Managing Cyber Risk for Life Sciences Companies

By Travelers

Life sciences companies, including medical technology, digital health and pharmaceutical firms, hold vast amounts of vitally important information, and that data is a high-value target for cybercriminals. The average cost of a data breach in the pharmaceutical industry, including biomedical life sciences, is $5.2 million.¹ Intellectual property (IP) is highly prized data and the object of 95% of all cyberattacks in the life sciences sector.²

A cyberattack can be devastating to a life sciences organization. Stolen IP can cause a firm to lose exclusive control over proprietary and confidential information, as well as its competitive advantage in the marketplace. Breaches of medical records can be costly to remediate and may lead to regulatory fines, reputational damage and loss of customer trust.

Because the odds of a cyberattack are high and the potential losses are so great, life sciences firms need to understand the risks and take proactive measures to protect their interests.

Understand the risks

Several key factors are behind the growing cyber threats facing the life sciences sector:

  • Life sciences IP is incredibly valuable. It may include formulas for drugs and blueprints for medical devices that are backed by years of research and clinical trials. These may be potentially life-changing for patients and could generate billions of dollars in revenue, which is why this information is of huge interest to hackers.
  • Increasingly sophisticated cybercriminals are launching attacks motivated by corporate espionage or financial gain. These attacks can be crippling for life sciences companies and cost valuable time as companies work to restore critical files.
  • Life sciences organizations often need to exchange confidential information with a wide range of partners and vendors, across borders and via the cloud. While the sharing and analysis of this data may expedite research and development, it can also increase the chances of IP and Protected Health Information (PHI) falling into the wrong hands.
  • Supply chains are typically global, composed of many different international suppliers, which can add to a firm’s cyber vulnerability. Just one supplier without effective security controls presents a weak link that could allow cybercriminals to infiltrate organizations along the chain. Firms can also be at risk if a supplier has access to their networks, or they may experience business continuity issues if a supplier falls victim to a cyberattack.
  • Wireless, sensor-based medical devices, such as insulin pumps, are transforming patient care. But if security isn’t properly addressed, these devices run the risk of being tampered with, potentially harming patients and exposing sensitive patient information.
  • The proliferation of consumer health and wellness technologies, including wearable devices, may present attractive targets for hackers. Infiltrated devices could create additional vulnerabilities for medical providers, device manufacturers and app or software companies if their connected data is also compromised in the hack.
  • Mergers and acquisitions (M&A), which are frequent in the life sciences industry, carry their own risks, including a data breach at a newly acquired company that could compromise the value of the IP for which the company was acquired.³
  • Supply chain disruptions as a result of the COVID-19 pandemic could present new cyber exposures as life sciences companies re-shore their supply chains or seek new domestic suppliers.

Plan for the inevitable

“Given the high value and sensitive nature of life science data, firms should engage strong cybersecurity controls on par with those of other highly regulated industries,” said Kirstin Simonson, Professional/Cyber Lead for Business Insurance at Travelers.

Taking these steps can help prepare for a cyberattack:

  • Inventory your network assets and identify those that are critical. A third-party consulting firm can be especially helpful in bringing an objective perspective to this essential process.
  • Segment your network to isolate critical and sensitive data from the data and tools that employees use every day. Segment backup data completely and store it offline.
  • Restrict access to your organization’s most critical data to a small number of trusted employees.
  • Require multifactor authentication (MFA). The basic principle of MFA is that an authorized user must provide more than one method of validating their identity. Even if a cybercriminal has obtained a user ID and password, MFA decreases the risk that an attacker can gain access by requiring an additional means of validation.
  • Work with your suppliers, vendors and cloud providers to create a security-first culture. Require them to maintain, at a minimum, the same security standards that your business maintains.
  • Actively scan your network for unauthorized activities and anomalies, including any systems that remote workers may download to their devices, which could put security at risk. Take prompt corrective action. Consider deploying an endpoint detection and response (EDR) solution.
  • Continually update your patch management strategies.
  • Use a well-defined, customized framework of standards, guidelines and practices to reduce your firm’s cyber vulnerability and keep it up to date to ensure ongoing compliance. Make sure all involved are well-educated on their roles and have trained backups who can readily step in if the need arises. This includes development of strong remote access protocols.
  • Build medical devices with cybersecurity in mind from the earliest stages of design through production.
  • Train your employees to recognize and avoid social engineering tactics, such as phishing emails and malicious links that allow hackers to penetrate your network or otherwise create security vulnerabilities.

To further protect your business, set spam filters on high to discard as much junk mail as possible, and clearly identify emails coming from an outside source before opening.

Get insured

Even with the most rigorous security measures in place, no life sciences business is completely protected from the threat of cybercrime. That’s where cyber insurance comes in. It can help cover the costs of an attack and legal claims resulting from a breach.

Travelers CyberRisk Tech™ offers broad, flexible coverage options to help protect your business against damages associated with an incident, including cyber extortion, data restoration, breach notification, business interruption, reputational harm and more. And as a policyholder, you can take advantage of services to help mitigate the effects of cyber risk before, during and after an incident.

Contact your independent agent to learn more about CyberRisk Tech and other industry-specific coverages for all stages of the life sciences product lifecycle.

Sources
1 Ponemon Institute 2019 Cost of a Data Breach Report

2, 3 https://www2.deloitte.com/content/dam/Deloitte/uk/Documents/life-sciences-health-care/deloitte-uk-lshc-cyber-risk-ma.pdf
