Weighing Cybersecurity Risk Factors in Life & Healthcare

We don’t have to go very far back in time for a good example of a cyberattack on a healthcare or pharma organization. On June 27, 2017, Merck, one of the largest pharma companies in the world, and 2,000 other companies were hit with ransomware called Petya, which infected employees’ computers across 65 countries and left a ransom note demanding a bitcoin payment to decrypt the infected files. Weeks later, the pharma giant is still trying to get its infrastructure back on track.

So, before a company like Merck – or any company for that matter – can determine a plan of action to prevent the next cyberattack, it must consider why the attack happened in the first place. With that in mind, let’s explore a few narratives that could come into play in the process of becoming a cyberattack target.

Four Narratives that Could Explain Why

  1. A decade ago, cybersecurity was all about securing the perimeter to ensure that corporate IT systems were closed to outsiders. In the past five years, however, remote work has become increasingly common, with a high percentage of employees working outside the perimeter, accessing sensitive data through the cloud and unsecured systems, and often doing it all from a mobile device. As a result, the entire enterprise has become fundamentally more vulnerable, and it is difficult to determine where the perimeter ends and the outside world begins.
  2. Healthcare and life sciences companies have long been slow to innovate when it comes to digital, and this hasn’t been helped by the fact that technology is not their core business proposition. In fact, as other industries have had to adopt new business models to grow their revenues, which typically resulted in disproportionate investment into technology, healthcare and life sciences have stayed a little behind the digitization curve.
  3. For many organizations, being slow to innovate is not by choice. Instead, it’s often for compliance reasons, like in a scenario where a business has to choose between meeting the latest regulatory standard and rolling out a new technology. In this case, the company may stay in business without the new software component, but not without meeting the regulatory standard. Indeed, compliance has long been a burden to the CIO agenda.
  4. Finally, considering the above narrative about the ever-expanding perimeter and how the June cyberattack on Merck affected so many employees, it’s worth noting that the companies making headlines for data breaches aren’t small or even medium-sized. Instead, hackers go after the biggest and, by extension, most profitable targets – companies with the highest numbers of employees, locations, and potential entry points.

How to Plan for What’s Next

Considering the size and scope of the data breach against Merck, it’s hard not to start posing what-if questions. What if they had implemented better or more security controls sooner? What if they had run a mixture of Windows and iOS to stave off Windows-attacking viruses like WannaCry and Petya? What if they had identified the virus before it made its way across the entire enterprise?

There will always be what-ifs, but with so many possible access points for a data breach, it’s nearly impossible to ever be 100% uncompromised, especially when you’re a huge company trying to balance growth and revenue with compliance and security.

It’s not easy, but it is absolutely worth your time to not only determine a plan to improve your cybersecurity, but also create a plan for how to respond if your company falls victim to a cyberattack. The best way to get started is to assume you’re already compromised, or that you’ll be compromised tomorrow at the latest, and then find a partner who can help you. The faster you make cybersecurity a priority, the better off you’ll be.
