Although pharmaceutical companies have been using digital networks for a long time, a true culture of digitisation is not yet widespread. Cyber attacks are often perceived as something distant or unlikely. The problem is dealt with when it is really big and leads to serious consequences, such as downtime. But at the threat level, pharma is no different from other industries.
“The reality,” explains Gian Paolo Baranzoni, an ICT consultant in the pharmaceutical sector, with a focus on quality, data integrity and GDP, “is that the presence of malware can even go unnoticed: specific skills and a certain sensitivity on the subject are needed to understand when, for example, a slowdown in the operating system is actually a full-blown IT attack, to analyse it and to understand the damage it is causing.
Not least because the pharmaceutical supply chain has some specific fragilities.
The weaknesses of the pharma
‘The risks linked to digital technologies,’ explains the expert, ‘first and foremost ransomware, affect companies in the various sectors across the board. However, pharmaceuticals is a sector with a wealth of suppliers and subcontractors. And it is precisely its supply chain, including its operational technology suppliers, that is most vulnerable to cyber attacks.
We have to consider that so-called hackers are hardly individual criminal entities. More often they are real agencies, even governmental ones, from countries such as Russia, China or North Korea. Against such attacks, IT giants such as Microsoft or Google are well equipped, but smaller providers show greater fragility.
That is why it is important to defend ourselves with an organic and reasoned approach to digital’. But the pharmaceutical and IT worlds often do not talk to each other.
IT is an industrial process
“Rigidly constrained the former, constantly changing the latter. To bridge this gap, efficiently coping with the risks associated with digitalisation, but also implementing digital technologies in the best possible way, we must first of all go beyond the mere use of computer programmes.
This is in fact the first step, to which, however, specific business processes and an internal function capable of effectively controlling them must be added. In fact, IT processes should be considered in the same way as other industrial processes, to be managed through risk assessments and dedicated investments’.
Updating and validation
The digital world is changing and evolving and, speaking in economic terms, constant investment is needed to be always ready to respond to attacks. IT service providers, especially the larger ones, send out continuous updates to improve applications as various threats are resolved: implementing these improvements means staying abreast of identified risks.
“But it is necessary to get into the spirit of continuous updating and a flexible, long-term investment mode. This is also why the corporate function dealing with IT systems and networks should be headed by a security manager who is as independent from management as possible. The frequent updating, called patching, of the infrastructures on which applications rely also poses a further problem: their validation or revalidation.
At present, this important quality process has to be repeated every time it is updated, which is a very demanding task.
It would be necessary to find a method to streamline and optimise the infrastructure qualification and application validation operations so as not to have to give up the continuous updating that is indispensable for an organic and efficient digital infrastructure. The first step, however, remains the change of mentality and openness towards a different language, to be integrated into corporate systems and not to be considered as something isolated to be used when needed’.
What resources are indispensable today to cope with the risks of cyber attacks? “First of all, it is necessary to increase the digital culture in the company. All employees can be vehicles for cyber attacks and specific training is needed, for example on how to handle e-mails coming from unknown addresses or how to report suspected attacks.
As for dedicated staff, skills should be created with targeted cybersecurity courses. University studies are in fact not enough, because it is not enough to be a good computer scientist and a good programmer. It is certainly a good starting point, but to really get to the bottom of cybersecurity, you also need to know in depth the regulations in force and the programmes in use in the various companies’.