Strengthening Cybersecurity in the Pharmaceutical Industry
In the pharmaceutical industry, the rapid digital transformation brings both opportunities and challenges, particularly around cybersecurity. As companies embrace new technologies, from AI-driven systems to interconnected medical devices, safeguarding sensitive patient data becomes a paramount concern. Despite evolving regulations and advanced security measures, high-profile breaches continue to make headlines, underscoring the need for a proactive, multifaceted approach to data protection. In this Q&A, Brad Gallagher, Partner at Barclay Damon, provides his expert insights on the current cybersecurity landscape in pharmaceuticals, the role of regulations, and the steps companies must take to mitigate cyber risks while driving innovation.
Balancing Innovation and Data Security in Pharma
Pharma IQ: With the rapid digital transformation in healthcare, particularly in the pharmaceutical industry, how do companies strike a balance between innovation and ensuring data security?
Brad Gallagher: Striking a balance between innovation and data security requires a multifaceted approach. The key is to develop a strong data governance framework that ensures data management practices comply with regulations and best practices, particularly as they apply to sensitive information. Data security is also critical, including the use of encryption, multifactor authentication, and threat detection. Given the rapid pace of transformation, incorporating security measures at an early stage that can be built on and progressively updated is also key to development in the future.
We recommend partnering with specialists in cybersecurity to implement safeguards and with compliance and legal professionals to develop appropriate policies and procedures. Regular training of employees is also crucial, as threats are increasingly sophisticated. Conducting regular internal and external audits and assessments to test systems and identify vulnerabilities also aids in creating a secure environment.
The Impact of New Regulations on Pharma Cybersecurity
Pharma IQ: Recent regulations and laws have increased security and reporting requirements. Can you elaborate on how these have impacted pharmaceutical companies, and are they enough to prevent large-scale breaches?
Brad Gallagher: The recent regulations and laws have had significant impacts on pharmaceutical companies, as they have increased the compliance burden requiring an investment in infrastructure that includes updated technology, training, and auditing. The regulations have necessitated the adoption of more-robust cybersecurity measures, such as multifactor authentication and access controls. Mandatory reporting requirements have also created an environment of increased accountability and transparency, which encourages companies to take these events seriously.
While the laws and regulations are helpful to establishing a baseline, they certainly will not prevent a large-scale breach. Threats are constantly evolving and becoming more sophisticated. Human error is a constant threat, and training will not eliminate that risk. We can all fall for a phishing attack or utilize the same password over multiple devices or access points. Moreover, regulators will always be playing catch-up.
Healthcare Data Breaches: Rising Threats and Underlying Causes
Pharma IQ: Despite new laws, healthcare data breaches are on the rise, as demonstrated by incidents involving major firms like Cencora and Change Healthcare. What do you think are the underlying reasons for this increase, and what more needs to be done?
Brad Gallagher: My understanding of these attacks is that some companies are still utilizing legacy systems that are outdated and are not compliant with current security standards. This creates vulnerabilities. Investing in advanced technologies, education, and training are paramount to strengthening this essential infrastructure. Preparedness training for a cyber incident and knowing what to do and how to handle it are also imperative to safeguarding data and limiting the damage after an event occurs.
Safeguarding AI Systems and Medical Devices in Pharmaceuticals
Pharma IQ: Why are AI systems and medical devices particularly vulnerable to cyberattacks, and what can pharmaceutical companies do to safeguard these technologies?
Brad Gallagher: These systems and devices are often interconnected to networks or platforms that can provide access to attackers. The complexity of these systems and devices creates unforeseen vulnerabilities, as they are still new to many of us and are constantly being tested by attackers. Some systems and devices being used may also be relying on outdated software or insufficient security protections that reveal vulnerable entry points.
To protect against these threats, incorporating security in the initial design and development of the system or device, while also providing regular security updates and patches, are important. In addition to incident preparedness and employee training, active surveillance and assessments will also help to prevent an attack. As part of effective preparedness measures, having the right partners in the event of an attack is also key to protecting against, stopping, and recovering from cyberattacks.
The Rise of Multifactor Authentication in the Pharma Sector
Pharma IQ: Multifactor authentication is a vital aspect of securing sensitive data, especially for companies handling controlled substances. How widely is this being adopted, and are there challenges in implementation?
Brad Gallagher: Multifactor authentication (MFA) has become increasingly essential for securing sensitive data. Our experience is that MFA is becoming increasingly adopted among our clients, as they recognized the heightened risk of data breaches and the regulatory scrutiny that can follow. Many businesses are implementing MFA to comply with HIPAA, DEA regulations, and other requirements.
The challenges of implementation are employees who push back because of the extra steps for authentication, integration with legacy systems, and cost—particularly for smaller businesses. We continue to reassure clients that the benefits outweigh the drawbacks and demonstrate that protecting against cyber threats is a top priority.
Pharma Cybersecurity: Emerging Trends and Technologies
Pharma IQ: What emerging cybersecurity trends or technologies should pharmaceutical companies keep on their radar to stay ahead of potential threats?
Brad Gallagher: The emerging trend is artificial intelligence and machine learning. These technological advances are going to help lead the next wave of prevention, detection, and response. They will hopefully make it harder for attackers to be successful; however, the counterpoint is that they also may result in more sophisticated attacks as well.
Another emerging trend is employing access controls to verify user identity and device integrity. Limiting employees to access only information that they need to perform their job and compartmentalizing systems to segment data can also help in the event of a breach.
Also, as more businesses continue to move their data to the cloud, it is critical to ensure that cloud systems are safe and encrypted and to monitor the data being stored in the cloud versus locally. Investing in backup solutions to ensure a rapid recovery in the event of a ransomware attack is also being done. This minimizes downtime and data loss.
Conclusion: Proactively Preparing for Pharma Cybersecurity Threats
The pharmaceutical sector faces unique cybersecurity challenges as it continues to integrate new technologies and adapt to evolving regulations. As Brad Gallagher points out, a proactive, security-first mindset is essential in reducing vulnerabilities and building robust infrastructure. While compliance with laws provides a foundation, the industry must go beyond regulations to address emerging threats, including those posed by legacy systems and human error. For pharmaceutical companies, safeguarding sensitive data isn’t just a regulatory requirement—it’s key to maintaining trust with patients, partners, and regulators in an increasingly interconnected world.