In May 2017, Life Science organizations were hit by one of the biggest cybersecurity incidents - the WannaCry ransomware attack. WannaCry spread rapidly across networks, encrypting files and demanding ransom payments in Bitcoin to decrypt them. The U.K.'s National Health Service (NHS) was hit especially hard, as the ransomware infected systems used by about one-third of NHS hospital trusts and GP surgeries.
This massive attack caused chaos and disruption, forcing hospitals to turn away non-emergency patients and cancel routine appointments. Ambulances had to be diverted and staff were left struggling with limited access to vital records and systems necessary to provide safe care. More than 19,000 patient appointments had to be canceled, in part due to doctors losing access to electronic records.
The total cost of the WannaCry attack on the NHS alone was estimated at over £92 million, while other life sciences companies had their operations crippled or data stolen and ransomed, costing tens or even hundreds of millions.
The story of WannaCry is a sobering example of why life science organizations must make cybersecurity a top priority in patient well-being and business continuity. In an era where healthcare is heavily intertwined with and dependent on technology, its failures or misuses can have physical, not just digital, repercussions. And that, ultimately, is what makes its future worth safeguarding.
The life sciences industry works with highly sensitive data and intellectual property, making it an attractive target for cybercriminals. Patient records, intellectual property, and trade secrets are all at risk if cybersecurity is not prioritized. According to research from Deloitte, the life sciences sector experienced the second highest rate of targeted cyberattacks of any industry in 2019.
To mitigate these cyber risks, life sciences companies should implement cybersecurity best practices with a focus on protecting sensitive data and critical systems. Here are some of the top ways for life sciences organizations to apply cybersecurity best practices:
#1 Conduct regular cyber risk assessments
As noted by KPMG, life sciences companies should frequently carry out enterprise-wide cyber risk assessments to identify vulnerabilities and determine the potential impact of cyber threats. Assessments should consider technical risks as well as risks from third-party vendors and employees. Companies can then create risk mitigation plans to address the top risks.
Cyber risk assessments identify vulnerabilities, threats and impacts to critical assets so companies can implement appropriate controls and mitigation plans. Life science organizations should perform the following steps to conduct regular cyber risk assessments:
1. Identify high-value assets
Determine critical systems, applications, infrastructure and data that are most important to protect. Focus assessment efforts on threats and risks to essential business functions and highly sensitive information.
2. Define assessment scope and methodology
Decide on tools, frameworks and other means of evaluation; breadth/depth of assessment; involvement of internal teams vs. external assessors; and frequency of assessments. Scope may vary for different asset types or threat landscapes.
3. Use standardized risk analysis frameworks
Apply frameworks like NIST SP 800-30, ISO 27005 or OCTAVE to assess risks in a systematic, repeatable fashion. These provide guidance on the process of identifying, analyzing and evaluating information security risks.
4. Identify vulnerabilities and threats
Analyze assets and environments to detect weaknesses that could be exploited. Monitor for the latest threats like malware, phishing and software flaws that pose risks. Assessments should evaluate both internal and external threats.
5. Analyze potential impacts
Determine what would happen if identified threats took advantage of vulnerabilities. Consider impacts like data compromise, loss of critical services, reputational damage, legal penalties and loss of intellectual property. Rate impact severity.
6. Evaluate risks and risk levels
Analyze threats, vulnerabilities and potential impacts together to assess risk likelihood and severity for each critical asset. Rate risks as high, medium or low using a consistent scoring method. Focus mitigation plans on unacceptable high and medium risks.
7. Develop risk mitigation plans
For priority risks, determine mitigation steps to eliminate threats, reduce vulnerabilities and lower impacts. This may include patching software, implementing new controls, tightening physical security, employee training, data encryption or other actions. Assign responsibility and timelines for rolling out mitigation plans.
8. Monitor and track ongoing risks
Perform assessments regularly to re-evaluate risks based on the latest threats and vulnerabilities as well as effectiveness of mitigation efforts. Make changes to programs, systems or controls accordingly to maintain an acceptable risk posture.
Conducting holistic cyber risk assessments following established frameworks allows life science companies to gain visibility into risks facing critical assets and put data-driven mitigation and security controls in place. By identifying threats, weaknesses and impacts; evaluating risk levels; creating mitigation plans; and tracking risks on an ongoing basis, companies can target resources for maximum benefit and protection of essential systems, data, services and business functions. Overall, cyber risk management anchored in regular risk assessments is a vital practice for life science cybersecurity.
