Cost of privacy and security breaches
Varying causes of breaches: hackers and insiders
Lack of a comprehensive compliance framework
Velocity, volume and variety of data collected increases risk
Moving beyond traditional healthcare settings increases risk
Evolving global security and privacy regulations
Difficulty of building a solid security organization and system
As Digital Health continues to proliferate and health data breaches rise globally, CISOs and privacy officers at leading biopharma and medtech companies are faced with a conundrum: they have more sensitive data today than they have historically had, with more potential risk of a breach than ever before.
Regional, federal, state and municipal governments around the globe are also continuing to pass new and conflicting privacy laws that empower patients with data access rights and create additional compliance responsibilities.
As biopharma and medtech companies consider building their own cloud-based platforms to manage data coming from new digital products and services, it is important to recognize the heightened security risk of collecting patients’ medical data, even if much of the data is de-identified.
Bottom line: Maintaining a homegrown digital health platform requires significant resources devoted to complying with nonuniform privacy laws and evolving security threats in order to avoid the financial penalties, bad publicity and harm to patients that can result from a breach.
And if a breach does occur, biopharma and medtech CISOs and privacy officers know they will be the first to receive a call from their C-suite asking why their company took on the risk of developing a cloud-based platform internally when it is not their core competency.
Instead of courting the risks, costs and delays that developing and securing an in-house digital health platform can require, biopharma and medtech companies would do best to invest in a strategic technology partner that can manage their end-to-end digital health needs, so they can focus on their core business of creating more effective devices and therapies.
This white paper offers up key considerations and recommendations for CISOs and privacy officers as they look to build safe and scalable strategies for the digital era.
It’s no secret that data breaches and their associated costs are on the rise. The average cost of a health data breach globally is $406 per record, the highest per capita cost of any industry. To put this number in perspective, the financial industry’s per capita cost is the next largest, but only about half that amount at $206 per record breached.[1]
As pharmaceutical companies become stewards of patient health information, it is more likely that cyberattacks will target them simply because they now hold valuable health data.
Merck suffered the worst known cyberattack on a biopharma to date. The pharmaceutical company lost $915 million because of the NotPetya cyberattack that indiscriminately hit companies globally in June 2017. The attack spread through Microsoft Windows systems on which a necessary security patch had not been installed, and then encrypted the users’ data to lock them out. NotPetya took down Merck’s operations. The attack resulted in a $260 million decline in sales, a $330 million impact on marketing and administrative expenses and production costs, and a $200 million impact on 2018 sales through residual backlog. Six months after the attack, Merck said it had most of its operations online again.[2]
"Companies understand that data breaches can truly disrupt business and are not just something that causes the system to go down temporarily. They also can have a negative effect on the company's reputation. It is important to understand that this is not just a regulatory risk but also an operational and reputational risk."
– Maarten Stassen, Partner, Crowell & Moring
Another area of concern is that the number of patient records exposed in the United States nearly tripled between 2017 and 2018. An incredible 15 million patient records were exposed last year.[3]
As millions of hacked medical records flood the black market, the price has fallen from as much as $350 for a full patient record to as little as $6.[4,5] Cybersecurity experts believe the falling price has not discouraged cyberattacks on healthcare entities. Instead, hackers are recouping their recent profit losses by extracting larger numbers of records.
While the number of health data breaches caused by hacking has increased in recent years and accounted for 44 percent of breaches in 2018,[2] company insiders caused 28 percent of breaches.
Medtech company Zoll, for instance, notified more than 270,000 patients that their personal data and medical information had been exposed after an error made during a server migration.[6]
In another example, just months before the European Union’s General Data Protection Regulation (GDPR) went into effect, Johnson & Johnson accidentally leaked the home addresses and emails of hundreds of people in Ireland as part of an online promotion for one of its products.[7]
The point is, it’s not just outside hackers that CISOs and privacy officers need to watch out for – the internal tools, processes and people accessing the information are just as critical to manage.
Unlike the financial industry, which has the Payment Card Industry (PCI) Data Security Standard, healthcare hasn’t had a framework that sets standards around security best practices. In turn, healthcare companies are taking fragmented approaches to security and privacy, which makes organizations hesitant to exchange data with each other.
The highly prescriptive PCI framework sets standards around security best practices that include specifics for review of information, logs, and encryption. For many years, healthcare had no PCI equivalent. The Health Insurance Portability and Accountability Act of 1996, or HIPAA, is far less prescriptive than the PCI framework. While HIPAA provides some specific requirements that organizations need to implement, including technical, administrative and physical controls, it does not specify how to implement those controls to be in compliance.
About ten years after HIPAA passed, healthcare organizations finally created their own framework, called the HITRUST Common Security Framework (CSF). HITRUST CSF has quickly become the standard security certification for companies responsible for safeguarding patient health information as it harmonizes various international standards and regulations, including HIPAA, ISO, NIST, and PCI into a comprehensive set of baseline security controls.
The velocity, volume and variety of health data are all ramping up. While clinical trials have leveraged health apps and connected health devices in recent years, biopharma and medtech companies are just beginning to collect real-world data at the population level. Digital health brings a transition from managing data streaming from hundreds of patients in a controlled setting to thousands or potentially millions of patients in a commercial environment. Data volumes will also increase dramatically as real-time data streams from wearables, like heart rate monitors and blood pressure devices, which take measurements every five minutes compared to today’s annual or bi-annual blood pressure measurements.
The sheer volume of health data has increased by orders of magnitude in recent years with no signs of slowing down:
Beyond an increase in volume, CISOs and privacy officers also need to consider the variety of data being captured. For instance, connected electrocardiogram devices record audio of the patient’s voice while they take a reading, which can be analyzed later using digital biomarkers for mental health and other conditions. Respiratory apps record the sound of a patient’s cough and analyze the audio to help clinicians with diagnoses. Vital sign monitoring algorithms can detect heart rate and other biometrics from video recorded during a remote visit between a patient and a physician. And the list goes on…
"With new legislation targeting privacy and security breaches, companies are increasingly recognizing that data is no longer just an asset but also a liability. As a result, companies are starting to focus on 'smart data' rather than just 'big data'."
– Maarten Stassen, Partner, Crowell & Moring
A recent CHIME-KLAS survey of CIOs, CTOs and CISOs at healthcare provider organizations found that 18 percent had medical devices at their facilities that were impacted by malware or ransomware during the previous 18 months.[10] Overall, 96 percent of respondents pointed to medical device manufacturer-related factors as a root cause of the medical device security issues. Those factors included out-of-date operating systems or the inability to patch devices.
As connected medical devices for home use continue to proliferate, medtech companies’ security issues will be compounded. While keeping medical devices in traditional healthcare environments secure has proven to be difficult, ensuring the security of connected health devices in homes, workplaces and public spaces will be even more so.
Since 2015 the FDA has issued public warnings about cybersecurity vulnerabilities in medical devices that "allow unauthorized users to remotely access, control, and issue commands to compromised devices," which could lead to "severe patient harm".
The FDA and the Department of Homeland Security jointly issued an alert in March 2019 about a critical vulnerability found in thousands of Medtronic defibrillators that could allow a hacker to remotely control the implanted devices. As this cyberattack scare highlights, breaches for biopharma and medtech are no longer just about protecting trade secrets; patients’ lives are at stake.
In another example, after an independent research firm identified security vulnerabilities in St. Jude Medical’s implantable cardiac devices and Merlin@home transmitter, the FDA published a public warning. (St. Jude Medical is now a part of Abbott.)
The FDA also issued a warning about cybersecurity vulnerabilities in Hospira’s Symbiq Infusion System.
"Every CEO, CTO and CISO I know has a very healthy respect for the rapidly changing landscape of security risk and what is taking place in that threat environment. If you find someone who is incredibly confident in their capabilities, then you probably just found someone who is not competent enough for the role."
– Diana McKenzie, Board member, MetLife & Change Healthcare, Technology Advisor, Brighton Park Capital, Former CIO at Workday and Amgen
From a security perspective, the FDA and other regulators make clear that it is the responsibility of the medical device manufacturer to assess vulnerabilities in its own products and implement appropriate risk mitigation measures. However, regulators around the world continue to issue new cybersecurity guidance documents as medical devices increasingly leverage connectivity and analytics. This evolving landscape proves challenging for medtech and biopharma companies.
Here’s what’s occurred in the last few years alone:
The European Union’s approach to medical device cybersecurity has also shifted in recent years. The EU is in the middle of a grace period for its new medical device regulations, MDR (EU) 2017/745 and IVDR (EU) 2017/746, which include guidance related to cybersecurity. These two regulations replace the three existing directives (93/42/EEC, 98/79/EC and 90/385/EEC) for medical devices in the EU. While the new regulations went live in May 2017, they will be fully enforced in May 2020 for MDR and May 2022 for IVDR.
Is your head spinning yet? That’s just the security side of things.
The global privacy legal thicket is the most formidable challenge facing biopharma and medtech companies as they move into digital health.
The world’s most ambitious privacy law, the European Union’s General Data Protection Regulation (GDPR), went into effect May 2018 and applies to any organization that collects or processes personal data from residents of the EU. GDPR requires medtech and biopharma companies to obtain explicit consent from end users using clear language that can easily be understood by the general public. The consent must also include specifics around how the data will be processed and used.
"It all goes back to consent and making sure you provide the level of detail in your consent that is understandable, comprehensive, and thoughtful about the intended use of the information. This can only be achieved by truly collaborating with the business. You can craft the best possible consent for what the business "says" they want on Wednesday, but if you are not working with the team and understanding and incorporating their needs into the consent, it is likely your consent will be obsolete by Friday. And if you’ve already collected consent, the need to revisit and to get consent again arises, potentially triggering fatigue from the end consumer."
– Zoe Philippides, Chief Privacy Officer, Amgen
"GDPR went into effect in May 2018 but there isn’t an understanding of what will happen when the first big fine is levied against a company and how the podium policy will start to take on more color and context. People are just waiting for that and hoping that they are doing everything they should be doing without negatively affecting their ability to be competitive."
– Diana McKenzie, Board member, MetLife & Change Healthcare, Technology Advisor, Brighton Park Capital, Former CIO at Workday and Amgen
Privacy and security laws in the US are numerous, complex, and often not in agreement. In addition to federal laws like HIPAA, there are hundreds of state-specific security and privacy laws. California alone has more than 25 of them, including the California Consumer Privacy Act (CCPA) signed in 2018. The CCPA, which some describe as the GDPR of the US, becomes effective on January 1, 2020. Similarly, forty-eight states have their own breach notification laws. Even individual towns and cities have passed their own privacy regulations.
Countries around the world, including Russia, China, India, Japan, Australia, Chile, and New Zealand all have their own respective privacy laws — just to name a few.
"We continue to see fragmentation in Europe, too. GDPR was supposed to bring a holistic approach by providing a more consistent, standardized approach across the EU, thereby helping both companies and individuals anticipate and understand how GDPR would be applied, regardless of country. But we are seeing a fair amount of fragmentation. Not just country by country, but also, frankly, Data Protection Authority by Data Protection Authority."
– Zoe Philippides, Chief Privacy Officer, Amgen
"If you have a global digital health platform that receives data from devices, you need to know who you are collecting information from, what types of information you are collecting, and where and how it is processed. In Russia, for example, when you collect information about Russian citizens, Russian data localization legislation requires you to store it on servers in Russia."
– Maarten Stassen, Partner, Crowell & Moring
Ensuring your systems, products and teams are all compliant with these evolving regulations is incredibly challenging.
As breaches continue to rise, the volume of data increases and the overall risk for biopharma and medtech companies grows, there is a desire to bring more security expertise in house. However, that’s easier said than done.
"The challenge is that privacy and security are not the type of things you can just throw money and people at. Talent is scarce. Experienced talent is even more scarce."
– Diana McKenzie, Board member, MetLife & Change Healthcare, Technology Advisor, Brighton Park Capital, Former CIO at Workday and Amgen
While security is a growing concern for biopharma and medtech, most companies are not increasing the budgets to address the growing challenges that come with the digitization of healthcare.
"Funding is not there for healthcare security — even now. It remains an afterthought. Healthcare systems with multiple hospitals believe they are doing the right thing by hiring a CISO, but they do not provide them with an adequate budget or staff. They are not allocating enough funding for it or driving the importance of it across their organization."
– Jothi Dugar, CISO, NIH Center for Information Technology
Given these challenges, companies are looking to partner with technology and security experts.
"For one of our large institutional accounts, we are the first [Business Associate] of theirs to have a cloud system that is storing patient data that is located outside of their perimeter. There is a lot of rigor involved with our product as a connected device that handles patient data on behalf of the healthcare provider. Managing large institutional accounts like this has driven a lot of awareness internally about the importance of cybersecurity in our product."
– Sudhir Mahakali, Senior Director, Surgical Informatics & Cybersecurity, Alcon
World-class life sciences and medtech companies would never accept less than best-in-class regulatory, security, or privacy practices when it comes to their core therapeutic or device business. At BrightInsight, we believe the same rigor should be applied as biopharma and medtech position themselves in the age of digital health.
BrightInsight provides the leading global regulated digital health platform for biopharma and medtech. Our medical-grade Internet of Things (IoT) platform is built under a Quality Management System to support and optimize highly regulated medical device data and personal health information, and is designed to support up to Class III medical device and combination product intended uses.
The BrightInsight™ Platform uses software and services to capture, transmit and analyze data from CE-marked and FDA-regulated medical devices, combination products, apps and Software as a Medical Device, in compliance with security, privacy and regulatory requirements. Deployed as a managed service, the platform accelerates the time to market for biopharma and medtech companies, reduces the cost of implementation and maintenance versus a custom solution, and scales across products and global markets.
As the leading regulated IoT platform for biopharma and medtech, BrightInsight has achieved the utmost privacy, security, regulatory and quality certifications to minimize customer risk and protect sensitive health information.
As part of our highly differentiated managed service, we actively address ongoing privacy and security requirements so our customers don’t have to. For example, we achieved the French HDS (“Hébergeur de Données de Santé”) certification to strengthen the security and protection of personal health data. BrightInsight is one of the first managed service platforms to receive this certification. We pursued the HDS certification to underscore our ability to scale our privacy and security tools and processes for our customers while protecting sensitive health data.
BrightInsight has put the people, processes, and tools in place to protect sensitive data. All Patient Identifiable Information (PII) lives in a completely separate cloud environment from the de-identified patient health information (PHI) data lake and from the cloud environment that runs operations for the customer’s products.
BrightInsight’s team of privacy and security experts includes a privacy officer, Chief Information Security Officer (CISO), security architect, security operations engineers, as well as risk and compliance professionals. BrightInsight’s team receives continuous training and monitoring to ensure compliance with privacy and security policies.
Ongoing operational and administrative safeguards include incident response and forensic analysis, regular vulnerability assessment and risk analysis, regular internal and third-party penetration testing, security updates and patching, regular testing of disaster recovery, as well as regular third-party audits.
BrightInsight’s platform is fully managed and protected by a defense-in-depth architecture with multiple dimensions of technical controls. BrightInsight’s secure architecture is designed to ensure segregation of sensitive PII.
BrightInsight offers data privacy services to safeguard patient data, support patient rights and meet global compliance requirements.
BrightInsight’s managed service approach pairs clients’ privacy officers with a dedicated privacy subject matter expert who tracks global data privacy requirements in real time on their behalf.
The managed service component offers compliance support, which includes audit logs, data retention, incident response and breach notifications, Data Protection Impact Assessment, as well as patient consent management.
BrightInsight helps customers comply with their patients’ rights, such as the Right to be Forgotten and the Right to Access, among others, which are guaranteed under GDPR in the European Union.
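The two ideas above, keeping identifiers in an environment separate from the de-identified health data and then honouring Right to Access and Right to be Forgotten requests, can be shown concretely with a small pseudonymization model. The following Python is an added illustration written for this page, not BrightInsight's platform code; the two in-memory stores, the field names treated as identifying, the ten-year age band used to coarsen a birth date, and the sample device message are all assumptions constructed for the example.

```python
"""Added illustration (not BrightInsight's code): split each device message
into identifiers (vault) and de-identified readings (data lake), linked only
by a random token, then serve access and erasure requests through that link."""
import secrets
from typing import Dict, List, Optional, Tuple

# Field names treated as identifying: an assumption for this illustration.
PII_FIELDS = frozenset({"name", "email", "date_of_birth", "address"})

# Constructed sample message, as a home blood-pressure monitor might upload it.
SAMPLE_MESSAGE = {
    "name": "Jane Doe",
    "email": "jane.doe@example.com",
    "date_of_birth": "1975-03-02",
    "address": "1 Example Street",
    "device_id": "bp-monitor-0017",
    "timestamp": "2019-06-01T08:05:00Z",
    "systolic": 128,
    "diastolic": 82,
}


class IdentityVault:
    """Stands in for the separate PII environment: token -> identifiers."""

    def __init__(self) -> None:
        self._records: Dict[str, Dict] = {}

    def register(self, pii: Dict) -> str:
        token = secrets.token_hex(16)  # random: nothing is derivable from it
        self._records[token] = dict(pii)
        return token

    def lookup(self, token: str) -> Optional[Dict]:
        return self._records.get(token)

    def erase(self, token: str) -> bool:
        return self._records.pop(token, None) is not None


class HealthDataLake:
    """Stands in for the de-identified PHI data lake: token -> readings."""

    def __init__(self) -> None:
        self._readings: Dict[str, List[Dict]] = {}

    def ingest(self, token: str, reading: Dict) -> None:
        leaked = PII_FIELDS.intersection(reading)
        if leaked:  # boundary guard: identifiers must never reach this store
            raise ValueError(f"identifying fields rejected: {sorted(leaked)}")
        self._readings.setdefault(token, []).append(dict(reading))

    def readings_for(self, token: str) -> List[Dict]:
        return [dict(r) for r in self._readings.get(token, [])]

    def purge(self, token: str) -> int:
        return len(self._readings.pop(token, []))


def age_band(date_of_birth: str, current_year: int) -> str:
    """Coarsen an exact birth date (a quasi-identifier) to a ten-year band."""
    age = current_year - int(date_of_birth[:4])
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def split_message(message: Dict, current_year: int) -> Tuple[Dict, Dict]:
    """Return (identifiers, de-identified reading) for one raw device message."""
    pii = {k: v for k, v in message.items() if k in PII_FIELDS}
    reading = {k: v for k, v in message.items() if k not in PII_FIELDS}
    reading["age_band"] = age_band(message["date_of_birth"], current_year)
    return pii, reading


def ingest_message(message: Dict, vault: IdentityVault, lake: HealthDataLake,
                   token: Optional[str] = None, current_year: int = 2019) -> str:
    """Route identifiers to the vault and the reading to the lake.
    Pass the patient's existing token to attach further readings to it."""
    pii, reading = split_message(message, current_year)
    if token is None:
        token = vault.register(pii)
    lake.ingest(token, reading)
    return token


def access_request(token: str, vault: IdentityVault, lake: HealthDataLake) -> Optional[Dict]:
    """Right to Access: reassemble a subject's data, possible only while the link exists."""
    identity = vault.lookup(token)
    if identity is None:
        return None
    return {"identity": identity, "readings": lake.readings_for(token)}


def erasure_request(token: str, vault: IdentityVault, lake: HealthDataLake,
                    purge_readings: bool = False) -> bool:
    """Right to be Forgotten: drop the vault entry so readings can no longer be
    tied to a person; whether the de-identified readings are also purged is a
    retention-policy choice, modelled here as a flag (an assumption)."""
    erased = vault.erase(token)
    if purge_readings:
        lake.purge(token)
    return erased


if __name__ == "__main__":
    vault, lake = IdentityVault(), HealthDataLake()
    tok = ingest_message(SAMPLE_MESSAGE, vault, lake)
    print(access_request(tok, vault, lake))
    erasure_request(tok, vault, lake)
    print(access_request(tok, vault, lake))  # None: link is gone
```

The point of the boundary check in `HealthDataLake.ingest` is that segregation is enforced by the store that must stay clean, not only by the code that happens to do the splitting; an insider error of the kind described earlier on the page (a migration or export that ships the wrong fields) is then rejected rather than silently stored.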
The biopharma and medtech companies that thrive in today’s digital era will be the ones that continue to uphold robust standards in the face of ever-evolving and expanding security and privacy threats.
There are a number of variables biopharma and medtech companies need to consider when building a digital health platform. At the end of the day, it’s paramount that CISOs and privacy officers uphold the same risk management standards their companies have operated with since their founding.
One crucial difference between safeguarding biopharma and medtech’s traditional datasets and new digital health ones, is that making the wrong decision about security or privacy doesn’t just put the company’s reputation or intellectual property at risk, it may put patients’ lives at risk. Data breaches or compliance issues can lead to hefty fines or regulators shutting down a product altogether.
CISOs and privacy officers should work with their CIOs to invest in a digital health platform that can support the evolving needs of the Commercial and R&D sides of the business quickly – such as adding new products, entering new markets or accelerating clinical trials – in a regulated environment that meets the requirements of standards bodies globally.
Instead of courting the risks, costs and delays that developing and securing an in-house digital health platform can require, biopharma and medtech companies would do best to invest in a partner that can manage their end-to-end digital health needs, so they can focus on their core business: creating more effective therapies.
When building a digital health IoT platform, partner with BrightInsight and leverage our medical-grade platform to maximize your speed to market, minimize your risk and future-proof your platform.