Third-party Vendors Are a Growing Cyber Risk for Pharma
Pharmaceutical companies regularly outsource critical business functions to third-party vendors. Outside companies are often responsible for research, product development and distribution, sales, and IT (to name a few) — and these third-party vendors pose an enormous cyber risk for pharma. Over half of all data breaches in 2021 were traced back to third-party vendors.
Pharmaceutical companies store valuable data on their networks, from patient information to sensitive data about patent filings. Attacking pharma through a third-party vendor — who has access to a company’s proprietary information and internal networks — is low-hanging fruit for cybercriminals looking for an easy payday. Even worse, the average cost to bring a new drug to market is roughly $1 billion. A cyber attack that delays the approval process — or puts approval at risk— can be enormously expensive.
Despite strict regulatory compliance requirements, a record number of pharmaceutical companies lost millions of dollars in data breaches last year. The average cost of a data breach in the pharmaceutical industry rose to $5.04 million in 2021 — nearly $1 million more than the average cost across all sectors.
Mitigate Third-Party Cyber Risks
Mega data breaches, supply chain attacks, and devastating ransomware regularly make the headlines, especially when the healthcare industry is under siege. By now, pharmaceutical security experts know many cybersecurity hygiene basics, like keeping software up to date, following zero-trust best practices, performing penetration tests, patching early and often, and educating employees, to name just a few.
But every pharmaceutical company should take additional steps to mitigate third-party risks and ensure a chain of trust with companies offering essential services in the supply chain. If an attack shuts down a critical system used in the approval process for a new drug, the financial consequences can be enormous. The best third-party vendors will take all necessary security measures to keep your company safe.
Here’s what you need to do to minimize risk:
1. Make a list of your vendors and update it regularly.
Keep a list of vendors — including the details of your business relationship and what data they access — complete with representatives’ names and contact information. This will make it easier to identify attacks (like phishing attempts disguised as your vendors or unauthorized data transfers). It will also help your IT team with investigations in the event of an attack.
2. Identify the risk factor for each third-party vendor.
Discuss the following topics with your vendors’ representatives to gauge their cybersecurity preparedness:
What cybersecurity measures are you taking? All pharmaceutical companies should be using encryption and 2FA, testing against potential attacks, employing least-privileged access, and performing routine employee awareness training and audits.
Do you use VPNs or desktop sharing tools? These tools pose potential security risks, creating vulnerabilities that cybercriminals can use to access your data.
Has your network been breached before? What was the outcome? It is important to know if a vendor has experienced numerous breaches.
3. Include cyber risk management in your contract.
Including cyber risk management in your contract may not prevent a breach, but it holds the vendor responsible for protecting your data — and encourages cybersecurity best practices.
4. Set up strong access control measures.
Pay close attention to the data you share with third parties — and limit access whenever possible. Enforce access reporting, auditing, and monitoring to keep all movement out in the open.
5. Create a clear incident response plan — and have your team role-play with realistic scenarios.
Your team’s first response to an incident shouldn’t be during the chaos of a devastating cyberattack. Identify exactly what your company will do in the event of a third-party data breach — and practice your response until you’ve covered all of your bases.
Pharmaceutical companies must stay vigilant and prepare for escalating cyber threats: It’s no longer a matter of “if” a company will be attacked, but “when.” Institute a third-party risk management plan, identify your weakest links, and safeguard your data today; it could save your company millions of dollars in the long run.