The Cost of a Data Breach Report 2020 by IBM and the Ponemon Institute showed that pharmaceutical and biotech companies suffer the highest number of cyber attacks (or ‘breaches’). The reason lies in the fact that the pharmaceutical sector is constantly growing: it is an industrial segment where excelling in research and development is crucial to success. The constant digital upgrading of companies and the wealth of sensitive data they hold thus make them appealing to hackers. It is estimated that health information sold and bought on the dark web is valued at 20 to 50 times more than other types of information. For example, during the Covid pandemic pharmaceutical companies experienced a spike in cyber attacks, mostly because of the value of source information about vaccines: by the end of 2020 no fewer than 7 companies in the industry had been hacked.
In recent years the subject of “Data Integrity” has become increasingly topical: data protection is, after all, the basis of the entire system. ALCOA, an acronym introduced by the FDA in the early 1990s to define a set of data integrity protection principles, summarises the characteristics that data must have: it must be Attributable, Legible, Contemporaneous, Original and Accurate. Over the years the ALCOA concept has been extended to ALCOA+, which additionally requires that data be complete, consistent, durable and available for its entire life cycle.
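As an added example (not code from the original article or from any regulatory text), the following Python sketch shows how several ALCOA+ properties can be turned into technical controls in an append-only audit trail: each entry is attributable to a named user, carries the time it was recorded, stores the value exactly as entered, and is linked to the previous entry through a SHA-256 hash chain so that any later modification or gap becomes detectable. The record layout, field names and the sample batch values are all constructed for the illustration.

```python
"""Minimal ALCOA+-style audit trail with an integrity check (added example).

The record format and field names are invented here for illustration; they are
not taken from the article or from any GAMP/FDA document.
"""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Entry:
    user: str            # Attributable: who recorded the value
    recorded_at: str     # Contemporaneous: ISO-8601 UTC timestamp
    batch: str           # Lot the measurement belongs to (constructed value)
    parameter: str       # e.g. "tablet_weight_mg" (constructed name)
    value: str           # Original: the value exactly as entered
    prev_hash: str       # Consistent/Complete: hash of the previous entry
    entry_hash: str = field(default="")

    def compute_hash(self) -> str:
        """Hash every field except entry_hash itself, in a fixed serialisation."""
        payload = json.dumps(
            [self.user, self.recorded_at, self.batch, self.parameter,
             self.value, self.prev_hash],
            separators=(",", ":"),
        ).encode()
        return hashlib.sha256(payload).hexdigest()


GENESIS = "0" * 64  # prev_hash of the very first entry


def append_entry(trail: list, user: str, batch: str, parameter: str,
                 value: str, now: datetime) -> Entry:
    """Append a new entry linked to the last one already in the trail."""
    if not user:
        raise ValueError("entry must be attributable to a user")
    prev_hash = trail[-1].entry_hash if trail else GENESIS
    e = Entry(user, now.astimezone(timezone.utc).isoformat(), batch,
              parameter, value, prev_hash)
    e.entry_hash = e.compute_hash()
    trail.append(e)
    return e


def verify_trail(trail: list) -> list:
    """Return (index, problem) tuples; an empty list means the trail is intact."""
    problems = []
    expected_prev = GENESIS
    last_time = None
    for i, e in enumerate(trail):
        if not e.user:
            problems.append((i, "not attributable"))
        if e.prev_hash != expected_prev:
            problems.append((i, "chain broken"))
        if e.compute_hash() != e.entry_hash:
            problems.append((i, "entry modified after recording"))
        t = datetime.fromisoformat(e.recorded_at)
        if last_time is not None and t < last_time:
            problems.append((i, "timestamp out of order"))
        last_time = t
        expected_prev = e.entry_hash
    return problems


def run_demo() -> tuple:
    """Build a constructed trail, tamper with it, and return both verdicts."""
    trail = []
    t0 = datetime(2022, 7, 1, 9, 0, tzinfo=timezone.utc)
    append_entry(trail, "operator_a", "LOT-0001", "tablet_weight_mg", "250.3", t0)
    append_entry(trail, "operator_a", "LOT-0001", "tablet_weight_mg", "249.8",
                 t0 + timedelta(minutes=5))
    append_entry(trail, "qa_reviewer", "LOT-0001", "release_decision", "approved",
                 t0 + timedelta(hours=1))
    clean = verify_trail(trail)
    # Simulate a silent after-the-fact "correction" of a recorded value.
    trail[1].value = "250.0"
    tampered = verify_trail(trail)
    return clean, tampered


if __name__ == "__main__":
    print(run_demo())
```

The check reports the edited entry because its stored hash no longer matches its content; deleting or reordering entries would instead surface as a broken chain or an out-of-order timestamp. In a real system the trail would live in write-once storage and the chain head would be signed or anchored externally, since an attacker who can rewrite the whole file could recompute every hash.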
First of all, it is necessary to distinguish between OT (Operational Technology) and IT (Information Technology). IT is traditional information technology (management systems, computation and office applications); OT is the technology that controls the processes and lines in the production departments. IT security aims to defend data; OT security aims to defend the plant run by the control/automation system. Put simply, in IT what matters is protecting data, IP (Intellectual Property), privacy (see GDPR), reputation, business data and the company's exposure on the web. In OT, instead, what matters is the production systems, the supply chain, OEE (Overall Equipment Effectiveness), traceability, quality, continuity of operation, and so on. In the latter case the risk is not so much loss of data as loss of control of the plant, with the ensuing safety risks for the people working on it, damage to the plant assets themselves, and loss of quality, production and efficiency.
In a sector like pharmaceuticals, however, data protection and system protection are closely linked. If the production line stops (because of a cyber attack or for any other reason), the production of medicines obviously stops. But the same happens in the event of data loss, even if the plant continues to produce normally: without the data we can neither label and trace the lots as regulations require nor guarantee the expected quality of each individual lot.
In the new GAMP 5 guidelines for the validation of computerised systems in the pharmaceutical sector, published in July 2022, the section on IT security is an important one. It introduces new aspects such as integrity tests of backup copies, the BCP (Business Continuity Plan), DR (Disaster Recovery), loss of the IT infrastructure, the service provider, access to premises, connectivity, cybersecurity attacks and even loss of the software application.
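To make the "integrity test of backup copies" mentioned above concrete, here is an added Python example (not code from the article, the GAMP guidance or any vendor) of the simplest useful form of such a test: a manifest of SHA-256 digests is taken at backup time, and a later check of the copy reports files that are missing, corrupted or unexpected. The directory layout and file contents are constructed inside a temporary directory purely for the demonstration.

```python
"""Backup copy integrity test with a SHA-256 manifest (added example).

Assumes a flat or nested backup directory; the sample files, their names and
contents are constructed here and do not come from the article.
"""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source_dir: str) -> dict:
    """Map each file path (relative to source_dir) to its SHA-256 digest."""
    manifest = {}
    for root, _dirs, files in os.walk(source_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, source_dir)] = sha256_file(full)
    return manifest


def verify_backup(backup_dir: str, manifest: dict) -> dict:
    """Compare a backup copy against the manifest recorded at backup time.

    Returns {"missing": [...], "corrupted": [...], "unexpected": [...]};
    three empty lists mean the copy is complete and unmodified.
    """
    result = {"missing": [], "corrupted": [], "unexpected": []}
    present = build_manifest(backup_dir)
    for rel, digest in manifest.items():
        if rel not in present:
            result["missing"].append(rel)
        elif present[rel] != digest:
            result["corrupted"].append(rel)
    for rel in present:
        if rel not in manifest:
            result["unexpected"].append(rel)
    for names in result.values():
        names.sort()
    return result


def run_demo() -> tuple:
    """Constructed scenario: take a backup, verify it, damage it, verify again."""
    files = {  # constructed sample content
        "batch_records.csv": b"lot,weight_mg\nLOT-0001,250.3\n",
        "audit_trail.log": b"2022-07-01T09:00:00Z operator_a tablet_weight_mg 250.3\n",
    }
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "source")
        bak = os.path.join(work, "backup")
        os.makedirs(src)
        os.makedirs(bak)
        for name, data in files.items():
            with open(os.path.join(src, name), "wb") as f:
                f.write(data)
            with open(os.path.join(bak, name), "wb") as f:  # the backup copy
                f.write(data)
        manifest = build_manifest(src)
        good = verify_backup(bak, manifest)
        # Damage the copy: truncate one file and delete another.
        with open(os.path.join(bak, "batch_records.csv"), "wb") as f:
            f.write(b"lot,weight_mg\n")
        os.remove(os.path.join(bak, "audit_trail.log"))
        bad = verify_backup(bak, manifest)
    return good, bad


if __name__ == "__main__":
    print(run_demo())
```

The manifest must itself be stored separately from the backup (and ideally signed), otherwise whatever corrupts or alters the copy can adjust the manifest to match; a restore test that actually reads the data back into the application remains the stronger complement to a digest check.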