Cyber and Data Breach

Exposure

Life Sciences organizations often have access to, or store, personal health information or personally identifiable information, two of the most common targets of breaches. Physical and cyber security are critically important to ensure the integrity and performance of an organization and its products or services. In addition, Life Sciences companies may offer products or services that handle confidential information, making them particularly vulnerable to cyber attacks and unintended dissemination of sensitive data. The risks organizations face related to their data include:

  • Organization - Physical and Cybersecurity

    • Software and systems

    • Confidential business information

    • Website and social media

  • Product or Service Cybersecurity

    • Software and hardware

    • Personal Health Information (PHI) and Private Personal Data (PPD)

Network and Wireless Vulnerabilities

  • Web servers, which are quite common in interfacing with medical devices, commonly contain vulnerabilities that can be easily exploited by attackers, who use readily available tools to scan for security weaknesses. 

  • Database servers (commonly referred to as a database back-end) are highly vulnerable to SQL injection, which seriously degrades all three of the aspects of information security (confidentiality, integrity, and availability). 

  • Application software describes any software running on a device, whether in conjunction with either of the previous two categories or on its own. Attacks on this layer are likely to succeed where the software has not been through rigorous vulnerability testing to determine what weaknesses may be present.

What Can Happen

  • Confidentiality may be compromised by unauthorized access due to poor security control measures, resulting in litigation and serious financial consequences. 

  • Integrity may be affected by poor configuration, corruption of data, or unauthorized manipulation of information. This may adversely impact patient safety due to potentially incorrect clinical decisions or from the device being operated by an attacker. 

  • When access to data or a device is limited or lost, this can adversely impact patient safety by limiting access to relevant or critical information, thereby affecting subsequent clinical decisions and communication. 

How to Reduce Risk

The FDA and the National Institute of Standards and Technology (NIST) have developed a comprehensive framework to address cyber security. Adherence to the following key components will help mitigate the potential risks of injury:

  • Pre-Market Cybersecurity:

    • Identification of assets, threats, and vulnerabilities

    • Assessment of their impact on device functionality and end-users/patients

    • Assessment of the likelihood of exploitation

    • Determination of risk levels and suitable mitigation strategies

    • Assessment of residual risk and risk acceptance criteria 

  • Post-Market Cybersecurity:

    • Monitoring cyber security information sources for identification and detection of vulnerabilities and risk

    • Detecting, assessing, and understanding the presence and potential impact of a vulnerability

    • Establishing and communicating processes for vulnerability intake and handling

    • Clearly defining essential clinical performance to mitigate, protect, respond, and recover from the cyber security risk

    • Adopting a coordinated vulnerability disclosure policy and practice

    • Deploying mitigations that address cyber security risk prior to exploitation

©2017 BY BROWN & BROWN INSURANCE BROKERS OF SACRAMENTO, INC.

CA License #: 0H38004 | NYSE: BRO

5750 W Oaks Blvd Suite 140, Rocklin, CA 95765, USA