Bad Pharma Cyber Strategy: Waiting for Guidelines to Become Regulations


Leading cybersecurity experts and standards bodies have released a slew of helpful guidelines on what pharma organizations can (and should) do to secure their networks. Despite this wealth of guidance, many pharmaceutical manufacturers and other related organizations have still been slow to adopt stronger security measures. “But why?” you ask. Well, I’ll tell you.

The Waiting Game

One reason guidelines appear before regulations is that it is far easier to get a room of smart practitioners to agree on a set of strong guidelines than to get a room of regulators to agree on binding rules, especially rules that impose costs on the regulated.

Typically, organizations hold off on implementing solutions for optional guidelines because they are waiting for those guidelines to become mandatory regulations. In part this is a budgeting argument: valuable (and often scarce) security dollars spent on meeting a guideline today might be needed for a different control once a regulation finally arrives, and if the first purchase leaves no money for the second, the organization is in a difficult position. Or organizations simply do not want to spend the money if they do not have to. The unfortunate result is that, absent a regulator enforcing strict oversight, most companies in any industry will not go far beyond the minimum to secure their digital assets.

Regulations are also almost always a response to a widespread cybersecurity problem (read: many, many breaches) that has already happened. By the time a rule lands, it is too late to prevent the attacks that prompted it; you are left with remediation and waiting for the next one.

When the Best Security is Not Optional

This is why industries with extremely sensitive digital assets – those whose compromise could cause mass disruption or destruction – have long been regulated into strict cybersecurity practices. My favorite example is the nuclear power industry. The U.S. Nuclear Regulatory Commission (NRC), the independent federal agency that oversees civilian nuclear material production and use in the United States, effectively assumes in its cyber security rule (10 CFR 73.54) that the business IT networks of nuclear power plants are such an inviting target that they will eventually be breached, if they have not been already.

The operational networks inside a plant – the systems that deal with the reactor itself – cannot afford to be breached. The agency therefore requires plants to use a combination of security kiosks and one-way data transfers, via data diodes or similar hardware-enforced unidirectional technologies, to isolate their operational networks from the rest of the plant network and the internet beyond. Because the one-way property is enforced physically (there is no return path in the hardware), a correctly deployed diode leaves an attacker on the IT side no network path at all to probe, infiltrate, or send commands to the systems that control the reactor. What it does not address is whatever enters by other routes, such as portable media or vendor laptops; that is what the kiosks and the plant's other controls are for, and any data diode deployment should be planned with those paths in mind.
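A consequence of that physical one-way enforcement is that nothing resembling TCP can cross the link: there is no channel for a handshake, an ACK, or a retransmit request, so the transfer protocol on top of a diode has to be send-only and pay for reliability with redundancy and self-checking. The example below is added here to illustrate that point; it is not the page's or any vendor's product code. It models the link as a function that only ever forwards datagrams (dropping or damaging some, never reporting back), and shows a sender that frames each chunk with a sequence header and digest and repeats it, and a receiver that reassembles without ever signalling the sender. The framing, chunk size, drop pattern and sample payload are all constructed for illustration.

```python
import hashlib
import struct
from typing import Iterable, Optional

# Constructed example. Models a hardware-enforced one-way link in software so the
# protocol consequences are visible: no return path, so no ACKs or retransmits.
CHUNK_SIZE = 16                  # payload bytes per datagram (constructed value)
HEADER = struct.Struct(">IHH")   # stream id, total chunk count, chunk index
DIGEST_LEN = 8                   # truncated SHA-256 appended to every datagram
SAMPLE_PAYLOAD = b"lot=0042;temp=311.5;status=OK"  # constructed sample, 29 bytes


def build_datagrams(stream_id: int, payload: bytes, repeat: int = 3) -> list[bytes]:
    """Sender side: frame payload into sequenced, self-checking datagrams.

    Each datagram is emitted `repeat` times because the receiver can never ask
    for a resend; redundancy stands in for retransmission.
    """
    chunks = [payload[i:i + CHUNK_SIZE] for i in range(0, len(payload), CHUNK_SIZE)] or [b""]
    out: list[bytes] = []
    for idx, chunk in enumerate(chunks):
        body = HEADER.pack(stream_id, len(chunks), idx) + chunk
        dgram = body + hashlib.sha256(body).digest()[:DIGEST_LEN]
        out.extend([dgram] * repeat)
    return out


def one_way_link(datagrams: Iterable[bytes], drop_every: int = 0,
                 corrupt_index: int = -1) -> list[bytes]:
    """Simulated diode: datagrams flow forward only; some may be lost or damaged.

    drop_every=3 discards datagram indices 0, 3, 6, ...; corrupt_index flips one
    byte in a single datagram. The sender is told nothing about either event.
    """
    delivered: list[bytes] = []
    for i, d in enumerate(datagrams):
        if drop_every and i % drop_every == 0:
            continue
        if i == corrupt_index:
            d = d[:-1] + bytes([d[-1] ^ 0xFF])
        delivered.append(d)
    return delivered


def reassemble(datagrams: Iterable[bytes]) -> Optional[bytes]:
    """Receiver side: verify each datagram, keep the first good copy per index,
    and return the payload only if every index arrived.

    Returns None on an incomplete stream. There is no channel to complain on,
    so the receiving application has to decide what to do with a gap.
    """
    chunks: dict[int, bytes] = {}
    total: Optional[int] = None
    for d in datagrams:
        body, digest = d[:-DIGEST_LEN], d[-DIGEST_LEN:]
        if hashlib.sha256(body).digest()[:DIGEST_LEN] != digest:
            continue  # damaged in transit: silently discarded, never NACKed
        _, n, idx = HEADER.unpack_from(body)
        total = n
        chunks.setdefault(idx, body[HEADER.size:])
    if total is None or len(chunks) != total:
        return None
    return b"".join(chunks[i] for i in range(total))


if __name__ == "__main__":
    # With threefold repetition, losing every third datagram still yields the payload.
    print(reassemble(one_way_link(build_datagrams(7, SAMPLE_PAYLOAD, repeat=3), drop_every=3)))
    # With no redundancy the same loss pattern leaves a gap the receiver cannot fill.
    print(reassemble(one_way_link(build_datagrams(7, SAMPLE_PAYLOAD, repeat=1), drop_every=3)))
```

The receiver's only options on a missing or damaged chunk are to discard the stream or log the gap; real diode transfer software uses the same shape (sequence numbers, per-datagram integrity checks, forward redundancy) for exactly this reason, and the monitoring of those gaps happens on the receiving side.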

It follows that we see the strongest adoption of data diodes in sectors with stringent, enforceable network security regulations rather than a preponderance of voluntary guidelines: the military and intelligence agencies, and critical infrastructure such as energy utilities, oil and gas, and water utilities.

Why Should I If I Don’t Have to?

“But Charlie,” you say, “I’m not a nuke, or the military, or some regional power utility, I’m but a humble pharmaceutical manufacturer. I’m not required to have these ridiculous security measures like they are. Why should I invest in something like that unless I have to?”

I can give you three reasons why it doesn’t make sense for pharma manufacturers like you to wait for regulations to beef up your security:

  1. Target of Opportunity: As the joke goes, “I don’t have to outrun the bear, I just have to outrun you!” Don’t be the one the bear catches. The guidelines available today tell you most of what you need to know to secure your network against current threats, and attackers are not waiting for them to be turned into regulations – just ask Merck, Bayer, or Charles River. As the level of cybersecurity rises across the major players in an industry, the organizations that act first get hacked last (and pay less in remediation), because attackers tend to go after the targets of opportunity with the weakest security.
  2. Time: You have time now – use it. As a pharma, you know how this dance goes. If and when the regulators lose their patience, you will be held to their timeframe, which is likely to be more aggressive than you want (or can manage).
  3. Financial Penalties: The security of your networks, business, validated processes, customers, and reputation should be reason enough to adopt the guidelines now. But legislators are also realizing they can adjust penalties to reward good behavior. A recent Senate healthcare bill [1] recommends reduced breach fines for organizations that can show they were following recognized security practices – in effect a penalty for those who were not – which adds another financial incentive to adopt the guidelines before you are forced to.

The guidelines are out there. You can no longer feign ignorance if you get hacked, and there is no reason you cannot begin to implement a proactive cybersecurity strategy with your organization today. Your customers know, your executives know, and regulatory bodies know that you should know. To be blunt: if you get breached because you failed to implement the guidance available, it’s your own fault.

So what are you waiting for?

The List

Here are a few cybersecurity guidelines you might want to review and adopt. Data diodes support NIST, SANS, DHS, HHS, and FDA cybersecurity best practices around one-way flow mechanisms, principles of least functionality/privilege, network segregation/segmentation, network monitoring, and end-point protection. We’d be glad to show you how.

National Institute of Standards and Technology (NIST)

SANS Institute

U.S. Department of Homeland Security (DHS)

U.S. Department of Health and Human Services (HHS)

U.S. Food & Drug Administration (FDA)

Let us know if you have questions on these guidelines, or would like to learn how data diodes are part of a complete cybersecurity strategy.

[1] Senate HELP bill, Lower Health Care Costs Act of 2019, Title V, Section 502, Recognition of Security Practices (pp. 160-162)