#2 Implement strong access control and authentication
One of the best ways to prevent unauthorized access is through strong access control and multi-factor authentication, especially for systems that contain sensitive data. Role-based access control should be used to ensure users only have access to the data and applications required for their role, as recommended by Aon.
Life science companies should institute the following practices to implement strong access control:
Use role-based access control (RBAC)
Provide access to systems and data based on job roles and responsibilities. Restrict highly sensitive data and privileged functions only to those who explicitly require them. Review and update RBAC policies regularly as roles change.
Require multi-factor authentication (MFA) for critical systems
MFA adds an extra layer of protection for networks, applications and servers hosting regulated or confidential data. Common methods include security keys, one-time codes via SMS or mobile apps, and biometrics.
Create unique credentials for each employee
Do not reuse usernames, temporary passwords or other short-term credentials across multiple accounts or employees. Unique IDs per user account are easier to monitor and revoke if compromised.
Implement the principle of least privilege
Grant employees only the minimum level of access needed to fulfill their job duties. This limits how much data or how many systems are affected if accounts or credentials are compromised. Review accounts periodically to check for privilege creep.
Establish a strong password policy
Require employees to set long, complex, unique passwords for each account and 2FA method. Forbid reuse of previous passwords and change all default passwords. Force password changes every 60-90 days.
Monitor account login activity
Keep a log of successful and failed login attempts for critical systems and networks. Monitor for abnormal activity which could indicate compromised credentials or brute force attacks. Configure systems to lock accounts after a certain number of failed logins to prevent cracking.
Restrict data access based on source
Not all users or systems require access to sensitive data and resources. Configure multi-factor and role-based controls to limit access based on device types, locations, IP addresses or other attributes. Provide remote access through secured, managed networks only.
Disable or remove inactive accounts
Have a process to promptly shut off accounts for terminated employees or those who transfer to other roles. Monitor for and disable stale or unused accounts that could be targets for takeover leading to access or privilege escalation.
Strong yet flexible access control and multi-factor authentication are essential for defending sensitive systems and data. By using a tailored combination of technologies and policies including RBAC, MFA, unique credentials, least privilege principles and account activity monitoring, life science companies can achieve defense-in-depth and minimize risks of unauthorized breaches or access. Reviewing and updating access controls regularly helps ensure they continue meeting security and compliance goals as roles, technologies and requirements change. Overall, access control and authentication done right are fundamental to cybersecurity best practices.
#3 Encrypt sensitive data
Any sensitive data like patient records, trade secrets, or employee records should be encrypted, both when stored and in transit according to guidance from Deloitte. This helps ensure that even if there is a data breach, the stolen data cannot be accessed or used. Full disk encryption and encryption for removable media like USB drives is also recommended.
Best practices for encrypting sensitive data include:
Identify sensitive data types and locations
Know what data needs encryption such as personal information, health data, trade secrets and financial records. Locate where this data is stored, processed and transmitted. Focus encryption efforts on the most critical and at-risk data.
Encrypt storage systems and backup media
Use strong encryption solutions, especially full disk encryption, to encrypt hard drives, USB drives and other storage hosting sensitive data. This includes backup drives/tapes in case they are lost or stolen.
Encrypt data in transit
Use a VPN or other encryption tunnel when sensitive data is transmitted over the network internally or externally. Encrypting only storage is not enough. Interception of unencrypted transmissions can still expose the data.
Choose strong ciphers and keys
Select advanced encryption standards like AES (256-bit) over older standards. Longer, complex keys provide much more protection than short, simple ones. Change default keys to unique custom keys where possible.
Encrypt archives and files containing sensitive data
Use file-level encryption, compression utilities, encrypted containers or other solutions to encrypt files such as spreadsheets, documents and databases holding personal and confidential information.
Encrypt laptops, tablets and portable media
Full disk encryption should be mandatory for any device that may leave company premises like laptops as well as USB drives, smartphones and other removable media. Encryption prevents data exposure if devices are lost, stolen or seized.
Have a key management strategy
With many encryption solutions deployed, managing keys can become complex. Label keys, store them securely in a central location and limit access only to those who need them. Change keys periodically according to a defined policy.
Monitor and audit encryption controls
Continually check that required data types are encrypted, keys are managed effectively, and solutions are applied consistently and properly. Watch for new or updated encryption standards and upgrade where necessary.
