An overview of Cybersecurity in GxP Environment

What is Cybersecurity?

According to The National Institute of Standards and Technology (NIST) of the U.S. Department of Commerce, Cybersecurity is the process of protecting information by preventing, detecting, and responding to attacks.

In other words, Cybersecurity is a set of actions taken by Companies, stakeholders and or other third-parties to reduce risk to systems and information in cyberspace. These actions combine all aspects of information security to address needs for Confidentiality, Integrity, and Availability (known as the “CIA triad”) with critical information infrastructure protections [1].

How the cybersecurity is applied to GxP-Regulated environment?

The US Healthcare and Public Health Sector Coordinating Councils and Health and Human Services (HHS) collaborated to provide further best-practice recommendations for preventing data breaches and other cyberattacks in a document published Dec. 28, 2018, and the U.S. Food and Drug Administration addressed the growing IoHT (“Internet of Healthcare Things”) in November 2016 by updating the nearly 20-year-old 1997 guidance document for manufacturers to submit reports about potential defects in medical devices [2].

However, in the context of protecting GxP-regulated computerized systems, cybersecurity is a method of applying technical and procedural controls to reduce risk to both systems and patient safety. This is accomplished in two ways:

• Identifying and addressing system vulnerabilities and data integrity threats
• Providing traceability to established frameworks and technical controls for computerized systems validation (CSV) and corrective and preventive action (CAPA). These activities are implemented via an information security management system (ISMS), which operates according to established cybersecurity frameworks as well as internal company policies and procedures.

This holistic view will be to implementing cybersecurity within GAMP 5 guidelines challenging, because centralized production systems in any industry become problematic due to the individual nature of cybersecurity control requirements [1].

Why Cybersecurity is becoming an important issue for the pharmaceutical industry

In an increasingly interconnected world, the pharmaceutical and biotechnology sectors need to be aware and take care of cybersecurity threats in GxP-Regulated manufacturing Facilities.

Holger Mettler, cybersecurity expert said during an interview he gave to: “Many companies, especially those that need to invest in their existing facilities and machinery, know that their suppliers rely heavily on digitized and IT-based systems. The industry increasingly favours the concept of paperless production but unfortunately, some manufacturers still rely heavily on paper. In my opinion, digitized and IT-based systems have not yet really entered pharmaceutical manufacturing.”[3]

Practically, that means Cyberattacks on the pharmaceutical industry have been common for some time, Holger Mettler said. If cybercriminals are able to access R&D and manufacturing data, companies whose data have been stolen or compromised risk becoming the target of blackmail.

To optimize their productivity, the responsibilities for computer infrastructure and software are now in many cases outsourced to providers “as-a-service”. Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS), and Platform-as-a-Service (PaaS) bring new dimensions to the validation process. The questions are “How do I maintain the validated state in the cloud?”, “how do I validate IaaS, SaaS, and PaaS? “how can I ensure data integrity in the cloud” and “what due diligence do I need when I deploy cloud or service based systems I believe the most important questions are on protecting validated systems against cyber-attacks, on providing global agencies with documented evidence that a company has completed the requisite due diligence regarding cybersecurity[4].

Cyberattacks against the pharmaceutical sector: The facts

Hackers are launching cyberattacks against the pharmaceutical sector more than other industries, with phishing campaigns more than doubling in the last year. Phishing attacks and fraudulent business email compromise against the pharmaceutical sector have jumped 149 percent in the past year, making the biopharma sector the most targeted industry by hackers [5].

Some Researchers analyzed attacks against Fortune 500 companies and found that pharmaceutical companies were the most targeted by hackers in the last quarter with an average of 71 fraud attacks per business. In fact, there have been 282 attacks on the pharma industry this year [6]. Drug manufacturers are a prime target given the intellectual property on medicines and new compounds, which could be profitable on dark web markets.

In 2017, one study revealed that about 54% of companies experienced one or more successful attacks that compromised data and/or their larger IT infrastructure at some point in the year. A massive 77% of those attacks utilized file-less techniques— meaning that instead of tricking someone into downloading and installing a virus, the attacks were executed using vulnerabilities that were already there [7].

