Small exposé about pharmaceutical companies and computer security system

1. Pharmaceutical Companies
and Computer Security
Fidèle DEGNI | Juliette FOINE | Professor Christopher Yukna |
Ecole Nationale Supérieure des Mines de Saint Etienne

2. Why IT Security is Primary for
Pharmaceutical Companies?
“If you have anything of value, you will be targeted. You won't necessarily know by who.”
John Stewart, Chief Security Officer, Cisco Systems

3. Digitalization (1/2)
• Digital = hot topic in healthcare
• Devices -> connected into a medical Internet of
Things (“IoT”)
3

4. • Big Data analytical techniques, in order to collect and process large
amounts of data
• Personalised drugs
Digitalization (2/2)
4

5. At the same time... (1/2)
• There are cyber security breaches into sophisticated and well-
managed companies by hackers, criminals and nation states
• Intellectual property is stolen, confidential emails are shared publicly,
and medical records used to create fraudulent new identities
• For example US retailer Target’s data breach of 2014 involving a
reported 70 million credit card records, JP Morgan Chase’s data
breach involving 76 million accounts and Anthem’s loss of personal
information of its clients and employees earlier this year are some of
the recent major security breaches
5

6. • In 2011, the UK government estimates its pharmaceutical,
biotechnology and healthcare sector suffered ₤1.8b in losses arising
from theft of intellectual property (IP)
• The global market for pharmaceuticals is estimated to hit USD $1.1
trillion in 2015. Strong demand for new cures and high profits
associated with marketing new, patent-protected drugs drive fierce
competition in product development
• It is not surprising then that criminal elements have increasingly
targeted the intellectual property of pharmaceutical companies. The
cost of IP falling into a competitor’s hands, however, is difficult to
calculate
At the same time... (2/2)
6

7. Cyber security risks (1/2)
• Compromising information leads to financial losses and reputational
damage, but compromised production systems could have far
reaching impacts including loss of life
• One key problem is that the use of manufacturing systems often HAS
technology which is older than the internet itself,
meaning that these systems are inherently insecure
7

8. • Another concern is integrity and availability.
• The same risks apply to medical devices
Cyber security risks (2/2)
8

9. Data security (1/2)
• In all sectors of pharmaceutical industries, the use of IT systems
(Enterprise Resource Planning, ...) creates new needs in terms of
data security and working tools.
• There is no much difference between banks and pharmaceutical
industries : they have needs for traceability and confidentiality.
For pharmaceutical companies, there is intellectual property too.
9

10. Nothing is more valuable to a pharmaceutical company
than the formula for one of its new drugs
Data security (2/2)
10

11. What is the priority? (1/2)
• R&D phases
• Manufacturing
Indeed : we can imagine the panic, if a computer virus destroyed
research data on drug candidate developed for several years, or if a
computers crash forced to halt production for several days to solve the
problem...
11

12. Pharmaceutical companies have a strong dependence on
computers. Any interference (availability, confidentiality,
integrity) at these systems can have serious
consequences on the various processes !
What is the priority? (2/2)
12

13. What can be done?
Company insiders, not outside hackers, are involved in more than two-thirds of all cyber cases
involving theft of intellectueal property… Wether driven by opportunism, greed, a desire for
revenge, or a combination of all three, these insiders exploit their position of trust to obtain acces
their organization’s most valued digital assets

14. Regulations for IT security
• 21 CFR Part 11 (electronic
records and signatures)
• : It ensures the laboratories
traceability of all changes in the
system. Indeed, any changes
made by a manufacturer must
be drawn: who, what date and
time, why, etc. This allows for a
history of everything about a
product or action "
Norme ISO 27 001
• This international standard
provides a framework and
methods to identify and maintain
a level of security appropriate to
the constraints that meet the
obligations and requirements of
stakeholders
14

15. These IT security companies are involved including for audit of existing
systems missions.
They play penetration tests, which consist in trying to penetrate the system by
all means to detect security vulnerabilities.
Then, they study the practices, and also provide governance services, risk
analysis, often attending the computer security manager of the company .
Finally, they work on operational safety for support on the security infrastructure
or for reaction to incidents "
Testing the IT security with audits
15

16. Organizations need to do their
part 1/2
• Cyber risks resulting from interconnectivity to the internet and
enterprise systems must be taken into account as we increasingly
interconnect devices
• Organisations should analyse and understand the risks of increasing
connectivity together with assessing how their key assets are being
protected. It is crucial that security must be included during the
design process and as an inherent part of any system
16

17. • Educate and regularly train employees on security or other protocols
• Ensure that proprietary information is adequately, if not robustly,
protected
• Use appropriate screening processes to select new employees
• Provide non-threatening, convenient ways for employees to report
suspicions
• Routinely monitor computer networks for suspicious activity
• Ensure security (to include computer network security) personnel
have the tools they need
Organizations need to do their
part 2/2
17

18. Location of the business / context to
become expert in computer security
For several years, the budget of an undertaking allocated to IT security is
increasing much faster than other budgets.
With the explosion of cybercrime, and with the increasing complexity of
information systems, companies are often looking for new computer security
experts. The security of an organization's data has become a strategic
challenge, the IT security expert often will have a special status within a
company, and loyalty to the employer will often be rewarded.
18

19. Thank you for listening!
Questions?
19

20. References
• http://www.industrie.com/pharma/n-oublions-pas-la-securite,41826
• http://www.usine-digitale.fr/article/industrie-4-0-et-securite-informatique-les-nouvelles-
menaces.N337102
• http://www.ordre.pharmacien.fr/Le-patient/La-protection-des-donnees-de-sante
• http://etudiant.aujourdhui.fr/etudiant/metiers/fiche-metier/expert-en-securite-informatique.html
• http://www.europeanpharmaceuticalreview.com/35994/news/blog/cyber-security-in-
pharmaceuticals/
• http://www2.deloitte.com/jp/en/pages/life-sciences-and-healthcare/articles/ls/cyber-security-
ls.html
• https://www.ft.com/content/a6b09006-e5c9-11e3-aeef-00144feabdc0
20