Data breaches are both commonplace and costly in the medical industry.  Two industry verticals that fall under the medical umbrella — healthcare and pharmaceuticals — sit at the top of the list of the highest average cost of a data breach, according to IBM’s Cost of a Data Breach Report 2023.

The health industry's position as the industry with the most costly data breaches is probably not a surprise. With its sensitive and valuable data assets, it is one of the most targeted industries. That the pharma industry sits at number three might be a little more surprising.

High stakes for data security

Attacks against the pharmaceutical industry aren't as well-known as those in healthcare, finance or retail. However, pharma shares a lot of similarities with healthcare. In addition to patient information, pharma's network infrastructure hosts corporate proprietary data, such as intellectual property for drug patents, clinical trial results, manufacturing IoT and OT devices and information about research subjects. Attacks against the industry could disrupt important research or wipe out patient prescription records.

Although there is nothing good about a data breach, there are signs that the pharma industry is doing something right when it comes to cybersecurity. The cost of a pharma breach dropped from $5.01 million in fiscal year 2022 to $4.82 million in fiscal year 2023. And the time it takes pharma organizations to detect (189 days) and contain (66 days) a breach is shorter than the overall global average of 204 days to identify and 73 days to contain.

The most common root causes of a pharma data breach are malicious attacks (45%), human error (28%) and IT failure (27%). Threat actors are using phishing, compromised credentials and cloud misconfigurations as their attack vectors of choice. Where you store your data matters, too. On-premises storage and private clouds are breached less frequently than public clouds, but organizations that use multi-cloud environments are the least secure, and breaches in those environments are the most costly.


Compliance and regulations

The costs of any data breach are affected by the number of compliance regulations an industry must follow. According to the Cost of a Data Breach report, in highly regulated industries 58% of data-breach costs continue to accrue after the first year.

The pharma industry is considered a highly regulated industry. The Health Insurance Portability and Accountability Act (HIPAA) may be the most visible regulation, but the Healthcare Information and Management Systems Society found that cybersecurity professionals lacked training in HIPAA compliance. This gap further adds to the security risk.

There are also new FDA guidelines to ensure cybersecurity on medical devices. Manufacturing processes for devices and drugs are expected to follow regulations around good manufacturing practices, and the supply chain must apply good distribution practices. And because biomanufacturing falls under the pharmaceutical umbrella, companies must also follow the National Defense Authorization Act. Because many pharma companies have factories, research facilities and offices across states and around the globe, they are responsible for meeting all local ordinances and regulations.

This is just a sample of the regulations the industry must follow. Cybersecurity is taking a higher priority across the many different regulatory areas. Failure to meet compliance can result in license suspensions or felony charges, as well as devastating fines. And again, these penalties can be levied in multiple states or countries, depending on where and how the rules were broken.

Solutions for pharma security

AI is the buzzword of the moment, and everyone wants to jump on the AI bandwagon. The pharma industry, however, has already been using AI in its security tools and automation, with 40% of companies saying they use the technology extensively. AI is an especially useful security tool in pharma's OT and IoT environments.

Other security practices remain a necessary part of any cybersecurity program, such as deploying systems like IBM Security Guardium to protect hybrid and multi-cloud environments or adopting a DevSecOps approach to build security into software and hardware development. Still, expect the pharma industry to lead in the use of automation and AI, especially in building generative AI to better analyze data for anomalies and to find intruders in the network.