Charles River Laboratory

According to biospace.com, in May 2019, sophisticated cyber thieves hacked into the database of Charles River Laboratory and compromised some client data. Hacks like this have happened before and they are bound to happen again – perhaps sooner, rather than later. Andrew Douthwaite, chief technology officer for Colorado-based VirtualArmour, a cybersecurity company, told BioSpace that biotech and pharma companies are desirable targets for hackers and cyber thieves due to the value of the intellectual property. Out of five major business sectors, Douthwaite said the pharma industry is the second highest target for hackers. Because of the richness of the targets, as well as gaps in cybersecurity, Douthwaite said it’s only a matter of time before another significant hack occurs within the pharma industry [8]. Following the hacking earlier this month, Charles River said it will aggressively move to further secure its information systems. The company will add enhanced security features and monitoring procedures to further protect its client data.

Bayer AG, German Company

Bayer has revealed an attempt to compromise the company’s networks through a cyberattack but has assured interested parties that the breach has been contained. The German drug manufacturer said in a statement that infectious software was discovered on Bayer systems back in early 2018. Rather than remove the malware, the company elected to keep a covert eye on the software to try and work out its purpose, as well as who was responsible for implanting the malicious code. The malware was removed at the end of March, concluding Bayer’s espionage activities on its own networks. Damage is currently being assessed [9].

Merck Cyber Attack

In June of 2017, word first broke that Merck was just one of more than a dozen businesses that were hit with a massive ransomware attack that ultimately ended up affecting organizations all over the world. One morning, Merck employees arrived in the company’s offices all over the world to find a ransomware message on their computers. There was not a single location within the company that managed to get by unscathed. Merck was quick to discover what so many other organizations already know: ransomware attacks are not to be trifled with. By the time the incident was said and done, the organization suffered a total worldwide disruption of its operations and this forced a halt on the production of new drugs, which ultimately made a significant impact on its revenue for the year. But Merck wasn’t the only entity affected by this incident. It was estimated in October of 2017 that insurers could be forced to pay out as much as $275 million to cover the insured portion of the drugmaker’s loss from the ransomware attack [7].

Tandigm Health

Data of 7,000 Tandigm Health Patients Exposed by Site Vulnerability: A phishing attack and website flaw were behind two breach notifications this week, but a third-party vendor hack caused the biggest healthcare data breach of 2018. On Sept. 25, 2018, Tandigm officials discovered a potential website flaw and launched an investigation alongside a forensics investigation team to determine whether the data was breached. While officials did not discover evidence of unauthorized access, they couldn’t rule out compromise [10].

Atrium Health

A total of 2.65M Atrium Health Patient Records Breached in Third-Party Vendor Hack”: The largest healthcare data breach of 2018 was caused by a hack on billing vendor AccuDoc Solutions, compromising patient data for a week. According to the Atrium notification, AccuDoc told Atrium Health on October 1 that some of its databases were compromised in a cyberattack. Upon discovery, access was terminated and officials launched an investigation. AccuDoc also took steps to secure the impacted database and systems [11].

Key Dental Group

Dental Breach Notification Sparked by EMR (Electronic Medical Records) Vendor Refusal: The vendor, MOGO, refused to return a patient database after the end of its contract with Key Dental Group in October, a violation of HIPAA (US Health Insurance Portability and Accountability Act -1996) and the end user license agreement. According to officials, Key Dental received a notification from its EMR vendor MOGO that it would not return the dental group’s EMR database as required at the termination of its end user license agreement. It violates both the EULA and several portions of HIPAA. As Key Dental can no longer view or monitor the database to ensure the security of patient data, officials have begun to notify patients [12].

So, you should know that this is not a problem that discriminates. Hackers and other people with malicious intentions are regularly targeting a lot of specialized industries like biotechnology and pharmaceuticals because the value of the information they can obtain is very high on the black market [13]. Knowing that, do you still think you’re too small to consider the impact cyber security has on your organization? According to another recent study, an estimated 60 percent of all small businesses in particular that suffer a cyberattack will be totally out of business within just six months.

Medtronic implantable cardiac devices

In October 11, 2018, the U.S. Food and Drug Administration issued a safety communication regarding cybersecurity vulnerabilities in two models of Medtronic programmers, specifically Carelink and Carelink Encore, used with cardiac implantable electrophysiology devices, which include pacemakers, implantable defibrillators, cardiac resynchronization devices and implantable cardiac monitors [14].

In addition to the safety communication, today, the FDA approved a software update from Medtronic to reduce the risk that the current vulnerability could be exploited. The software update will allow providers to continue using the programmers without connecting to the internet. The FDA considers this corrective action by the company to be a voluntary recall.

Cybersecurity framework

According to FDA, All medical devices carry a certain amount of benefit and risk. The FDA allows devices to be marketed when there is a reasonable assurance that the benefits to patients outweigh the risks. FDA also stated that threats and vulnerabilities cannot be eliminated, therefore, reducing security risks is especially challenging. The heath care environment is complex, and manufacturers, hospitals, and facilities must work together to manage security risks.