When encryption is applied systematically to sensitive data in all locations - at rest, in transit and in use - life science companies can gain a high level of assurance in data security and regulatory compliance. However, encryption is only as strong as the keys and policies that support it. With a comprehensive approach, even if systems are breached, critical information remains protected. Overall, encrypting sensitive data and managing it well is a vital cybersecurity best practice.
#4 Provide regular cybersecurity training
Employee errors and lack of cyber awareness are major causes of breaches in the life sciences sector according to Aon. Regular cybersecurity training should be mandatory for all employees to teach them how to spot phishing emails, use strong passwords, and follow security best practices. Phishing simulations can also be used to reinforce training.
Cybersecurity training for all staff is essential to establish a "culture of security" and minimize human error that leads to data breaches. Life science companies should institute the following practices for regular cybersecurity training:
Require annual cybersecurity awareness training for all employees
This includes training on phishing, malware, strong passwords, compliance obligations and other foundational topics. Make training mandatory to ensure participation.
Tailor training to specific roles
Provide more in-depth training for those with access to critical systems and regulated data. For example, train software engineers on secure coding practices. Educate compliance, legal and HR teams on relevant data regulations.
Use engaging and interactive content
Combine video, simulations, real-world examples and discussion to bring trainings to life. Interactive or gamified learning helps concepts sink in better than passive reading.
Include phishing simulations
Run mock phishing email campaigns to gauge employee ability to detect and respond appropriately to phishing attempts. Provide follow-up training to those who fail to report phishing simulations. Repeat campaigns regularly.
Review and update materials annually
Cyber threats evolve rapidly so training content should be reviewed and refreshed each year to address the latest risks and guidance. Update statistics, examples, best practices and other information.
Track participation and test comprehension
Use cybersecurity training tools and software that can track who has completed required courses and how well they understood the materials. Retrain those with lower scores or long completion times.
Supplement with monthly or quarterly updates
Send regular email updates, newsletters, and reminders to reinforce key points from trainings. Share examples of recent threats and attempted attacks. Keep security top of mind.
Train compliance and security officers additionally
Require ongoing education for personnel directly responsible for compliance, risk management and security programs. They need frequent updates on regulations, standards, technologies and leading practices to fulfill their duties.
Well-executed training and education is one of the most impactful things life science companies can do to boost cyber resilience. With a comprehensive program of mandatory cybersecurity awareness, specialized role-based training, anti-phishing exercises and regular refreshers and updates, companies establish a workforce hardwired to spot and mitigate threats. By investing in your people, you invest in protection.
#5 Stay up-to-date with compliance requirements
The life sciences industry must comply with regulations and standards like HIPAA in the US, GDPR in the EU, ISO 27001, NIST Cybersecurity Framework and others. Companies should have a plan to monitor for updates to relevant regulations and update their compliance programs and technical controls accordingly, notes KPMG. Non-compliance can lead to legal penalties and reputational damage. You should take the following steps to ensure your company remains updated with the latest changes in legal requirements:
Assign responsibility for monitoring updates
Designate compliance staff to track updates and changes to relevant standards and regulations. Subscribe to news feeds from regulatory bodies to receive announcements of revisions.
Review and analyze updates
When changes are made to applicable regulations and standards, review them in detail to understand new or modified requirements and guidelines. Assess how the changes may impact existing compliance programs and controls.
Revise and update compliance programs
Make any necessary changes to compliance policies, procedures, controls, and other measures to adhere to updated regulations and standards. Update technical controls, access management, risk assessments and other areas as needed.
Educate staff on changes
Inform all affected staff members about important updates made to compliance obligations, especially those who work directly with regulated data and systems or have compliance-related responsibilities. Provide guidance on new requirements and how to fulfill them.
Document all reviews and changes
Keep records showing compliance updates were reviewed in a timely manner and modifications were made to accommodate new requirements. These documents can be used to demonstrate compliance to regulatory authorities.
Monitor compliance and effectiveness
Once updated compliance controls and programs are in place, monitor them regularly to ensure continuing adherence to all obligations. Make further revisions as needed to address any gaps. Conduct periodic compliance audits.
Staying up-to-date with an evolving compliance landscape is challenging but failure to do so can result in legal punishment and reputation damage. With procedures in place to monitor updates, review changes, modify controls and review effectiveness, life science companies can maintain strict compliance with laws and standards even as regulations change. Continuous monitoring and improvement is necessary as requirements frequently get more complex. Keeping meticulous records of reviews and revisions aids in demonstrating compliance to regulators. Overall, an up-to-date compliance program is a pillar of good cybersecurity practices
#6 Monitor for threats and take quick action
With constant monitoring for potential intrusions, anomalies, and cyber threats, life sciences companies can detect breaches early on and respond rapidly according to Deloitte. Once a threat is discovered, a predefined incident response plan should be triggered to help limit the damage. Saving a few hours in response time can make a major difference.
