September 13, 2023 By Sue Poremba 3 min read

Data breaches are both commonplace and costly in the medical industry. Two industry verticals that fall under the medical umbrella — healthcare and pharmaceuticals — sit at the top of the list of the highest average cost of a data breach, according to IBM’s Cost of a Data Breach Report 2023.

That healthcare holds the top spot for the most costly data breaches is probably not a surprise. With its sensitive and valuable data assets, it is one of the most targeted industries. That the pharma industry sits at number three might be a little more surprising.

High stakes for data security

Attacks against the pharmaceutical industry aren’t as well-known as those in healthcare, financial services or retail. However, pharma shares a lot of similarities with healthcare. In addition to patient information, pharma’s network infrastructure hosts corporate proprietary data, such as intellectual property for drug patents, clinical trial results, data from manufacturing IoT and OT devices and information about research subjects. Attacks against the industry could disrupt important research or wipe out patient prescription records.

Although there is nothing good about a data breach, there are signs that the pharma industry is doing something right when it comes to cybersecurity. The cost of a pharma breach dropped from $5.01 million in fiscal year 2022 to $4.82 million in fiscal year 2023. And the time it takes to detect (189 days) and contain (66 days) a breach is shorter than the overall global average of 204 days to identify and 73 days to contain.

The most common root causes of a pharma data breach are malicious attacks (45%), human error (28%) and IT failure (27%). Threat actors are using phishing, compromised credentials and cloud misconfigurations as their attack vectors of choice. Where you store your data matters, too. On-premises storage and private clouds are breached less frequently than public clouds, but organizations that use multi-cloud environments are the least secure, and breaches in those environments are the most costly.


Compliance and regulations

The costs of any data breach are impacted by the number of compliance regulations an industry must follow. According to the Cost of a Data Breach report, if an industry is highly regulated, 58% of its data-breach costs continue to accrue after the first year.

The pharma industry is considered a highly regulated industry. The Health Insurance Portability and Accountability Act (HIPAA) may be the most visible regulation, but the Healthcare Information and Management Systems Society found that cybersecurity professionals lacked training in HIPAA compliance. This gap further adds to the security risk.

There are also new FDA guidelines to ensure cybersecurity on medical devices. Manufacturing processes for devices and drugs are expected to follow regulations around good manufacturing practices, and the supply chain must apply good distribution practices. And because biomanufacturing falls under the pharmaceutical umbrella, companies must also follow the National Defense Authorization Act. Because many pharma companies have factories, research facilities and offices across states and around the globe, they are responsible for meeting all local ordinances and regulations.

This is just a sample of the regulations the industry must follow. Cybersecurity is taking a higher priority across the many different regulatory areas. Failure to comply can result in license suspensions or felony charges, as well as devastating fines. And again, these penalties can be levied in multiple states or countries, depending on where and how the rules were broken.

Solutions for pharma security

AI is the buzzword of the moment, and everyone wants to jump on the AI bandwagon. The pharma industry, however, has already been using AI in its security tools and automation, with 40% of companies saying they use the technology extensively. AI is an especially useful security tool in pharma’s OT and IoT environments.

Other security practices remain a necessary part of any cybersecurity program, such as applying systems like IBM Security Guardium to protect hybrid and multi-cloud environments, or employing a DevSecOps approach to build security into software and hardware development. Even so, expect the pharma industry to be a leader in using automation and AI, especially in building generative AI to better analyze data for anomalies and to find intruders in the network.
