Leading Life Sciences Security
Author(s): Tom Patterson, Posted on March 9th, 2015
When a keystroke can kill, a partner website can reveal a billion dollars worth of research, or millions of patient records can be compromised, the stakes are as high as they can get in industry. What are life sciences companies to do?
Fortunately they’ve started taking a page from their adversaries’ manuals, where attackers commonly use tools from one group, privileged information from another and delivery systems from yet a third. These adversaries rent giant botnets, made of millions of personal computers, and aim that wrath at a single website, sometimes simply to distract, while they launch a more damaging attack from another vector.
2014 is the year that life science companies are starting to work together in three key areas to better defend themselves from these ever increasing threats.
First, agreeing “not to compete on security” is life sciences companies’ newest weapon in their arsenal. It’s also a tough concept for a board of directors to approve as they are used to competing on every angle. With boards now recognizing cybersecurity’s risks — and understanding that cybersecurity has become a business issue, not just an IT issue — life sciences CSOs are becoming empowered to share threat and countermeasure data with their peers, partners and law enforcement.
The U.S. Information Sharing and Analysis Centers (ISACs), which are available to each critical component of our economy, and specifically, the National Health’s ISAC are all growing quickly. Member life sciences companies now provide specific direction to the NH/ISAC. It also has added life sciences security executives from Amgen, J&J, McKesson and Merck to its board, and it has begun to deliver vital information sharing services, both between members, and between members and law enforcement.
This collaboration shows the same real successes that the Financial Services ISAC has been delivering to its members for more than a decade. Additional benefits, including spotting and stopping threats before they cause damage, are coming through collaborative work with the security sector and law enforcement.
Second is the attention to eco-system security. Supply-chain security has become a new and formidable challenge to tier-one life sciences companies, and one that is best addressed by their purchasing departments, not their IT departments. The Target thieves didn’t attack Target directly, but rather attacked the company by first attacking one of its suppliers. Criminals are routinely using supply chains to attack tier-one companies. “At this point, life sciences companies need to employ what I call “industrial strength” cybersecurity,” says Dr. Robert Wah, CSC Global Chief Medical Officer. Dr Wah is also President of the American Medical Association (AMA). “We can learn lessons from other industries.”
Life sciences companies’ purchasing and M&A departments are now paying vital attention to cybersecurity, including requiring proven security capabilities prior to selection and integration. No one remembers the name of the air conditioning company that attackers first breached to get to Target’s systems, but everyone remembers that the breech lost Target billions as well as ended C-suite careers.
Third a growing understanding that medical devices, from pacemakers to phone apps, are this industries’ industrial control systems (ICS). While ICS security is usually associated with the energy sector, the same principles apply with medical devices, and therefore the same threats and vulnerabilities exist. ICS systems work differently from traditional compute and communicate enterprise systems. With the latest FDA guidance , life science companies are starting to leverage work and standards from other sectors to get a jump on protecting their own systems. Leveraging the years of learning that security experts have already accomplished towards securing these types of systems is critical to success. Life sciences companies will need to understand their unique ICS risks, and the best way to mitigate them, for the safe advancement of medicine.
For those in the life sciences ecosystem, it’s time to review and adopt these three industry leading security practices:
1) Agree not to compete on security, and then action that agreement with your peers, partners and law enforcement
2) Accept that your supplier’s security risks are your security risks, and start to choose, acquire and manage their apps and services within your security policy
3) Understand that ICS devices are different, are real targets, and must be secured properly.
The global life sciences industry plays a key role in this planet’s critical infrastructure. Getting security right is not just a bottom-line decision, but one that affects our very lives. It’s great to see the industry making such progress.
This post was first published in CSO by IDG Communications, Inc. at http://www.csoonline.com/article/2453990/security-leadership/leading-life-sciences-security.html.