Monitor network activity and system logs
Monitor for anomalies in network traffic, system usage, access logs and other metrics that could indicate an intrusion or data breach. Set up centralized log management and use data analytics tools to spot abnormalities.
Scan for vulnerabilities regularly
Run automated vulnerability scans on networks, systems and applications at least monthly to check for security holes that need patching. Prioritize critical vulnerabilities for systems and software used in important business operations.
Monitor for new threats
Stay up-to-date with the latest threat intelligence on new malware variants, phishing campaigns, software vulnerabilities and other risks that could affect systems and assets. Subscribe to reports from cyber threat analysis firms.
Install intrusion detection systems
Deploy network-based and host-based intrusion detection systems to monitor for and alert on potential unauthorized access or activity on networks and critical systems. Monitor alerts and review/respond promptly.
Have a predefined incident response plan
Develop procedures to follow in the event of detected intrusions or threats. Include steps for analysis, containment, mitigation, notification, recovery and review. Form an incident response team to manage the process.
Take quick action
During an incident, speed and accuracy are vital. Analyze intrusions/threats rapidly to understand scope and impact. Work to contain the incident by isolating affected systems, blocking access, shutting services down if necessary. Recover compromised data/systems as soon as possible to minimize disruption.
Report incidents promptly
If personal or sensitive data has been lost, stolen or accessed improperly, notify those affected as well as relevant regulatory bodies within 72 hours as required by law. Reporting transparency is important to maintain trust and compliance.
Continuous monitoring, rapid detection of threats and quick, effective incident response require close collaboration between IT and cybersecurity teams. With systems tuned to spot abnormalities and plans ready, life science companies can take swift action to handle cyber incidents and curb negative impacts to the organization. Prompt internal review and notification after an incident is also essential to meet legal requirements and rebuild trust.
#7 Develop robust contingency plan
Life science companies should develop robust contingency plans to ensure continuity of critical operations and systems in the event of a cyber attack, data breach, or other incident. Some key steps to developing contingency plans include:
Identify critical business processes and the systems/data that support them
Focus contingency planning on the most important and sensitive areas. Things like manufacturing operations, research data, patient records, etc. should be top priority.
Create data backup and recovery plans
Regularly back up critical systems and data in case of data loss or corruption. Store backups offline for safety. Test the recovery process periodically to ensure backups can be restored.
Establish emergency communication plans
Develop procedures to communicate with internal teams, partners, suppliers, customers and potentially media in a cyber incident. Practice and drill communication plans.
Define incident response procedures
Have written procedures for investigating and responding to cyber threats or data breaches. Include how to contain threats, analyze impacts, recover data/systems, and eradicate problems. Form an incident response team and assign responsibilities.
Test and drill contingency plans
Run drills to execute contingency plans in a simulated environment. This helps identify potential gaps and improve response before a real emergency occurs. Annual drills at a minimum are recommended but quarterly or biannual drills are better.
Provide training on roles and responsibilities
Anyone with a part to play in contingency plans should have training on exactly what they are expected to do in an emergency scenario. Cross-train staff in case key members are unavailable during an incident.
Review and revise plans regularly
Contingency planning is an ongoing process. Plans should be reviewed and updated at least annually or if there are significant changes to business operations, systems, software, laws or other factors.
Contingency planning is a vital part of cybersecurity preparedness for life science organizations. By investing in backup, incident response and emergency planning, companies can continue operating even when cyber attacks and data breaches occur. Regular testing and plan maintenance help ensure a rapid and effective response during a crisis.
Conclusion
Overall, a strong cybersecurity program built on best practices like conducting risk assessments, enabling access control, encrypting data, training employees, staying compliant, and continuous monitoring is essential for any life sciences organization today. With sensitive data, critical infrastructure, and valuable intellectual property at stake, cybersecurity should be a top priority for the industry. Following industry standards and frameworks for life sciences like the NIST Cybersecurity Framework is also important in developing a robust cyber program according to KPMG. By making cybersecurity a strategic imperative, life sciences companies can vastly improve their cyber resiliency and avoid becoming the next victim.
