Attacks on the life sciences and healthcare sectors (healthcare providers and health technology, medical device, pharmaceutical and biotechnology companies) increased significantly in the last year, including at the World Health Organization, which reported a fivefold increase in attacks in 2020. Another United Kingdom (UK)-focused government report detailed that of 26 business sectors analyzed, the life sciences sector was the main target of intellectual property theft via malicious cybersecurity attacks, ultimately costing the UK billions of dollars. With the ongoing rush to develop vaccines and drug therapies around the globe, the threats show no signs of decreasing.
The top global cybersecurity and privacy risks faced by the life sciences and healthcare sectors are:
- High-Risk Data
- Supply Chain Risk
- Digital Transformation Risk
- Practical Implications Post-Data Breach
- Litigation and Regulatory Risks
- International Privacy Compliance Requirements
- State Privacy Compliance Requirements in the U.S.
- Federal Privacy Compliance Requirements in the U.S.
- Post-Brexit Challenges for UK Companies
We outline these risks below and provide steps companies can take to mitigate them.
1. High Risk Data
Consumer health data, preclinical and clinical trial data, protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) (such as insurance and prescription information), research and development intellectual property and proprietary business information are sensitive by nature and highly susceptible to cybersecurity attacks. Threats include viruses or other malicious code, deployment of harmful malware, phishing attacks, ransomware attacks and denial of service attacks.
2. Supply Chain Risk
Contract research organizations, contractors, consultants and data storage cloud providers are relied on heavily by the life sciences sector. Any type of reliance on a third party raises a threat for data breaches. Life sciences companies are advised to limit vendor access to personal information—particularly sensitive/special category data—and ensure that vendors maintain a sufficient level of cybersecurity insurance. Life sciences companies should be sure to include indemnification, restrictions on data use and other clauses in contracts to protect against harm and to conduct regular contract reviews.
3. Digital Transformation Risk
The pandemic has accelerated the rise of remote workers and remote solutions in the life sciences and healthcare sectors. This has increased the potential for security incidents and cybersecurity threats. Companies must be vigilant in ensuring they evaluate their personal data collection and retention practices and update them to reflect new working practices.
4. Practical Implications During and Post-Data Breach
The impact of a data breach in this industry can be devastating. Breaches can result in clinical trial and regulatory approval delays, the disruption of research and development (R&D) programs, increased costs to recover or reproduce data and negative publicity. This can threaten the viability of a clinical trial in its entirety. Cyber breaches in the healthcare sphere can undoubtedly have a severe impact on patient care. A patient with a life-threatening condition was found to have died as a result of having to be directed to a more distant hospital when University Hospital Dusseldorf in Germany was crippled by a ransomware attack in September 2020. Furthermore, cyber breaches in hospitals inevitably lead to delays for doctors in accessing patient records or receiving lab and scan results, and appointments are often cancelled causing direct harm to countless patients. However, it is important to recognize that attributing the harm caused to patients to the cyberattack itself is often not an easy or clear process.
5. Litigation and Regulatory Risks
Further to the practical implications of a data breach, companies can be subject to litigation in addition to government investigations and proceedings. This includes by federal, state and local regulatory entities in the U.S. and by international regulators, resulting in exposure to material civil and/or criminal liability as well as stock market fluctuations and reputational damage.
6. International Privacy Compliance Requirements
Many companies will be working internationally and subsequently are subject to various data protection regimes, often with inconsistent privacy and data security laws throughout jurisdictions. Some will be subject to responsibilities imposed by the European Union (EU) General Data Protection Regulation (GDPR), where the penalties for breaches are substantial.
7. State Privacy Compliance Requirements in the U.S.
In the states, the California Data Privacy Protection Act of 2018 (CCPA) went into effect in January 2020 and provides new data privacy rights for California residents, including expanded rights to access and delete their personal information, opt out of certain personal information sharing, and receive detailed information about how their personal information is used. California’s next wave of privacy legislation, the California Privacy Rights Act (CPRA), will become operative on January 1, 2023. Both the CCPA and CPRA have exemptions for protected health information and clinical trial data collected subject to certain requirements. The CPRA expands the exemption to include other biomedical research studies. Of note, the CPRA exemption applies only if businesses do not sell or share clinical data without informing participants of that use and obtaining consent.
8. Federal Privacy Compliance Requirements in the U.S.
In the states, HIPAA sets forth rigorous requirements for the safeguarding of PHI and limits the use and disclosure of PHI. In most cases, life sciences and healthcare sector companies do not fall under the purview of HIPAA. Nonetheless, life sciences companies may need to follow HIPAA requirements governing PHI as a part of their relationships with HIPAA-covered entities and business associates may be subject to HIPAA as a service provider (known as a “business associate”) if the services they provide to healthcare providers, plans and others in the healthcare sector involve the use and disclosure of PHI. Life sciences should consider how to best meet these requirements to successfully further their relationships with partners who are subject to HIPAA.
9. Post-Brexit Challenges for UK Companies
The aftermath of Brexit places companies with a UK dimension in a challenging situation. Starting in January 2021, companies had to have established an entity in the UK and in the EU and will have to cope with a more uncertain data privacy landscape. For more information on Brexit, see our Guide here.
Steps to Take to Mitigate Cybersecurity and Privacy Risks
- Perform privacy or security risk assessments to determine if potential risks and vulnerabilities exist and work with external counsel to mitigate identified risks and vulnerabilities.
- Evaluate existing privacy and security policies and cybersecurity insurance coverage to project the cost of an incident and address gaps in coverage.
- Evaluate enterprise-wide personal information data collection and retention practices to ensure compliance with state, federal, and international data collection laws.
- Provide training to all types of staff, not just information technology, on phishing and ransomware awareness best practices (how attackers conduct it, what threat actors are looking for and practical advice for spotting and reporting the threat).
- Include indemnification, restriction on data use and other clauses in vendor contracts to protect against harm and conduct regular contract reviews.