The FDA encourages medical device manufacturers to address cybersecurity risks to keep patients safe and better protect the public health. This includes monitoring, identifying, and addressing cybersecurity vulnerabilities in medical devices once they are on the market.

In general, Biopharma industries do not need to reinvent the wheel. The National Institute of Standards and Technology (NIST) developed a cyber security framework (Fig. 1).

The Framework provides an approach to prioritize cybersecurity resources, make risk decisions, and take action to reduce risk. It enhances cybersecurity communication within an organization and with other organizations (such as partners, suppliers, regulators, and auditors) and helps organizations identify, manage, and assess cybersecurity risks.

One key consideration is the way Pharma Company and Manufacturer will mitigate the cybersecurity risks. In fact, Pharma companies:

• Are responsible for remaining vigilant about identifying risks and hazards associated with the computerized systems, including risks related to cybersecurity.
• Must evaluate their network security and protect their database from data breaches.
• Are responsible for putting appropriate mitigations in place to cybersecurity risks and ensure proper network and electronic device performance.

Cybersecurity Policies and governance

Policies and Governance plays an extremely important role in achieving the security objective of the organization not only for current needs, but also to ensure well-drafted mitigation plans for future cyber-risks. An effective cyber security program should be overseen by the board of directors as part of its oversight of the organization’s risk management activities [16]. As with other risk programs, the board should set its expectations and accountability for management and ensure there are adequate resources, funding and focus for its cyber security activities.

Now every board knows its organization will fall victim to a cyberattack, and even worse, that the board of directors will need to clean up the mess and superintend the fallout, the next step is to put in place cybersecurity governance, policies, practices and procedures that provide a critical indicator of cybersecurity wellness. The cybersecurity policies and governance should be one of the primary focuses of any cybersecurity due diligence effort.

Threat landscapes, activists, random hackers and state sponsored actors constantly evolve, refining their techniques, altering their motivations and shifting their resources, so the best approach for a cybersecurity due diligence team is to avoid checklists and conduct cybersecurity due diligence in a thoughtful and holistic manner. Effective cybersecurity due diligence carefully considers changing threat actors, advance network telemetric and emerging attack vectors. When contemplating cybersecurity, most organizations allocate significant resources to fortifying their networks and to denying access to cyber-attackers [17]. However, it is now a cliché, well-founded in reality, that data breaches are inevitable. As cybersecurity experts have noted, “There’s a saying in the cybersecurity industry that there are two types of businesses today: Those that have been breached and know it and those that have been breached and just don’t know it.”

Lastly, implementing an efficient cybersecurity policies and governance should include, but not limited to the following:

Risk Management: Managing cybersecurity risk is a complex, multi-faceted undertaking that requires the involvement of the entire organization, from senior management to individuals developing, implementing, and operating corporate business systems.

Personnel Security Policy: A Human Resources Information Security program shall be designed and established to reduce the risks of human error, theft or misuse of corporate information assets.

Identity Assurance: Identity assurance ensures strong identification and authentication as well as eliminates anonymity in information systems so that access and access behavior are visible, traceable, and enable continuous monitoring for cybersecurity. 

Incidence Response Plan (IRP): an important starting point for analysis during any cybersecurity due diligence exercise.

Business Continuity Plan (BCP): needs to be evaluated in the context of assessing cybersecurity risks. BCP is important when dealing with the impact of, and recovery from, a cyber-attack.

IT Security Budgeting: C-suite executives need to view cybersecurity as their company’s immune system, which needs flexible funding and talent to avoid the severe losses commonly associated with cyber-attacks.

Drills and Table-Top Exercises: enable organizations to analyze potential emergency situations in an informal environment and allow to determine where to bring some improvements.

Cyber Insurance: a cybersecurity risk response to mitigate and /or reduce cyberattack impact on/in the organization.

Third Party Cybersecurity Due Diligence: Boards should be concerned if any third party vendor has access to an organization’s networks, customer data or other sensitive information or if there exists any sort of other cybersecurity risk of the outsourced function.

Bring Your Own Devices (BYOD): Policy should be in place for controlling BYOD devices including all applications contained therein.

Cloud-based Infrastructure and Application: As cyber-attacks on cloud environments have reached almost the same level as attacks on traditional IT; Boards should probe a company’s cloud related practices.

