life sciences innovation and cyber security: …...2018/10/03 · life sciences innovation and...

Life sciences innovation and cyber security: InseparableBreakthrough drugs and devices present greater opportunities…and risks

kpmg.com

ata sharing and analysis is believed by many to

be the key to innovation in life sciences: Diseases can be treated and even cured more expeditiously when researchers are able to search peer-reviewed studies worldwide using cognitive computing. Clinical trials can be seamless and less expensive if research is transmitted via the Cloud. Pharmaceutical companies can specialize and gain competitive advantage by strategically merging with targeted partners. Patient outcomes are improved through innovative medical devices that allow doctors to monitor medication adherence and vital signs.

Digital innovations such as these are poised to take the life sciences industry into the future. However, it is crucial for organizations to remember that, for all the opportunities these technologies offer, they also come with significant cyber-security and privacy risks.

Biopharmaceutical researchers in the U.S. and Switzerland want to collaborate on a new cancer drug, but they are concerned about exposing their intellectual property to theft during data transmission.

A global pharmaceutical firm considers conducting a clinical trial of its new HIV drug in an emerging economy but is held back by vulnerabilities in the potential trial partners’ infrastructure.

The merger of two global life sciences companies is stalled when one of the companies reveals recent HIPAA violations.

A medical device manufacturer faces difficulties bringing its new continuous glucose monitor to market due to recent news reports on device tampering.

D

© 2017 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

“The value of digital assets across life sciences is skyrocketing—as are the risks and costs of regulatory non-compliance, reputational damage, and related cyber and privacy breaches,” says Liam Walsh, Principal and Healthcare & Life Sciences Line of Business Leader, KPMG Advisory. “The challenge is to develop an accurate assessment of an organization’s true risk profile and then consciously weigh its genuine risk tolerance against the existing cyber-security investment. I believe many will find that their investments are falling far short.”

Certainly there are strategies, processes and technologies to mitigate a breach once it has occurred. And, according to research by Forbes Insights and KPMG, organizations believe they are making the needed investments in cyber-security programs. However, to mount a truly effective defense, cybersecurity must become part and parcel of innovation. Effective cyber-security programs are focused on more than just compliance and threat management, but also on the business value cyber security can bring to the new approaches, models, and capabilities that drive life sciences.

This report outlines key findings from the 2017 KPMG/Forbes Insights Cyber-Security Survey of 100 senior executives from the life sciences field. [One-hundred senior healthcare executives were surveyed as well.] The findings indicate that companies are elevating cybersecurity to a strategic imperative but at a pace that lags behind their desire to adopt digital technologies to drive innovation. To illustrate, we take a look at the current and desired states of cyber security in life sciences through the lenses of data sharing, mergers & acquisitions, and medical device implementation. We conclude with our guidance on where organizations should be focusing their efforts.

43% of respondents to KPMG’s survey have not increased their cyber-security budget despite knowledge of recent high-profile breaches2017 KPMG/Forbes Insights Cyber-Security Survey

“The value of digital assets across healthcare is skyrocketing—as are the risks and costs of regulatory non-

compliance, reputational damage, and related cyber and privacy breaches.”— Liam Walsh, Principal, Healthcare &

Life Sciences Line of Business Leader, KPMG Advisory

1Life sciences innovation and cyber security


Life sciences companies have many strategic imperatives that can be addressed through unfettered use of big data. Driving down drug prices. Substantiating demonstrable outcomes. Targeting at-risk populations with educational material about new drugs and self-management. Shifting from treatment to prediction, prevention and real cure.

Making headway on such transformational undertakings requires not just data analysis, but data sharing – across borders, with competitors, via the Cloud, sometimes in real-time. Organizations are committed to this more open environment.

