Life Science

Written by Renate Pochert, Senior Risk Engineer and Life Science Practitioner, and Wouter Wissink, Senior Principal Cyber Risk Engineer and Technology Industry Practitioner

Life science companies are exposed to many cybersecurity risks that are particular to their sector. Pharmaceutical and Biotechnology companies, medical device companies and service organisations such as testing laboratories or contract research organisations have a great deal of valuable data, critical Operational Technology (OT) or IT systems or intellectual property (IP) which should be managed, secured and protected. 

While the fundamental principles of cyber security apply to almost every business in any industry, this list highlights specific areas to focus on for life science companies in the UK and Europe. 

IT risk analysis

Common cyber risks for life science companies include:

• Hacks to medical devices such as insulin pumps or pacemakers 

• Theft of patient data from hospital networks or clinical trials’ IT systems via Life Science products or services

• Manipulation of environmental management systems

These attacks can have serious consequences, such as device malfunction, production disruption, financial loss, reputational damage and compromised patient safety. 

Involving IT specialists in the risk analysis process can identify cyber-security vulnerabilities and plan mitigation strategies or implement tighter security measures. IT risk analyses can also help to mitigate IT-related risks that could impact device reliability and functionality. 

OT controls

Monitoring the security of Operational Technology – such as laboratory or dedicated production equipment – is as important as IT for life science companies. Regular system scans, vulnerability assessments and 24/7 network monitoring can help to detect and identify anomalies and facilitate swift response to suspicious activities. Regularly installing security patches and updating software can mitigate any potential vulnerabilities.

Data protection 

Many life science companies can manage vast amounts of medical data which could have serious consequences if seized or tampered with by cyber attackers. Data should be categorised into risk classes, with protected health information (PHI) granted the strictest level of protection and access restricted to only those employees who need it. Using data protection measures such as encryption in databases, laptops and systems that are connected to the internet can make it more difficult for malicious agents to access this information. Also ensure compliance with local data regulation such as GDPR. Highly sensitive corporate information intrinsic to the value of the company also needs strict controls within the corporate network.

Multi Factor Authentication

Multi factor authentication (MFA) can provide an additional layer of security by requiring employees to authenticate their identities through multiple methods. This significantly reduces the risk of unauthorised access. Additionally, MFA can help life science companies to log and trace each authentication event, allowing them to identify individuals who have accessed data or systems. This functionality enhances accountability, helps in identifying potential data corruption or breaches, and enables immediate action to be taken in case of any suspicious or hostile activities.

Physical protections

Ensuring premises are physically secure can help to protect life science companies’ valuable data and intellectual property. Conduct thorough screening of personnel, particularly those that have access to sensitive data. If data storage or critical IT or OT infrastructure is housed on site, it may be useful to purchase an uninterruptible power supply or emergency power generator. Consider secure storage of valuable assets with appropriate access control systems for employees and visitors.

Incident response planning

Life science companies can effectively plan for cyber incidents by implementing a comprehensive disaster recovery plan (DRP) that outlines step-by-step procedures for responding to and recovering from cyberattacks. This includes establishing clear protocols for incident reporting, including to the relevant Data Protection Authority, incident management, and communication strategies. It’s also recommended to regularly test the DRP and provide ongoing training to employees on the response plan. Also implementing a business continuity plan (BCP) can help ensure that business activities continue as much as possible following an incident.

Summary

As life science companies gather and manage PHI data, their own proprietary data and intellectual property, it’s recommended that they take care to protect against cyber vulnerabilities . All the steps suggested here align with the principles of CIA: confidentiality, integrity and availability. It’s also recommended that life science companies familiarise themselves with ISO 27001 on cybersecurity and discuss this with their insurance partner’s specialist risk engineers. 

Specialising in Life Sciences for over 25 years, Chubb offers specialist products, supported by underwriters, risk engineers and claims handlers who are industry specialists. From product liability and clinical trials to professional indemnity, and property insurance to cyber and marine, we have it covered. We can support from the early R&D phase through to complex multinational. Contact us today to learn how you can partner with us to utilise our expertise and experience with the life sciences.