Building cyber resilience is a key priority for most industries and the life sciences sector is no different. It deals with protected health information (PHI) daily, and the burden of safeguarding this sensitive information is growing in the face of increasing cyber-attack threats and data privacy concerns.
Consumer health data, such as insurance or prescription information, R&D intellectual property, and preclinical and clinical trial data, are particularly vulnerable to cyber-security attacks.
According to Cybersecurity Ventures, global cybercrime costs will reach $10.5trn a year by 2025. Current geopolitical uncertainty, increased digitalisation and a lack of skilled talent are likely to contribute to the situation.
In 2020, the World Health Organization (WHO) reported that the number of cyber-attacks directed at the company had increased fivefold since the outbreak of Covid-19, after 450 active WHO email accounts and passwords were exposed online, along with thousands of others connected with work on the novel coronavirus response.
So what can organizations in the life sciences sector do to defend against these data protection challenges? And perhaps more importantly, how can they assure patients that their most sensitive personal data is secure with them?
1. Enabling consent and building trust
Building trust is integral to providing healthcare services. By establishing trusting relationships with patients, healthcare professionals can communicate transparently and address their data privacy concerns. This helps ensure that patients feel confident in voluntarily consenting to the collection and storage of their medical data.
To establish data protection, obtaining explicit consent is the most crucial step, since it ensures that information flows in accordance with regulations and with respect for the rights of the data subject. A lack of valid consent can lead to legal challenges and liability claims against the organisation. Such issues may also cause significant reputational harm.
Organizations are likely already collecting some form of consent, however with the technology ecosystem across departments constantly scaling, it’s likely they’re now collecting disparate and disconnected consent. You may have consented to email someone on one system, however on a different platform, the same individual has revoked email consent. This leads to fragmented user experiences and frustration that their preferences aren’t being adhered to.
Pharmaceutical companies need to adopt consent management platforms that can centralise consent and preferences across every system used within the business.
2. Verifying records and establishing accuracy
A secure and efficient data-management system requires the accurate tracking, storage and analysis of large amounts of patient information. Growing volumes of digital data can create substantial hurdles for the healthcare system in terms of selecting and interpreting it effectively.
In the digital age, poor data-entry methods can have a severe impact on operational efficiency. If a database is filled with duplicated, inconsistent or inaccurate patient data, the organisation may have to go through several verification rounds to fix the errors.
There is a possibility of unreliable data being published in clinical trials or patients being treated in a hospital setting with incorrect information. Current and up-to-date records also assist healthcare providers in ensuring they have obtained the appropriate consent from their patients before administering treatment.
3. Failure to keep informed on compliance regulations
When collecting and storing personal information across the enterprise, life sciences organisations must follow state, federal and international privacy laws, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Children’s Online Privacy Protection Act (COPPA) in the US, as well as the General Data Protection Regulation (GDPR) in the EU. Data privacy regulations are continually evolving, with US-based organisations subject to new individual state legislation coming into play each year that enforces variations.
Non-compliance with a specific country or region’s data privacy laws can lead to penalties or lawsuits, or even close operations in a particular location. Despite the complexity of privacy regulations, all organisations must be fully aware of them.
4. Keeping up with evolving cyber attacks
Digitally connected hospital systems and smart devices with access to health data can be extremely vulnerable to attacks such as malware and ransomware. Phishing emails are frequently used in cyber attacks, and these can be used to target both patients and hospital workers.
Messages can mean that recipients click on links to counterfeit websites, install malware and/or supply sensitive information, such as their user identity and password.
IBM’s report, A Cost of a Data Breach, estimates that the global average cost of a data breach this year was $4.45m, a 15% increase over three years.
Despite the looming threat of cyber attacks, a survey by the World Economic Forum found that 59% of businesses would struggle to respond due to the shortage of cyber-security talent and skills.
5. Third-party data exposure risk
Most healthcare organisations and hospitals have a vendor network that supplies the resources and technologies required to care for patients. Without adequate encryption configurations and protocols to handle health information sharing and exchange with third-party and cross-border partners, supply chain vulnerabilities can lead to breaches in health data protection.
According to the US Department of Health and Human Services (HHS), third-party contractors were responsible for ten of the top healthcare data breaches reported to them in 2022.
In such a scenario, informed third-party relationships and stronger internal measures can provide more robust security for all.
How building a resilient information system can mitigate cyber risks
According to GlobalData’s Emerging Technology: Sentiment Analysis, Q4 2022 survey, 53% of respondents believe cyber security is already disrupting their industry. The survey shows that cyber-security technologies are already well integrated into most industries but have the potential to expand further over the next few years.
A growing number of businesses provide cyber-security awareness training to their employees. In addition to incorporating indemnity provisions and data use restrictions into vendor contracts, conducting frequent contract reviews can also be beneficial for reducing third-party risk.
Medical SaaS platforms can be used to store and protect health records efficiently. These cloud-based software solutions give an extra degree of security, enabling sensitive data to be stored off-site with access restricted to authorised individuals.
Another proactive step towards mitigating cyber attacks is to use consent management platforms (CMP) such as Cassie to safeguard patient data. With the help of Cassie, organisations can streamline the consent collection process, and maintain compliance when managing complex and high-volume data.
Cassie can act as the connecting link between all platforms and can enable interoperability. Through hundreds of out-of-the-box integrations and custom APIs, Cassie will update all consent data in real time, whether they’re offline-to-online updates or medical vs. commercial consent values. This means that life science companies can safely access and share data, knowing that the patient’s consent and preferences are being honoured across every technology platform used.
Discover more about how to safeguard healthcare data while staying compliant with regulations by downloading the whitepaper below.