
Preventing ‘Black Swan’ events in pharma


A ‘Black Swan’ is an unpredictable event that is beyond what is normally expected of a situation, but often deemed obvious or inevitable in hindsight. These events can have potentially severe consequences and are characterized by their extreme rarity and impact. 

For large enterprises, being able to identify potential ‘Black Swan’ events, and understanding how they can be prevented and their risks mitigated, is immensely important. Here, Rod Schregardus, pharma manufacturing lead at The Access Group, explores the key IT security threats currently facing pharmaceutical firms and the steps that can be taken to prevent devastating consequences.

Pharmaceutical companies have always been an attractive target for cybercriminals, and since the rapid development and distribution of the COVID-19 vaccine the threat has undoubtedly increased. While many firms recognize this risk, their systems remain outdated and insufficient against the sophisticated nature of today’s cybercriminals.

According to a recent Forbes article, pharmaceutical and biotech companies suffer more breaches than those in any other industry, with 53 percent resulting from malicious activity. Experts believe that the cost of these breaches will continue to grow year on year, with one study finding that the average cost of a breach already stands at $5.06 million. 

When the global science and technology firm Merck was hit by a cyber security attack back in 2017, it suffered hundreds of millions in damages. The attack also led to significant disruption of its worldwide operations, including manufacturing, research and sales.

These consequences were severe and impacted every corner of the business, as detailed in its 2018 annual report. An entire vaccine plant went down and the firm had to borrow Gardasil 9 doses from the USA's strategic stockpile to fulfill orders. Merck estimated that the lost revenue from sales stood at $410 million, while it also had to pay around $285 million in expenses relating to the hack.

Hackers always aim to corrupt the company's most valuable and sensitive data during an intrusion attempt. For pharmaceutical firms this includes clinical data and formulas for compounds, as well as patient or employee personal data. One study revealed that in Q2 of 2018 alone, 3.15 million records were exposed across 142 industry breaches - a figure that adds up significantly over time and can lead to disastrous consequences for an organization.

How can ‘Black Swan’ events of this nature be prevented?

Updating infrastructure

A reliance on aging physical IT infrastructure creates significant risk, making ‘Black Swan’ events worryingly inevitable. Despite some initial resistance to the use of external networks and software-as-a-service (SaaS) solutions across the pharmaceutical industry, the benefits are beginning to be recognized. 

Expert hosting providers are used to dealing with vast quantities of data on a daily basis and are able to perform thousands of automated checks per second to help identify any potential risks. Should the system flag an anomaly, action can be taken instantly before major disruption occurs.

A report by IBM and the Ponemon Institute found that the majority of breaches involving pharmaceutical firms happen during cloud migrations, as the attack can more easily stay under the radar, allowing hackers to gather a larger amount of information. Remarkably, it takes an average of 257 days before a breach is identified and contained. Had these migrations been the responsibility of an external hosting company, it’s unlikely that the breaches would have gone undetected for anywhere near this long.

The same report found that data breach costs rose from $3.86 million to $4.24 million in 2021, the highest average total cost in the 17-year history of the report, a number that looks only set to increase over time. Perhaps unsurprisingly, organizations further along in their cloud transformation strategy managed to contain a breach on average 77 days faster than those in the early stage of their modernization journey, demonstrating the limitations of outdated IT systems. 

Taking the pressure off in-house IT teams 

For large pharmaceutical firms it’s still relatively common to rely on an in-house team to manage all IT-related processes. However, these individuals cannot be experts in every application they manage, especially as systems become more complex, and this could leave an organization open to a costly data breach.

Companies are therefore reexamining their legacy systems and considering how best to move forward. Future trends such as personalized medicine will require a much more nimble manufacturing operation and enhanced IT capabilities. 

Moving to a fully hosted, cloud-based solution can significantly streamline the upgrades process and any routine maintenance, as it’s all dealt with by the external provider. These upgrades are not only designed to enhance user experience and capability, they can also strengthen security processes. 

When relying on internal teams, a simple upgrade can take between 6 and 9 months to complete, once you have taken into account the meetings and lengthy decision-making processes. In reality, these upgrades can be completed in less than one working day by an expert hosting firm, ensuring that the firm's data remains as secure as possible. 

Should there be any issues, most problems can be resolved remotely by the hosting firm, preventing the business from coming to a stand-still while the issue is resolved.

Managing software at scale

Deploying and managing software at scale is difficult and not a task that should be underestimated. Large pharmaceutical firms employ an array of talented individuals, from researchers to scientists, all focused on manufacturing cutting-edge drugs, not on the maintenance of their IT infrastructure.

Hosting firms, on the other hand, employ a dedicated and highly qualified team of IT experts. They also regularly invest in their own hardware and data centers. Due to the sheer volume of data these organizations are responsible for, they are continually developing their own infrastructure to provide day-to-day users with the best possible support and functionality, something that an in-house team simply can’t compete with.

What makes ‘Black Swan’ events all the more frustrating is that in hindsight they can feel almost inevitable, and while the Merck example is extreme, it demonstrates just how vulnerable large enterprises are without continuous investment in their IT-related processes.

Rod Schregardus, pharma manufacturing lead, The Access Group

As one of the original team members for Access Orchestrate, Rod has significant experience in helping companies with their day-to-day scheduling, capacity planning and what-if analysis.