Data breaches are both commonplace and costly in the medical industry.  Two industry verticals that fall under the medical umbrella — healthcare and pharmaceuticals — sit at the top of the list of the highest average cost of a data breach, according to IBM’s Cost of a Data Breach Report 2023.

The health industry’s place at the top spot of most costly data breaches is probably not a surprise. With its sensitive and valuable data assets, it is one of the most targeted industries. That the pharma industry sits at number three might be a little more surprising.

High stakes for data security

Attacks against the pharmaceutical industry aren’t as well-known as those in healthcare, financial or retail. However, pharma shares a lot of similarities with healthcare. In addition to patient information, pharma’s network infrastructure is host to corporate proprietary data, such as intellectual property for drug patents, clinical trial results, manufacturing IoT and OT devices and information about research subjects. Attacks against the industry could disrupt important research or wipe outpatient prescription records.

Although there is nothing good about a data breach, there are signs that the pharma industry is doing something right when it comes to cybersecurity. The cost of a pharma breach dropped from $5.01 million in fiscal year 2022 to $4.82 million in fiscal year 2023. And the time it takes to detect (189 days) and contain (66 days) is quicker than the overall global average of 204 days to identify and 73 days to contain.

The most common root causes for a pharma data breach are malicious attacks (45%), human error (28%) and IT failure (27%). Threat actors are using phishing, compromised credentials and cloud misconfigurations as the attack vectors of choice. Where you store your data matters, too. On-premise storage and private clouds are breached less frequently than public clouds, but those organizations that use multi-cloud environments are the least secure, and breaches to this environment are the most costly.

Compliance and regulations

The costs of any data breach are impacted by the number of compliance regulations an industry must follow. According to the Cost of a Data Breach report, if an industry is highly regulated, 58% of its data-breach costs continue to accrue after the first year.

The pharma industry is considered a highly regulated industry. The Health Insurance Portability and Accountability Act (HIPAA) may be the most visible, but the Health Care Information and Management Systems Society found that cybersecurity professionals lacked training in HIPAA compliance. This oversight further adds to the security risk.

There are also new FDA guidelines to ensure cybersecurity on medical devices. Manufacturing processes for devices and drugs are expected to follow regulations around good manufacturing practices, and the supply chain must apply good distribution practices. And because biomanufacturing falls under the pharmaceutical umbrella, companies must also follow the National Defense Authorization Act. Because many pharma companies have factories, research facilities and offices across states and globally, they are responsible to meet all local ordinances and regulations.

This is just a sample of the regulations the industry must follow. Cybersecurity is taking a higher priority across the many different regulatory areas. Failure to meet compliance can result in license suspensions or felony charges, as well as devastating fines. And again, these penalties can be levied in multiple states or countries, depending on where and how the rules were broken.

Solutions for pharma security

AI is the buzzphrase of the moment, and everyone wants to jump on the AI bandwagon. The pharma industry, however, has already been utilizing AI in its security tools and automation, with 40% of companies saying they extensively use the technology. AI is an especially useful security tool in pharma’s OT and IoT environments.

While other security practices, such as applying systems like IBM’s Security Guardium to protect hybrid and multi-cloud environments or employing a DevSecOps approach to build security into software and hardware development, are a necessary part of any cybersecurity program, expect the pharma industry to be leaders in using automation and AI, especially building generative AI to better analyze data for anomalies and to find intruders in the network.