Cybersecurity tips for Life Science companies

Renate Pochert, Senior Risk Engineer and Life Science Practitioner
Wouter Wissink, Head of Speciality Engineering, Chubb Overseas General

Life science companies are exposed to many cybersecurity risks that are particular to their sector. Pharmaceutical and biotechnology companies, medical device manufacturers and service organisations such as testing laboratories or contract research organisations hold a great deal of valuable data, critical Operational Technology (OT) and IT systems, and intellectual property (IP), all of which must be managed, secured and protected.

While the fundamental principles of cybersecurity apply to almost every business in any industry, this list highlights specific areas of focus for life science companies in the UK and Europe.

IT risk analysis

Common cyber risks for life science companies include:

  • Attacks on connected medical devices such as insulin pumps or pacemakers
  • Theft of patient data from hospital networks or clinical trial IT systems via life science products or services
  • Manipulation of environmental management systems

These attacks can have serious consequences, such as device malfunction, production disruption, financial loss, reputational damage and compromised patient safety. 

Involving IT specialists in the risk analysis process helps to identify cybersecurity vulnerabilities, plan mitigation strategies and implement tighter security measures. IT risk analyses can also help to mitigate IT-related risks that could affect device reliability and functionality.

OT controls

Monitoring the security of Operational Technology – such as laboratory or dedicated production equipment – is as important as monitoring IT for life science companies. Regular system scans, vulnerability assessments and 24/7 network monitoring help to detect anomalies and enable a swift response to suspicious activity. Regularly installing security patches and updating software mitigates known vulnerabilities.

Data protection

Many life science companies manage vast amounts of medical data, and its seizure or tampering by cyber attackers could have serious consequences. Data should be categorised into risk classes, with protected health information (PHI) given the strictest level of protection and access restricted to only those employees who need it. Data protection measures such as encryption of databases, laptops and internet-connected systems make it more difficult for malicious actors to reach this information. Compliance with local data protection regulation such as the GDPR must also be ensured. Highly sensitive corporate information that is intrinsic to the value of the company likewise needs strict controls within the corporate network.

Multi-factor authentication

Multi-factor authentication (MFA) provides an additional layer of security by requiring employees to verify their identity through more than one method, which significantly reduces the risk of unauthorised access. MFA systems also let life science companies log and trace each authentication event, so that the individuals who accessed particular data or systems can be identified. This enhances accountability, helps in identifying potential data corruption or breaches, and enables immediate action in case of suspicious or hostile activity.
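The two controls above (risk-classed data with need-to-know access, and MFA with a traceable authentication trail) can be expressed as one small policy engine. This is an added example, not code from the article or from Chubb; the dataset names, risk classes and user ids are constructed placeholders.

```python
# Added example (not code from the article or from Chubb): a minimal need-to-know
# policy engine in which PHI is the strictest risk class, sensitive classes require
# MFA, and every decision lands in an audit trail that can be traced per dataset.
# Dataset names and user ids are constructed placeholders.
from dataclasses import dataclass, field
from enum import IntEnum

class RiskClass(IntEnum):
    PUBLIC = 0        # published papers, marketing material
    INTERNAL = 1      # general corporate documents
    CONFIDENTIAL = 2  # proprietary IP such as process or formulation data
    PHI = 3           # protected health information: strictest protection

@dataclass(frozen=True)
class Dataset:
    name: str
    risk_class: RiskClass
    need_to_know: frozenset  # user ids with a documented business need

@dataclass
class PolicyEngine:
    datasets: dict
    audit_log: list = field(default_factory=list)

    def evaluate(self, user: str, dataset: str, mfa_verified: bool) -> bool:
        """Decide one access request, record it, return True only when allowed."""
        ds = self.datasets.get(dataset)
        if ds is None:
            reason = "deny:unknown_dataset"
        elif ds.risk_class >= RiskClass.CONFIDENTIAL and user not in ds.need_to_know:
            reason = "deny:no_need_to_know"   # access limited to those who need it
        elif ds.risk_class >= RiskClass.CONFIDENTIAL and not mfa_verified:
            reason = "deny:mfa_required"      # second factor for sensitive classes
        else:
            reason = "allow"
        self.audit_log.append({"user": user, "dataset": dataset,
                               "mfa": mfa_verified, "decision": reason})
        return reason == "allow"

    def who_accessed(self, dataset: str) -> list:
        """Trace from the audit trail which users were actually granted access."""
        return sorted({e["user"] for e in self.audit_log
                       if e["dataset"] == dataset and e["decision"] == "allow"})

def build_demo_engine() -> PolicyEngine:
    # Constructed sample inventory: one PHI dataset and one public one.
    return PolicyEngine({
        "trial-042-patients": Dataset("trial-042-patients", RiskClass.PHI,
                                      frozenset({"clin_ops_1", "dpo"})),
        "press-kit": Dataset("press-kit", RiskClass.PUBLIC, frozenset()),
    })
```

Denied entries in `audit_log` (an unknown dataset, a user outside the need-to-know list, or a sensitive access without MFA) are the events a security team would review first.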

Physical protections

Ensuring premises are physically secure helps to protect life science companies’ valuable data and intellectual property. Conduct thorough screening of personnel, particularly those who have access to sensitive data. If data storage or critical IT or OT infrastructure is housed on site, an uninterruptible power supply or emergency power generator may be a worthwhile purchase. Consider secure storage of valuable assets, with appropriate access control systems for employees and visitors.

Incident response planning

Life science companies can plan effectively for cyber incidents by implementing a comprehensive disaster recovery plan (DRP) that sets out step-by-step procedures for responding to and recovering from cyberattacks. This includes clear protocols for incident reporting (including to the relevant Data Protection Authority), incident management and communications. The DRP should be tested regularly and employees given ongoing training on the response plan. A business continuity plan (BCP) in addition helps to ensure that business activities continue as far as possible following an incident.

Summary

As life science companies gather and manage PHI, their own proprietary data and intellectual property, they should take care to protect against cyber vulnerabilities. All the steps suggested here align with the CIA principles: confidentiality, integrity and availability. Life science companies should also familiarise themselves with the ISO 27001 information security standard and discuss it with their insurance partner’s specialist risk engineers.

Specialising in Life Sciences for over 25 years, Chubb offers specialist products, supported by underwriters, risk engineers and claims handlers who are industry specialists. From product liability and clinical trials to professional indemnity, and property insurance to cyber and marine, we have it covered. We can support from the early R&D phase through to complex multinational. Contact us today to learn how you can partner with us to utilise our expertise and experience with the life sciences.
