September 13, 2023 By Sue Poremba 3 min read

Data breaches are both commonplace and costly in the medical industry.  Two industry verticals that fall under the medical umbrella — healthcare and pharmaceuticals — sit at the top of the list of the highest average cost of a data breach, according to IBM’s Cost of a Data Breach Report 2023.

The health industry’s place at the top spot of most costly data breaches is probably not a surprise. With its sensitive and valuable data assets, it is one of the most targeted industries. That the pharma industry sits at number three might be a little more surprising.

High stakes for data security

Attacks against the pharmaceutical industry aren’t as well-known as those in healthcare, financial or retail. However, pharma shares a lot of similarities with healthcare. In addition to patient information, pharma’s network infrastructure is host to corporate proprietary data, such as intellectual property for drug patents, clinical trial results, manufacturing IoT and OT devices and information about research subjects. Attacks against the industry could disrupt important research or wipe outpatient prescription records.

Although there is nothing good about a data breach, there are signs that the pharma industry is doing something right when it comes to cybersecurity. The cost of a pharma breach dropped from $5.01 million in fiscal year 2022 to $4.82 million in fiscal year 2023. And the time it takes to detect (189 days) and contain (66 days) is quicker than the overall global average of 204 days to identify and 73 days to contain.

The most common root causes for a pharma data breach are malicious attacks (45%), human error (28%) and IT failure (27%). Threat actors are using phishing, compromised credentials and cloud misconfigurations as the attack vectors of choice. Where you store your data matters, too. On-premise storage and private clouds are breached less frequently than public clouds, but those organizations that use multi-cloud environments are the least secure, and breaches to this environment are the most costly.

Read the report

Compliance and regulations

The costs of any data breach are impacted by the number of compliance regulations an industry must follow. According to the Cost of a Data Breach report, if an industry is highly regulated, 58% of its data-breach costs continue to accrue after the first year.

The pharma industry is considered a highly regulated industry. The Health Insurance Portability and Accountability Act (HIPAA) may be the most visible, but the Health Care Information and Management Systems Society found that cybersecurity professionals lacked training in HIPAA compliance. This oversight further adds to the security risk.

There are also new FDA guidelines to ensure cybersecurity on medical devices. Manufacturing processes for devices and drugs are expected to follow regulations around good manufacturing practices, and the supply chain must apply good distribution practices. And because biomanufacturing falls under the pharmaceutical umbrella, companies must also follow the National Defense Authorization Act. Because many pharma companies have factories, research facilities and offices across states and globally, they are responsible to meet all local ordinances and regulations.

This is just a sample of the regulations the industry must follow. Cybersecurity is taking a higher priority across the many different regulatory areas. Failure to meet compliance can result in license suspensions or felony charges, as well as devastating fines. And again, these penalties can be levied in multiple states or countries, depending on where and how the rules were broken.

Solutions for pharma security

AI is the buzzphrase of the moment, and everyone wants to jump on the AI bandwagon. The pharma industry, however, has already been utilizing AI in its security tools and automation, with 40% of companies saying they extensively use the technology. AI is an especially useful security tool in pharma’s OT and IoT environments.

While other security practices, such as applying systems like IBM’s Security Guardium to protect hybrid and multi-cloud environments or employing a DevSecOps approach to build security into software and hardware development, are a necessary part of any cybersecurity program, expect the pharma industry to be leaders in using automation and AI, especially building generative AI to better analyze data for anomalies and to find intruders in the network.

More from Data Protection

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

How data residency impacts security and compliance

3 min read - Every piece of your organization’s data is stored in a physical location. Even data stored in a cloud environment lives in a physical location on the virtual server. However, the data may not be in the location you expect, especially if your company uses multiple cloud providers. The data you are trying to protect may be stored literally across the world from where you sit right now or even in multiple locations at the same time. And if you don’t…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today