Pharmaceutical companies and security
1. Pharmaceutical Companies
and Computer Security
Fidèle DEGNI | Juliette FOINE | Professor Christopher Yukna |
Ecole Nationale Supérieure des Mines de Saint Etienne
2. Why IT Security is Primary for
Pharmaceutical Companies?
“If you have anything of value, you will be targeted. You won't necessarily know by who.”
John Stewart, Chief Security Officer, Cisco Systems
3. Digitalization (1/2)
• Digital = hot topic in healthcare
• Devices -> connected into a medical Internet of
Things (“IoT”)
4. Digitalization (2/2)
• Big Data analytical techniques, in order to collect and process large
amounts of data
• Personalised drugs
5. At the same time... (1/2)
• There are cyber security breaches into sophisticated and well-
managed companies by hackers, criminals and nation states
• Intellectual property is stolen, confidential emails are shared publicly,
and medical records used to create fraudulent new identities
• For example US retailer Target’s data breach of 2014 involving a
reported 70 million credit card records, JP Morgan Chase’s data
breach involving 76 million accounts and Anthem’s loss of personal
information of its clients and employees earlier this year are some of
the recent major security breaches
6. At the same time... (2/2)
• In 2011, the UK government estimated that its pharmaceutical,
biotechnology and healthcare sector suffered £1.8b in losses arising
from theft of intellectual property (IP)
• The global market for pharmaceuticals is estimated to hit USD $1.1
trillion in 2015. Strong demand for new cures and high profits
associated with marketing new, patent-protected drugs drive fierce
competition in product development
• It is not surprising then that criminal elements have increasingly
targeted the intellectual property of pharmaceutical companies. The
cost of IP falling into a competitor’s hands, however, is difficult to
calculate
7. Cyber security risks (1/2)
• Compromised information leads to financial losses and reputational
damage, but compromised production systems could have far-reaching
impacts, including loss of life
• One key problem is that manufacturing systems often use
technology which is older than the internet itself,
meaning that these systems are inherently insecure
8. Cyber security risks (2/2)
• Another concern is integrity and availability.
• The same risks apply to medical devices
9. Data security (1/2)
• In all sectors of pharmaceutical industries, the use of IT systems
(Enterprise Resource Planning, ...) creates new needs in terms of
data security and working tools.
• There is not much difference between banks and pharmaceutical
industries: both have needs for traceability and confidentiality.
For pharmaceutical companies, there is intellectual property too.
10. Data security (2/2)
Nothing is more valuable to a pharmaceutical company
than the formula for one of its new drugs
11. What is the priority? (1/2)
• R&D phases
• Manufacturing
Indeed: we can imagine the panic if a computer virus destroyed
research data on a drug candidate developed over several years, or if a
computer crash forced production to halt for several days while the
problem was solved...
12. What is the priority? (2/2)
Pharmaceutical companies have a strong dependence on
computers. Any interference (availability, confidentiality,
integrity) with these systems can have serious
consequences for the various processes!
13. What can be done?
Company insiders, not outside hackers, are involved in more than two-thirds of all cyber cases
involving theft of intellectual property… Whether driven by opportunism, greed, a desire for
revenge, or a combination of all three, these insiders exploit their position of trust to obtain access to
their organization’s most valued digital assets
14. Regulations for IT security
• 21 CFR Part 11 (electronic
records and signatures)
• It ensures, for laboratories, the
traceability of all changes in the
system. Any change made by a
manufacturer must be traced:
who, what date and time, why,
etc. This provides a history of
everything about a product or
action
ISO 27001 standard
• This international standard
provides a framework and
methods to identify and maintain
a level of security appropriate to
the constraints that meet the
obligations and requirements of
stakeholders
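The who / date and time / why traceability described above for 21 CFR Part 11, sketched as a tamper-evident change log. This is an added example, not part of the original slides; the hash chaining, the field names and the sample records are assumptions made for illustration, not wording taken from the regulation.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed starting value for the chain


def _digest(entry: dict) -> str:
    # Canonical JSON so the same record always hashes to the same value.
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


def append_change(trail: list, who: str, when: str, what: str, why: str) -> dict:
    """Append one change record, linked to the hash of the previous record."""
    if not (who and when and what and why):
        raise ValueError("who, when, what and why are all mandatory")
    entry = {"who": who, "when": when, "what": what, "why": why,
             "prev": trail[-1]["hash"] if trail else GENESIS}
    entry["hash"] = _digest(entry)  # hash covers every field except itself
    trail.append(entry)
    return entry


def first_tampered(trail: list):
    """Return the index of the first record that fails verification, or None."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or _digest(body) != entry.get("hash"):
            return i  # record edited, removed before this point, or reordered
        prev = entry["hash"]
    return None


def build_sample_trail() -> list:
    # Constructed sample records, not taken from any real system.
    trail = []
    append_change(trail, "jdoe", "2015-03-02T09:14:00Z",
                  "batch 42: mixing time 30 -> 35 min", "deviation report DR-7")
    append_change(trail, "asmith", "2015-03-02T11:40:00Z",
                  "batch 42: released to packaging", "QA approval")
    append_change(trail, "jdoe", "2015-03-03T08:05:00Z",
                  "batch 43: supplier lot changed", "stock shortage")
    return trail
```

A chain like this only detects edits if the latest hash is also kept somewhere the person changing the records cannot rewrite, such as a separate system or a signed periodic export.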
15. Testing the IT security with audits
IT security companies are brought in, among other things, for audits of
existing systems.
They carry out penetration tests, which consist in trying to penetrate the system by
all means in order to detect security vulnerabilities.
Then they study the practices in place and also provide governance and risk
analysis services, often assisting the company's computer security manager.
Finally, they work on operational security, supporting the security infrastructure
or reacting to incidents.
16. Organizations need to do their part (1/2)
• Cyber risks resulting from interconnectivity to the internet and
enterprise systems must be taken into account as we increasingly
interconnect devices
• Organisations should analyse and understand the risks of increasing
connectivity together with assessing how their key assets are being
protected. It is crucial that security be included during the
design process, as an inherent part of any system
17. Organizations need to do their part (2/2)
• Educate and regularly train employees on security or other protocols
• Ensure that proprietary information is adequately, if not robustly,
protected
• Use appropriate screening processes to select new employees
• Provide non-threatening, convenient ways for employees to report
suspicions
• Routinely monitor computer networks for suspicious activity
• Ensure security (to include computer network security) personnel
have the tools they need
18. Location of the business / context to
become expert in computer security
For several years, the share of a company's budget allocated to IT security has
been increasing much faster than other budgets.
With the explosion of cybercrime and the increasing complexity of
information systems, companies are often looking for new computer security
experts. Because the security of an organization's data has become a strategic
challenge, the IT security expert will often have a special status within a
company, and loyalty to the employer will often be rewarded.
Digital health is a hot topic in healthcare, offering more effective and more efficient personalised healthcare to patients and carers
Devices such as fitness trackers, heart monitors and insulin pumps are connected into a medical Internet of Things (“IoT”) to enable us to monitor our activity, heart rate, and blood pressure
Pharmaceutical and health companies can apply Big Data analytical techniques to collect and process large amounts of data
Digitisation enables pharmaceutical companies to create personalised drugs based on individuals’ genomic sequences, more effective measurement of drug uptake and efficacy, and enables a closer relationship between pharmaceutical companies and patients
The 2014 JPMorgan Chase data breach was a cyber-attack against American bank JPMorgan Chase that is believed to have compromised data associated with over 83 million accounts – 76 million households (approximately two out of three households in the country) and 7 million small businesses.[1] The data breach is considered one of the most serious intrusions into an American corporation's information system and one of the largest data breaches in history.[2][3][4]
The attack – disclosed in September 2014 – was discovered by the bank's security team in late July 2014, but not completely halted until the middle of August.[3][5] The bank declared that login information associated with the accounts (such as social security numbers or passwords) was not compromised but names, email and postal addresses, and phone numbers of account holders were obtained by hackers, raising concerns of potential phishing attacks.[4][6]
They were designed as specialised and isolated systems and not built to withstand cyber security attacks
As a patient, I am more concerned if my recorded blood type is changed (integrity) than if my blood type is divulged (confidentiality).
Medical devices. Vulnerabilities in the design or implementation of a medical device such as an insulin pump or in anything interconnected to such devices could result in loss of device integrity and potential harm to patients if they are exploited in a cyber-attack
Indeed = en effet
FD
CFR = Code of Federal Regulations, edited by the FDA
ISO : international standard organization