However, some organizations seem to be a bit complacent when it comes to the very real threat of intellectual property and patient data cyber-theft: Despite recent high-profile data breaches, 57 percent of the life sciences companies surveyed feel more secure about their data security than they did in the past. There is some divergence about whether the Cloud increases or decreases an organization’s security profile. Organizations are sharing sensitive information with a much wider variety of partners and vendors. And most life sciences companies are not ready to meet the enhanced data privacy expectations of the new General Data Protection Regulation (GDPR) mandated in the European Union.

1. Sharing and analyzing data

Organizations are sharing sensitive and confidential information with:

Clinical research partners (e.g., universities) 77%

Contract manufacturers 51%

Marketing/detailing organizations 45%

Contract sales people 30%

Staffing agencies/contractors 24%

Business process outsourcers 10%

Outlook on data security profile in light of recent data breaches

Impact of the Cloud

More secure 57%

About the same 31%

Less secure 12%

Improved our security profile 76%

Increased risk 40%

2 Life sciences innovation and cyber security


40

36

24

40

36

24

Overseas cyber-security protocol is:

Weaker than in the U.S.

Stronger than in the U.S.

No overseas outlets

“When CIOs are told that addressing cyber-risk will take a much larger investment, the reaction, increasingly, is to simply resign themselves to accepting greater risk. That’s not the

right answer. Yes, top resources in cybersecurity do not come cheap. Together with healthcare, life sciences is only now in the beginning phases of becoming one of the most data-intensive industries imaginable, which makes it one of the most susceptible to cyber-risks. The investments will hit margins. But the industry as a whole needs to revisit core processes to balance getting value out of data with minimizing risk – starting yesterday.”— Fred Rica, Principal, KPMG Cyber Security Services

WHAT TO DO NOW: To get value from data, make cyber security an urgent priority



The life sciences industry has undergone significant consolidation in the last three years, driven by companies’ desire to focus on particular medical specialties, respond to pricing pressures, maximize economies of scale, and better serve patient populations.

While merger and acquisition activity can enhance a company’s position in a crowded and competitive market, the increasing likelihood of a cyber-attack requires taking a closer look at a deal partner’s cyber-security programs to ensure that all parties are aligned. Further, given the advent of the GDPR, expanding into European markets means that data-protection processes and controls must be significantly improved. As the survey results below illustrate, despite uncovering significant cyber-risks, nearly 40 percent of companies said no action was needed post-merger.

2. Consolidating for competitive advantage

Completed a merger or acquisition in the past year

Biotech/pharma 40%

Medical device maker 38%

2017 KPMG/Forbes Insights Cyber-Security Survey

Yes 61%

No 37%


Deal entailed a technology integration

Cyber-risks uncovered

Insufficient access controls 50%

Cyber-security policy, procedure, and control misalignment 46%

Inability to detect cyber incidents 35%

Poor oversight of trusted third parties 31%

Limited/disjointed governance across operations 27%




“For five or so years, life sciences organizations have been on an acquisition spree, expanding their footprints, defining and realizing synergies, moving into emerging markets, and trying to personalize products and services to get as

close to the patient as possible. M&A of this scale, along with the tidal wave of new technology and data capabilities, means unprecedented advancement and exposure to cyber and privacy risks.

“There are always new and ever more nefarious cyber threats. There are competitors and nation-states scheming to capitalize on organizations’ R&D and IP data assets. There are disgruntled, displaced workers. So, as leaders, you need to help your organizations maintain a keen focus, instilling cyber-risk awareness and action throughout the organization. Don’t check the box. Check the risks.” — Alison Little, U.S. Life Sciences Advisory Leader

WHAT TO DO NOW: Check your partners

No action needed 38%

Ran separate cyber programs 21%

Migrated to the acquired company’s system 17%

Used acquiring company’s system across merged organization 13%

Meshed complex systems 10%

Post-deal cyber-security measures




3. Addressing medical device cyber securityWireless, sensor-based medical devices – both wearable and implantable -- are viewed widely as one of the most significant innovations in patient care. They allow seamless patient management, efficient communication, timely diagnostics, and early intervention. And yet, these devices have the potential to be both a blessing and a curse. From harming patients via device tampering, to using a medical device as an entryway to a hospital’s network, to gaining inappropriate access to sensitive information, cyber-criminals see opportunities in these increasingly ubiquitous devices.

