Cybercrime is an ever-evolving epidemic. Pharmaceutical companies face threats like phishing emails that pose as mail from reputable companies as well as malware and insider hacking. Some attackers will encrypt files and ask for a ransom to decrypt them, but not all cybersecurity threats are financially motivated; some hackers instead seek proprietary information like product formulas. Cybersecurity threats can cause major business problems, creating discontent among customers or outright errors in the flow of their products or services in the supply chain.
The proliferation of cyberattacks on major U.S.-based pharmaceutical manufacturers underscores the importance of taking a holistic approach to cybersecurity. In the first quarter of 2017, cyberattacks directed at private healthcare organizations outstripped those against public organizations.1 The theft of intellectual property, as well as disruption of operations stemming from hackers, are of extreme concern to companies throughout the healthcare sector. The more digitized the manufacturing process becomes, the greater the potential for an attack if a manufacturer is not able to secure its identified assets, define and enforce who can access those assets, and equip itself and reputable third parties beyond the organization with professional monitoring.
Identifying Valuable Assets and Setting Restrictions
As cyberattacks become stealthier, more sophisticated, and more impactful, it is critical for brand owners and manufacturers to implement a layered approach to security and put up as many hurdles as possible for potential intruders. The first step is identifying the company’s most valuable digitized assets. The company should identify and locate its “crown jewels,” and determine what the firm is obligated to protect from a regulatory perspective.2
PMMI, The Association for Packaging and Processing Technologies, helps equip members with the knowledge to navigate the global marketplace through the OpX Leadership Network. There is an expanding need to monitor events in the network and in the business and to make sure that there is a buffer between suppliers and companies. This is especially important now that many pharmaceutical companies outsource their packaging operations.
Restricting access to important data to only those who are required to have it is another key action. Cybersecurity starts with people. There is a need for both constant training and reinforcement of that training for everyone working with electronics. While people are a company’s greatest asset, they can also constitute a company’s biggest vulnerability. Any time data interacts with the outside, it becomes a point of concern. Both outsiders and internal groups should have secure systems and understand how to use them.
Companies should also recognize the vulnerability that comes with allowing a PC maintained by a service provider/OEM to connect to their systems. To resist attacks stemming from this practice, consumer packaged goods (CPG) companies have begun to mandate that service engineers use only PCs belonging to the customer on the customer’s network.
Profit is not the motivation of all hackers. Some are simply looking for challenges and will play around in networks to see what they can find, and others are former or disgruntled employees seeking revenge.3 Adopting a coordinated practice to teach staff how to safely and properly maneuver digitally, and implementing policies for handling sensitive information, represent best practices for limiting vulnerability and preventing attacks.
Pharmaceutical giant Merck & Co was hit by a massive cyberattack in June 2017, just a few weeks after a senior executive at the firm discussed the pharmaceutical sector’s vulnerability at a U.S. government committee meeting, pointing to more than a million health records exposed by breaches in recent years. The attack had an impact on Merck’s ability to supply its human papillomavirus (HPV) vaccine Gardasil, used to prevent cervical and related cancers.4 Implementing remediation measures in the wake of the attack cost around $175 million, pegging back the company’s gross margin in the third quarter of 2017, and forced Merck to borrow $240 million worth of Gardasil from U.S. government stockpiles. The event led to a disruption of its worldwide operations, including manufacturing, research, and sales operations, and affected both final product and active pharmaceutical ingredient manufacturing.
Looking Outside for Trained Resources
To avoid cyberattacks like the one that afflicted Merck, pharmaceutical manufacturers should employ tools that detect trouble beyond traditional security measures such as firewalls, access authentication, and anti-virus tools. Businesses should allocate security budget towards advanced intrusion detection systems that can reliably detect an ongoing intrusion and alert security.1 Exploring these practices will reduce the chances of an attack, or at the very least, alleviate impact in the event of one.
Pre-selecting a specialized vendor to assist in incident response and recovery is recommended. Working with a cyber incident vendor to install sound logging practices and other measures will facilitate both forensic analysis and risk mitigation. This will position the firm to respond quickly to an attack, ascertain what happened and, to the extent possible, limit the harm done.
There is a booming industry of businesses that offer solutions across all ranges of data sources to help organizations mitigate digital risk. Often, cybersecurity threats and risks span data sources and cannot be detected in full context by any single point solution or even by multiple solutions used in isolation. Additionally, monitoring social media for mentions of your company can help you determine if you have been or may be targeted, so you can proactively strengthen defenses.2
Find Solutions at Healthcare Packaging EXPO
As the pharmaceutical industry seeks new, advanced cybersecurity measures, PMMI’s OpX Leadership Network is developing a work product that guides OEMs working with CPGs to provide remote access in as secure a fashion as possible. The OpX Leadership Network is a catalyst for transformative solutions that improve operational excellence in today’s “do more with less, faster” environment. As companies struggle to add more security layers, OpX Leadership Network professionals can help outline the ways OEMs and customers can interface to keep their equipment operating without suffering problems associated with cyberattacks.
Pharmaceutical companies seeking the latest cybersecurity solutions can visit the PMMI-produced Healthcare Packaging EXPO, co-located with PACK EXPO International 2018 (Oct. 14-17; McCormick Place, Chicago). Healthcare Packaging EXPO provides access to a wide range of pharmaceutical and packaging technologies and offers real-world examples of how to deal with cybersecurity. Healthcare Packaging EXPO will showcase 300 exhibitors in one place from markets ranging from pharmaceuticals, biologics, and nutraceuticals to medical devices.
In addition to packaging solutions, the event will feature serialization insights and solutions in track-and-trace, automation and continuous processing, advanced automation, sensor-enhanced packaging, blockchain technology, and more.
About the Author
Tom Egan is Vice President of Industry Services at PMMI, The Association for Packaging and Processing Technologies.