Integration and Interoperability: cybersecurity will be designed, organized, and managed to enable computerized systems and applications to work together in any combination that events demand and maintain an expected level of readiness so that all required cybersecurity assets can be brought to bear in a rapid and flexible manner to meet new or changing needs. 

Periodic Review Plan: Staying current is the key. The C-suite also should be briefed routinely about current threats, together with practices, policies and procedures for addressing suddenly emerging cybersecurity threats.

Lessons Learned from Cyberattacks: Boards should have an understanding of how many Cyberattacks organization has experienced; the specific actions the organization is taking to deter cyberattacks; and how the organization has learned from prior Cyberattack attempts.

References

1- John T. Patterson, Jason N. Young (2018), Bringing Cybersecurity to GxP Systems, ISPE Pharmaceutical Engineering Magazine, Technical | July / August 2018; https://ispe.org/pharmaceutical-engineering/july-august-2018/bringing-cybersecurity-gxp-systems (accessed: 2019-07-20)

2- Laura French, Associate Editor,  Will Biotech and Pharma Be Prepared for This Year’s Cyber Threat-s?,; https://www.rdmag.com/news/2019/02/will-biotech-and-pharma-be-prepared-years-cyber-threats (accessed: 2019-07-19)

3- Cybersecurity is an important issue for the pharmaceutical industry – Healthcare industry, https://www.gesundheitsindustrie-bw.de/en/article/news/cybersecurity-is-an-importantissue-for-the-pharmaceutical-industry, (accessed 2019-07-19)

4- Valarie King-Bailey, Apr 25, 2018 7:00 am PDT, Cybersecurity and CyQ, http://www.ivtnetwork.com/article/cybersecurity-and-cyq (accessed: 2019-07-20)

5- Jessica Davis, November 30, 2018, Pharmaceutical Companies Most Targeted Industry by Cybercriminals; https://healthitsecurity.com/news/pharmaceutical-companies-most-targeted-industry-by-cybercriminals  (accessed: 2019-07-19)

6- Healthcare Cybersecurity; proofpoint.com https://www.proofpoint.com/us/resources/threatreports/quarterly-threat-analysis (accessed: 2019-07-20)

7- Chris Souza, Nov 15, 2018; Pharmaceutical Executive; What Has Pharma Learned from the Merck Cyber Attack; www.pharmexec.com/print/367726?page=full (accessed: 2019-07-20)

8- Alex Keown; May 22, 2019; More Hacks Inevitable in Pharma Industry; Cybersecurity Expert Says; (accessed: 2019-07-20)

9- Charlie Osborne for Zero Day | April 4, 2019 — 10:53 GMT Pharmaceutical giant Bayer targeted by cyberattack, threat ‘contained’, https://www.zdnet.com/article/drug-firm-bayer-targeted-by-cyberattack-threat-contained/ (accessed: 2019-07-20)

10- https://healthitsecurity.com/news/data-of-7000-tandigm-health-patients-exposed-by-site-vulnerability (accessed: 2019-07-20)

11- https://healthitsecurity.com/news/2.65m-atrium-health-patient-records-breached-in-third-party-vendor-hack (accessed: 2019-07-20)

12- https://healthitsecurity.com/news/dental-breach-notification-sparked-by-emr-vendor-refusal (accessed: 2019-07-20)

13- Chris Souza, Guest Column | October 12, 2018; The State Of IT Security In The Pharma Industry Today; https://www.lifescienceleader.com/doc/the-state-of-it-security-in-the-pharma-industry-today-0001 ; (accessed 2019-07-19)

14- FDA In Brief: FDA warns patients, providers about cybersecurity concerns with certain Medtronic implantable cardiac devices; October 11, 2018; https://www.fda.gov/news-events/fda-brief/fda-brief-fda-warns-patients-providers-about-cybersecurity-concerns-certain-medtronic-implantable; (accessed 2019-08-23)

15- National Institute of Standards and Technology (2014) Framework for Improving Critical 5663 Infrastructure Cybersecurity, Version 1.0. (National Institute of Standards and 5664 Technology, Gaithersburg, MD), February 12, 2014. 5665 https://doi.org/10.6028/NIST.CSWP.02122014

16- Cybersecurity; Deloitte. https://www.corpgov.deloitte.ca/en-ca/Pages/StrategyAndRisk/cybersecurity.aspx; (accessed 2019-08-23)

17- Top cybersecurity concerns for every board of directors, part one: cybersecurity governance by John Reed Stark, https://listingcenter.nasdaq.com › NASDAQ_Series_Part_One_Governance; (accessed 2019-08-23)

About the author: Kossi Molley, PMP., LSSBB., Chemist