Although manufacturers use a wide variety of measures to continually test devices’ cyber security – including attestation, penetration, vulnerability, and bug bounty testing -- it is of concern that most are not training their software engineers in the latest cyber-security and privacy techniques on a regular basis. It is critical that manufacturers steer away from the view that cyber security and privacy can be bolt-ons to

development efforts. Instead, they should be integrated into device design from the earliest stages. For example, companies can use state-of-the-art encryption, secure operating systems, fail-safe designs, improved development quality assurance processes, and memory protections from malware.

Of course, these approaches don’t apply to older devices as they were not originally designed with this level of security. However, they can, of course, be retrofitted with some cyber-security and privacy capabilities, in accordance with risk-based decision making and coordination with provider and patient populations.

Finally, since both manufacturers and provider organizations have a vested interest in using advanced medical devices to improve patient health, a collaborative approach to cyber security and privacy that starts in the design phase is imperative. Although it is encouraging that 60 percent of manufacturers regularly communicate with providers, most of this communication occurs long after a device is manufactured and sold.

Although device tampering during patient use has received a great deal of media attention, cyber-criminals are much more likely to target the software used during the manufacturing process.

Likelihood of attack on software governing device manufacturing

Likelihood of device label tampering via supply chain partner breach

Likelihood of attack on software governing medical device in operation

52%

32%

16%

Most manufacturers at least consider cyber security during the design stage, but the sophistication of the security mechanisms their software engineers can handle is unclear.

Integrate security and privacy principles during development

Conduct regular software engineer training on secure development and programming

92%

15%2017 KPMG/Forbes Insights Cyber-Security Survey



“The sophistication of cyber-attacks is snowballing on a daily basis. The only way organizations can stay ahead of malicious actors is to incorporate risk identification and mitigation at the earliest stages of medical

device development. Manufacturers cannot do this alone. They need the insight and cooperation of their provider peers to really understand where attack vectors lie and how to keep patients safe.”

WHAT TO DO NOW: Collaborate with providers on cyber security during the design phase

— Sarat Mynampati, Managing Director, KPMG Cyber Security Services

More than half of medical device manufacturers believe that a collective effort with provider organizations is the key to securing medical devices.

51% collaborative effort

36% just medical device manufacturers

10% just healthcare providers



Processes

4. Creating a balanced cyber-security program

Formal processes and continuous technology assessments are critical to cyber security. However, organizations should remember that people issues cannot be an afterthought.

More than 35 percent of medical device makers say that better cyber-security technology is their priority, and 24 percent of drug makers are focused on stronger processes. By contrast, greater staffing was seen as a priority among only nine percent of all life sciences respondents. Further, as the survey data to the right shows, only 15 percent of life sciences organizations are investing in staffing, compared to 51 percent investing in technology solutions and 41 percent investing in improved policies.

In the overwhelming majority of cases, life sciences organizations report that they have the right processes in place to battle cyber-attacks after they’ve occurred. And 61 percent have well-established investigative and forensic cyber programs. It is of concern, however, that most of these efforts are reactive, as opposed to preventive measures taken before vulnerable technologies are put in place.

Reactive cyber-security measures:

Cyber-security investments

Security operations center (SOC) 82%

Business continuity plan 82%

Internal and external investigative and forensic measures 61%



More staffing

Reorganization of IT

Breach response drills

Outsourcing to thirdparties

Improvedgovernance/policies

Software/Technology

33%

51%

41%

15%

31%

22%



WHAT TO DO NOW: Transition from a reactive to a proactive defense

“When 80 or 90 percent of companies say they are taking cyber-threats seriously, that’s heartening. But, we also see that the number and scale of cyber-breaches just keep growing. We need to shift our focus to defining and

achieving a target state operating model for cyber and privacy preparedness that aligns to risk decisions.

