5 Ways to Protect Your Company’s Valuable Life Sciences Data

Despite increasing cybersecurity awareness across the industry, Life Sciences firms continue to experience a significant volume of cyberattacks. Published reports indicate that the average Life Sciences data breach now costs more than $5 million, and Life Sciences and Healthcare organizations perennially sit at the top of the annual list of data breach costs by industry. To help protect your organization from such attacks, this post presents practical steps you can take now to protect your mission-critical data.

Five Easy Ways to Protect Your Data

#1: Quantify the level of data risk in your organization.

At first glance, this might seem like a very tall order, but it’s not difficult to do if you break the project down into its components. To do so, follow the game plan below:

●     To understand your data landscape, the first step is to create a “Service Catalog” of all of the technologies at your company, including cloud and SaaS platforms and networked laboratory systems, and to ensure that the catalog stays up-to-date. A risk assessment built on a stale inventory will miss exactly the systems nobody remembers to patch.

●     Once the catalog is complete, analyze which of your company’s systems contain data and what types of data (such as product-related, financial, or clinical information) those systems actually contain. You’ll also want to work closely with your user community to determine how they use the systems on a day-to-day basis, since the documented purpose of a system and its real use often differ.

●     Similarly, you’ll need to determine which compliance regimes apply to the various data sets that your company manages: GxP requirements enforced by regulators such as the US Food and Drug Administration (for example 21 CFR Part 11 for electronic records and signatures), along with GDPR, HIPAA, and so on.

●     Next, assess the exposure of the data in your environment by using a data governance solution such as Egnyte to identify where your company’s most sensitive data sits and who can reach it. In addition, perform vulnerability scanning and discovery of new devices across your entire IT environment, and conduct penetration testing of your applications.

●     Finally, cross-reference the vulnerabilities you found against your company’s data profile (which systems hold which data, under which regulations, with what business impact) to arrive at an overall level of risk per system.

Throughout the process, it’s helpful to keep this in mind: If an application/system has a significant impact on your organization, then you need to make provisions to protect it. In other words, you’ll want to focus remediation efforts on areas where you face the highest level of risk against the lowest level of protection.
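The cross-referencing step above, as an added example that is not part of the original post and not an Egnyte product feature: a short Python script that joins a service catalog against scanner findings and ranks systems so that the highest risk against the lowest protection comes out on top. The catalog entries, the findings, the data-type weights and the scoring formula are all constructed assumptions for illustration; replace them with your own data classification policy and your scanner’s output.

```python
from collections import defaultdict
from dataclasses import dataclass

# Relative weight of each data category. Assumed values for illustration;
# align them with your own data classification policy.
DATA_WEIGHT = {"clinical": 5, "product": 4, "financial": 3, "general": 1}


@dataclass(frozen=True)
class Service:
    """One entry from the service catalog (hypothetical schema)."""
    name: str
    data_types: frozenset     # categories of data the system actually holds
    regulations: frozenset    # regimes that apply, e.g. {"GxP", "HIPAA", "GDPR"}
    business_impact: int      # 1 (minor) .. 5 (mission-critical)
    protection: int           # 1 (weak controls) .. 5 (mature controls)


@dataclass(frozen=True)
class Finding:
    """One result from vulnerability scanning or a penetration test (hypothetical schema)."""
    service: str
    cvss: float               # 0.0 .. 10.0
    internet_exposed: bool    # reachable without VPN or SSO


def sensitivity(svc: Service) -> int:
    """Most sensitive data category held, plus one point per applicable regulation."""
    base = max((DATA_WEIGHT.get(t, 1) for t in svc.data_types), default=1)
    return base + len(svc.regulations)


def exposure(findings: list) -> float:
    """Worst finding scaled to 0..1, times 1.5 if anything is internet-facing.
    A system with no findings still gets a floor of 0.5: 'not scanned' is not 'not at risk'."""
    if not findings:
        return 0.5
    worst = max(f.cvss for f in findings) / 10.0
    if any(f.internet_exposed for f in findings):
        worst *= 1.5
    return worst


def risk_score(svc: Service, findings: list) -> float:
    """Impact x sensitivity x exposure, divided by protection, so weakly protected
    high-value systems rise to the top of the remediation list."""
    return round(svc.business_impact * sensitivity(svc) * exposure(findings) / svc.protection, 2)


def rank_services(services: list, findings: list) -> list:
    """Join findings to catalog entries by service name; return (name, score) pairs, highest first."""
    by_service = defaultdict(list)
    for f in findings:
        by_service[f.service].append(f)
    scored = [(s.name, risk_score(s, by_service[s.name])) for s in services]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample catalog and findings (not real systems or scan results).
CATALOG = [
    Service("LIMS", frozenset({"clinical", "product"}), frozenset({"GxP", "HIPAA"}), 5, 2),
    Service("ERP", frozenset({"financial"}), frozenset({"GDPR"}), 4, 4),
    Service("Wiki", frozenset({"general"}), frozenset(), 2, 3),
]
FINDINGS = [
    Finding("LIMS", 8.0, True),    # exposed lab system with a high-severity finding
    Finding("ERP", 9.8, False),    # critical finding, but internal-only and well protected
]

if __name__ == "__main__":
    for name, score in rank_services(CATALOG, FINDINGS):
        print(f"{name:6} {score:6.2f}")
```

Note that the ERP system carries the single most severe CVSS finding yet ranks below the LIMS: the formula deliberately weights what a system holds, who can reach it and how well it is protected above the raw scanner severity, which is the point of cross-referencing findings against the data profile rather than sorting a scan report.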

#2: Gain insight into the types of cyberattacks that can impact your organization.

The business reality is that laboratory systems involve a myriad of cloud-based platforms, and a Life Sciences company’s growth can easily outpace the cybersecurity protection those platforms have in place. This is especially true as AI-driven tools are added to the stack, each bringing new integrations and data flows.

Here are several cyber-threats that you need to take seriously:

Ransomware:

If time and budget permit you to focus on only one type of cyberattack, focus your efforts on preventing ransomware, especially ransomware delivered by phishing email. Why? The 2017 NotPetya attack on Merck, which has been the subject of years of litigation between Merck and its cyber insurers, cost the company more than $1 billion. Two caveats a practitioner should keep in mind: NotPetya presented as ransomware but behaved as destructive malware with no working recovery path, and it entered through a compromised software update (the M.E.Doc accounting package) and then spread laterally using the EternalBlue SMB exploit and stolen credentials, not through phishing. Phishing defenses therefore need to be paired with prompt patching, network segmentation and credential hygiene. In addition, familiarize yourself with snapshot-based ransomware recovery solutions that can get you up and running quickly after an attack, and make sure those snapshots are immutable or otherwise out of reach of the same credentials an attacker would hold, since backups are a routine ransomware target.

Unusual Access:

In addition to preventing ransomware attacks, you need to be able to detect unusual access to your systems and data. This includes securing your company’s network endpoints and monitoring remote sign-ins. A simple example: if one of your users signs in from New York at 9:00 a.m. and then signs in again from Tokyo at 10:00 a.m., one of those sign-ins is almost certainly suspicious, since it’s impossible to travel from New York to Tokyo in one hour. A practical rule flags any pair of consecutive sign-ins by the same user whose implied travel speed exceeds what commercial air travel allows, after excluding known VPN or proxy egress addresses, whose geolocation says nothing about where the user actually is.
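The “impossible travel” check described above, as an added example that is not part of the original post and not Egnyte’s own detection logic: a Python script that sorts sign-in events per user, computes the great-circle distance between consecutive sign-in locations, and raises an alert when the implied speed is physically implausible. The sign-in records, the 1,000 km/h speed ceiling and the VPN egress range are constructed assumptions; the IP addresses are RFC 5737 documentation ranges, not real hosts.

```python
import math
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0   # assumption: generous ceiling for commercial air travel

# Assumption: egress ranges of the corporate VPN or a known proxy (documentation range here).
KNOWN_VPN_EGRESS = [ip_network("192.0.2.0/24")]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_utc(ts):
    """Parse an ISO-8601 UTC timestamp such as 2024-04-15T09:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_vpn_egress(ip):
    """True if the source address belongs to a known VPN/proxy egress range."""
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_VPN_EGRESS)


def detect_impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Flag consecutive sign-ins per user whose implied travel speed is implausible."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_utc(e["time"]))
        for prev, cur in zip(evs, evs[1:]):
            # Geolocation of a VPN/proxy egress address is meaningless here; skip to avoid false positives.
            if is_vpn_egress(prev["src_ip"]) or is_vpn_egress(cur["src_ip"]):
                continue
            hours = (parse_utc(cur["time"]) - parse_utc(prev["time"])).total_seconds() / 3600.0
            dist_km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            # Two sign-ins at the same instant from different places are the most extreme case.
            speed = dist_km / hours if hours > 0 else (math.inf if dist_km > 0 else 0.0)
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from": prev["city"], "to": cur["city"],
                               "minutes": round(hours * 60), "distance_km": round(dist_km),
                               "speed_kmh": round(speed) if math.isfinite(speed) else speed})
    return alerts


# Constructed sign-in records for illustration (not real logs).
SIGN_INS = [
    {"user": "alice", "time": "2024-04-15T09:00:00Z", "city": "New York", "lat": 40.7128, "lon": -74.0060, "src_ip": "203.0.113.10"},
    {"user": "alice", "time": "2024-04-15T10:00:00Z", "city": "Tokyo", "lat": 35.6762, "lon": 139.6503, "src_ip": "198.51.100.7"},
    {"user": "bob", "time": "2024-04-15T08:30:00Z", "city": "Boston", "lat": 42.3601, "lon": -71.0589, "src_ip": "203.0.113.22"},
    {"user": "bob", "time": "2024-04-15T09:15:00Z", "city": "New York", "lat": 40.7128, "lon": -74.0060, "src_ip": "203.0.113.23"},
    {"user": "carol", "time": "2024-04-15T12:00:00Z", "city": "London", "lat": 51.5074, "lon": -0.1278, "src_ip": "192.0.2.5"},
    {"user": "carol", "time": "2024-04-15T12:30:00Z", "city": "Tokyo", "lat": 35.6762, "lon": 139.6503, "src_ip": "198.51.100.9"},
]

if __name__ == "__main__":
    for a in detect_impossible_travel(SIGN_INS):
        print(f"{a['user']}: {a['from']} -> {a['to']} in {a['minutes']} min, "
              f"{a['distance_km']} km, ~{a['speed_kmh']} km/h")
```

Only alice is flagged: roughly 10,800 km in 60 minutes. Bob’s Boston-to-New York hop in 45 minutes works out to about 400 km/h and passes, and carol’s London-to-Tokyo pair is suppressed because her first sign-in came from the VPN egress range. In production the same logic runs against your identity provider’s sign-in log, and the geolocation step is what a GeoIP lookup supplies.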

Insider Threats:

As you know, a collaborative research environment is required to generate your company’s valuable intellectual property. But it takes only a single disgruntled employee, business partner, or contractor to derail all of the hard work you’ve put into development.

In particular, special protection mechanisms need to be put in place for company insiders, like the following: 

●     Data access should be granted on a “business need to know” basis. For example, if a user works on a single project within a group, there’s no need for that user to have access to all of the group’s projects.

●     If you have a remote or hybrid workforce, it’s especially important that Bring Your Own Device (BYOD) technology is subject to security protection equivalent to that of your users’ on-premises devices, if not a higher level of protection.

●     Insider threats are also reduced by traditional cyber-hygiene practices, such as locking down IT system access, reducing administrative access to systems, disabling USB mass storage on endpoints, and establishing processes to onboard and offboard users effectively, so that access is removed the day a person’s role ends.

#3: Design and/or update your company’s data footprint with IT Security in mind. 

Now that you have a better sense of your current environment, you can design (or update) your IT environment, with cybersecurity factored in.

Here are several approaches that you can follow:  

●     Choose technology providers that take IT Security seriously and have cybersecurity protection “baked into” their offerings. Technology partners who take cybersecurity seriously are less likely to present you with supply-chain vulnerabilities that can impact your infrastructure later on down the road.

●     Prioritize your technology updates on mission-critical systems that could be impacted most significantly by cyberattacks.

●     If you’re looking for a solid technological place to start, Identity and Access Management is a good place, since it forces you to address access and permissioning for all of your organization’s IT users right off the bat.  

#4: View cybersecurity as a team sport. 

No matter how well-designed a network is, you need to have your users’ support, in order for your program to succeed. Here’s how:

●     Company contractors, business partners, and employees should have clear IT Security guidelines in place, along with a quarterly cybersecurity training program that keeps pace with rapidly evolving threats. Gamifying your training program, including making it fun and giving prizes for desired user behavior, goes a long way toward achieving the involvement that you need.

●     Communicate to employees why you’re making the decisions that you make, including accepting their feedback for potential improvements.

●     Trust but verify: In addition to involving users in cybersecurity protection, you need to Always Be Checking (the ABC rule) their activities, especially since vulnerabilities can evolve quickly.

●    Conduct Continuous Testing: For a cybersecurity program to succeed, it can’t be a “one and done” proposition. You need to perform continuous testing of your IT environment, within a broader cybersecurity strategy.

#5: Aim for the best, but prepare for the worst.

As you know, the best-laid plans don’t always result in success. If you’re the victim of an unfortunate cyberattack, you need to do the following:

●     Formally declare the incident, which will activate your company’s Incident Response plan. If you don’t have a plan, it’s imperative that you create one now. You can find essential elements of an Incident Response plan in my blog.

●     It’s extremely important to communicate accurately and quickly to your employees, business partners, and customers if you experience a potential breach, and to keep them updated.  

●     In particular, you should reach out to your largest customers, to explain the situation (with quick, factual details) and also keep them up-to-date throughout the process.

●     The best cybersecurity incident is one that never happens. Tabletop exercises are a great way to practice an attack response without going through the pain of enduring an actual attack.

Author
Neil Jones

Neil Jones is Director of Cybersecurity Evangelism at Egnyte. Jones has worked in a variety of roles in the field, including product marketing, sales and even product pricing. He has been a Certified Information Systems Security Professional (CISSP) since 2008.
