Pharmaceutical companies and security

Pharmaceutical Companies and Computer Security Fidèle DEGNI | Juliette FOINE | Professor Christopher Yukna | Ecole Nationale Supérieure des Mines de Saint Etienne


Why Is IT Security a Priority for Pharmaceutical Companies?

“If you have anything of value, you will be targeted. You won't necessarily know by who.” John Stewart, Chief Security Officer, Cisco Systems


Digitalization (1/2)

• Digital = hot topic in healthcare

• Devices -> connected into a medical Internet of Things (“IoT”)

Digitalization (2/2)

• Big Data analytical techniques, in order to collect and process large amounts of data

• Personalised drugs

At the same time... (1/2)

• There are cyber security breaches into sophisticated and well-managed companies by hackers, criminals and nation states

• Intellectual property is stolen, confidential emails are shared publicly, and medical records are used to create fraudulent new identities

• For example, US retailer Target’s data breach of 2014 involving a reported 70 million credit card records, JP Morgan Chase’s data breach involving 76 million accounts, and Anthem’s loss of personal information of its clients and employees earlier this year are some of the recent major security breaches

At the same time... (2/2)

• In 2011, the UK government estimates its pharmaceutical, biotechnology and healthcare sector suffered £1.8b in losses arising from theft of intellectual property (IP)

• The global market for pharmaceuticals is estimated to hit USD $1.1 trillion in 2015. Strong demand for new cures and high profits associated with marketing new, patent-protected drugs drive fierce competition in product development

• It is not surprising then that criminal elements have increasingly targeted the intellectual property of pharmaceutical companies. The cost of IP falling into a competitor’s hands, however, is difficult to calculate

Cyber security risks (1/2)

• Compromised information leads to financial losses and reputational damage, but compromised production systems could have far-reaching impacts, including loss of life

• One key problem is that manufacturing systems often use technology which is older than the internet itself, meaning that these systems are inherently insecure

Cyber security risks (2/2)

• Another concern is integrity and availability.

• The same risks apply to medical devices

Data security (1/2)

• In all sectors of pharmaceutical industries, the use of IT systems (Enterprise Resource Planning, ...) creates new needs in terms of data security and working tools.

• There is not much difference between banks and pharmaceutical industries: both have needs for traceability and confidentiality. For pharmaceutical companies, there is intellectual property too.

Data security (2/2)

Nothing is more valuable to a pharmaceutical company than the formula for one of its new drugs

What is the priority? (1/2)

• R&D phases

• Manufacturing

Indeed, we can imagine the panic if a computer virus destroyed research data on a drug candidate developed over several years, or if a computer crash forced production to halt for several days while the problem was solved...

What is the priority? (2/2)

Pharmaceutical companies have a strong dependence on computers. Any interference with the availability, confidentiality or integrity of these systems can have serious consequences for the various processes!

What can be done?

Company insiders, not outside hackers, are involved in more than two-thirds of all cyber cases involving theft of intellectual property… Whether driven by opportunism, greed, a desire for revenge, or a combination of all three, these insiders exploit their position of trust to obtain access to their organization’s most valued digital assets


Regulations for IT security

• 21 CFR Part 11 (electronic records and signatures): it ensures, for laboratories, the traceability of all changes in the system. Any change made by a manufacturer must be traced: who, what date and time, why, etc. This allows for a history of everything about a product or action

ISO 27001 standard

• This international standard provides a framework and methods to identify and maintain a level of security appropriate to the constraints that meet the obligations and requirements of stakeholders

Testing the IT security with audits

These IT security companies are involved, including in missions to audit existing systems.

They carry out penetration tests, which consist in trying to penetrate the system by all means to detect security vulnerabilities. Then they study the practices, and also provide governance and risk analysis services, often assisting the company's computer security manager. Finally, they work on operational security, supporting the security infrastructure or reacting to incidents.

Organizations need to do their part 1/2

• Cyber risks resulting from interconnectivity to the internet and enterprise systems must be taken into account as we increasingly interconnect devices

• Organisations should analyse and understand the risks of increasing connectivity, together with assessing how their key assets are being protected. It is crucial that security be included during the design process and as an inherent part of any system

Organizations need to do their part 2/2

• Educate and regularly train employees on security or other protocols

• Ensure that proprietary information is adequately, if not robustly, protected

• Use appropriate screening processes to select new employees

• Provide non-threatening, convenient ways for employees to report suspicions

• Routinely monitor computer networks for suspicious activity

• Ensure security (to include computer network security) personnel have the tools they need

State of the profession / context for becoming an expert in computer security

For several years, the budget a company allocates to IT security has been increasing much faster than other budgets.

With the explosion of cybercrime, and with the increasing complexity of information systems, companies are often looking for new computer security experts. The security of an organization's data has become a strategic challenge; the IT security expert will often have a special status within a company, and loyalty to the employer will often be rewarded.


Thank you for listening!

Questions?
