal file. Have they done this before? Does it make sense? How do you know what’s being sent back to you? Given that affiliates can be erratic in how and when they send information and how they bundle that information, how do you ascertain whether that’s a risk?
Encryption in an Unsecure World
With these uncertainties to consider, you need to be extra vigilant. You must have identity validation in your systems that ensures authentication and non-repudiation of the files, so what was sent and what was received are provably the same thing. That means paying more attention to your encryption standards in the system.
Encryption is becoming more important. In the healthcare industry, for example, messages sent across email servers are encrypted, and that’s a good start, but you can also derive cryptographic hash values from your encrypted file and compare those hash values at the start and the end of a file being sent. If the hash values change in transit, there’s a good chance someone has injected something suspicious along the way.
The problem is it’s cumbersome and until recently, it wasn’t considered necessary, except perhaps when dealing with government secrets. Now, however, with automated “bots” constantly probing for vulnerabilities, there’s a much greater risk that data will get tampered with in flight. Encryption is not just there to protect the content but to prove the content is unchanged through the process of transit.
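The hash comparison described above, as an added example that is not part of the original article: the sender records a SHA-256 digest of the encrypted file plus an HMAC tag over it, and the receiver recomputes both. The shared key, file name and sample bytes are constructed assumptions; the keyed tag is included because a bare hash that travels with the file can be replaced along with it.

```python
import hashlib
import hmac
import io

CHUNK = 64 * 1024  # read in chunks so large submissions are never held in memory


def sha256_hex(stream):
    """SHA-256 hex digest of a binary stream."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


def _tag(name, digest, key):
    # The keyed tag binds the file name and digest to the holder of the key.
    return hmac.new(key, f"{name}:{digest}".encode(), hashlib.sha256).hexdigest()


def make_manifest(stream, name, key):
    """Sender side: digest taken before the file leaves."""
    digest = sha256_hex(stream)
    return {"name": name, "sha256": digest, "hmac": _tag(name, digest, key)}


def verify(stream, manifest, key):
    """Receiver side: returns 'ok', 'content-changed' or 'manifest-forged'."""
    expected = _tag(manifest["name"], manifest["sha256"], key)
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return "manifest-forged"
    if not hmac.compare_digest(sha256_hex(stream), manifest["sha256"]):
        return "content-changed"
    return "ok"


# Constructed sample data: a stand-in for an encrypted submission and a shared key.
KEY = b"constructed-demo-key"
SENT = b"\x00ciphertext-of-affiliate-submission" * 1000


def demo():
    manifest = make_manifest(io.BytesIO(SENT), "submission.enc", KEY)
    clean = verify(io.BytesIO(SENT), manifest, KEY)
    altered = verify(io.BytesIO(SENT + b"injected"), manifest, KEY)
    # File and bare hash both replaced in transit: the hashes agree, the tag does not.
    swapped = SENT + b"injected"
    forged = dict(manifest, sha256=sha256_hex(io.BytesIO(swapped)))
    bare_hash_agrees = forged["sha256"] == sha256_hex(io.BytesIO(swapped))
    return clean, altered, bare_hash_agrees, verify(io.BytesIO(swapped), forged, KEY)
```

An HMAC with a shared key gives integrity and authentication only; non-repudiation requires the sender to sign the digest with a private key that only they hold.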
Protecting the Crown Jewels
Life sciences companies are the sum product of their intellectual property, and that IP is built not just internally but with partners and others, and so interconnected relationships are increasingly integral to the success of the business. But with more data sharing there is also greater opportunity for backdoor advanced persistent threats (APTs). These APTs get into your system and hide, and watch, and that’s how IP gets stolen. As these threats become greater and more persistent, the imperative to protect your data grows. The question you need to ask is, are we doing enough?