“This will be more effective than the non-stop firefighting and ‘whack-a-mole’ exercises that most organizations play every day. This is an interesting challenge. How can we focus our people, processes and technologies on proactive, predictive and ultimately more effective defense?”

— Sarat Mynampati, Managing Director, KPMG Cyber Security Services



Technology

Creating a balanced program (continued)

Since most life sciences organizations believe that intellectual property is a major target of cyber-criminals, it is appropriate that securing network infrastructures housing R&D is a top priority. On the other hand, many believe that financial information is targeted by more cyber-criminals than IP. In fact, attacks targeting IP are likely to increase as hostile nation states escalate their nefarious methods. Finally, much of the technology that facilitates innovation, such as the Cloud and cognitive computing, also introduces potential attack vectors. It is, therefore, of the utmost importance that organizations prioritize and address these vulnerabilities before an attack occurs.

Hierarchy of at-risk technology infrastructures:

59% R&D/IP

33% Desktop computing

33% Medical device technology

31% Corporate

29% Sales enablement

22% Supply chain




Likely source of cyber-attack

Nation-states 53%

Individual hackers 49%

Hacktivists 47%

Insider threats 44%

“It’s not enough that organizations detect their risks. There has to be a tight linkage to business strategy to ensure

that the most risk-laden assets are prioritized. This is about establishing and maintaining security of key information assets, not simply treating all breaches equally.

“Life sciences firms need to take inventory – rate the risk of each set of software, devices and associated networks – and then develop a strategy for minimizing, isolating and controlling the risks.”— Phil Lageschulte, Partner, Emerging Technology Risk

Network Leader, KPMG Advisory

WHAT TO DO NOW: Prioritize risks by business value

Assets perceived as vulnerable



Employee information

Supply chain

Patient information

Internal controls

Clinical research

Intellectual property

Financial information

49%

47%

82%

79%

24%

41%

28%



PeopleLife sciences organizations are aware that many breaches stem from human error or malicious intent. Effective leadership and training on prevention and detection would help mitigate these risks. And yet, 25 percent of life sciences organizations do not have a chief information security officer (CISO). Most are not providing training in cyber-security practices on a regular basis. And drills are focused more on senior leadership and IT staff than on the employee population as a whole.

Creating a balanced program (continued)

Cyber-incident preparation

Frequency of cyber-security training



On an annual basis

On a quarterly basis

Monthly

Weekly

As needed

32%

15%

11%

16%

26%

34% conduct individual employee response drills

38% conduct cyber-security programs for top leadership

28% conduct desktop drills for the IT department



“One of the recurring themes that we’ve seen in life sciences is that staffing has taken a low priority. It’s not a good approach, since a strong cyber-security program needs people, processes and technology. Failing to balance

those elements increases the risk of cyber-attack and stands in the way of a coordinated response.” — Phil Lageschulte, Partner, Emerging Technology Risk Network Leader,

KPMG Advisory

WHAT TO DO NOW: Ramp up staff training



Conclusion:Building a cyber-security-focused culture



The life sciences industry is transitioning from treatment to cure, collaborating across organizational and geographical borders, and pursuing mergers & acquisitions that elevate competitive advantage. This requires digital technologies that allow data to flow freely. However, for every step forward organizations take, cyber-criminals are progressing right alongside them with ever more aggressive means of system infiltration and data theft.

Organizations who ignore this reality are opening themselves up to unfathomable damage to their reputations, their finances and even their viability. From our perspective, a mindset shift must occur so that cyber security is viewed as an enabler of innovation. Whether organizations are focused on internal risks, risks associated with mergers and acquisitions, or risks arising from insufficient people, technology and procedural resources, addressing cyber security should be inseparable from pursuing growth.

“Many organizations believe they can address cyber security through a focus on technology alone,” concludes Liam Walsh. “However, if they are going to pursue an aggressive innovation agenda, it’s equally important to create a pervasive culture of cyber security, and that starts with people.

“A quarter of life sciences organizations don’t even have a CISO. You can have great technology for detection and response, but, if you don’t have the right people in place, empowered and engaged, organizations cannot correctly calibrate processes and focus efforts on the right risks and assets.

“Just as the most successful life sciences leaders are weaving innovation into the fabric of their organizations, a cyber-security mindset must be equally entrenched. Pursuing disruptive innovation without cyber security is like tightrope walking without a net.”



This cyber-security report is based on two separate surveys: one for life sciences organizations, which includes pharmaceutical makers, biopharma and medical device makers, and a second for healthcare payers and providers. A total of 200 executives were polled, 100 from each from these two core groups. Though many of the questions were asked of both sectors, others are unique to either the individual life sciences or healthcare samples. The data was analyzed by KPMG and fielded by Forbes Insights.

Life Sciences Sector (100 executives)

Title (200 executives) Annual Revenue (200 executives)

1 Payer 1 Provider1 Biopharma/pharma 1 Medical devices

1 Chief Technology Officer

1 Chief Information Officer

1 Chief Information Security Officer

1 Chief Security Officer

1 Over $10 billion

1 $5 billion to under $10 billion

1 $2 billion to under $5 billion

1 $500 million to under $2 billion

Healthcare Sector (100 executives)

Methodology

50

30

13

4030

17

29

22

20

50 50 50

50

30

13

4030

17

29

22

20

50 5050



How KPMG can helpKPMG’s Cyber-Security Services practice assists organizations in transforming their security, privacy and business continuity controls into business- and innovation-enabling platforms. We view security as a process, not a solution. Therefore, safeguarding IT networks and sensitive data from electronic attack should allow organizations to take control of uncertainty and turn risk into advantage. In particular, our clients are able to take cyber security to the next level and use it as a means to transform the enterprise.

Our teams have significant on-the-ground credentials in the cyber-security space, from pre-breach to post-breach, having been retained by some of the world’s largest organizations in life sciences, healthcare and other industries. Our work runs the gamut from strategy and governance, to large-scale security transformation programs, to a full range of cyber-risk and response services, including on-demand malicious code analysis, host- and enterprise-based forensics, network forensics, threat intelligence, and expert testimony.

KPMG Cyber Response Services professionals have experience working on all forms of cyber-crime, including insider threats, data breaches, hacktivism, and advanced persistent threat intrusions. On top of this foundation, KPMG has developed a proprietary cyber-security process refined through real-world experience and a focus on actionable results, rules of evidence, and intensive on-going security testing.



To learn more about our Healthcare & Life Sciences practice and capabilities, visit us at www.kpmg.com/us/healthcarelifesciences

Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.

©2017 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative(“KPMG International”), a Swiss entity. All rights reserved.

The KPMG name and logo are registered trademarks or trademarks of KPMG International.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.

Contact us

Liam A. WalshPrincipal, Healthcare & Life Sciences Line of Business LeaderKPMG [email protected]

Fred RicaPrincipal, KPMG Cyber Security Services KPMG LLP 973-912-4524 [email protected]

Sarat MynampatiManaging Director, KPMG Cyber Security ServicesKPMG [email protected]

Phil LageschultePartner, Emerging Technology Risk Network Leader, KPMG AdvisoryKPMG [email protected]

Katie DahlerPrincipal, U.S. Life Sciences Advisory LeaderKPMG [email protected]

kpmg.com/socialmedia

http://www.kpmg.com/us/healthcarelifesciences

https://home.kpmg.com/xx/en/home/social.html

https://home.kpmg.com/xx/en/home/social.html

https://www.linkedin.com/company/kpmg

https://www.facebook.com/KPMGUS/

https://www.youtube.com/user/KPMGMediaChannel

https://www.youtube.com/user/KPMGMediaChannel

https://twitter.com/KPMG_US

https://plus.google.com/+KPMGUSA/posts

http://www.instagram.com/kpmgus

life sciences innovation and cyber security: …...2018/10/03 · life sciences innovation and...

Documents