CIO Insider

CIOInsider India Magazine


Pharma Companies: How to Protect Your Intellectual Property?

Filip Cotfas, Channel Manager, CoSoSys

Intellectual property (IP) is a crown jewel asset class of pharmaceutical companies. Threat actors prize pharma IP for its high perceived value, and they are willing to deploy a diverse range of tools and techniques to infiltrate pharma networks and exfiltrate sensitive data.

Companies across the pharmaceutical industry store a variety of proprietary data, from trade secrets related to formulas for drugs or vaccines to patents and industrial designs. IP protection is pivotal to mitigate enormous financial, legal, reputational, and existential risks stemming from cyber-attacks on sensitive class of information. Keep reading for some actionable tips for better protecting pharmaceutical intellectual property.

What Are the Incentives to Breach or Steal Pharma IP?
There are manifold ways to breach networks, infrastructure, devices, apps, and other health care systems to access intellectual property. But what are the incentives at play here for threat actors?

●The first and most obvious motivation is profit, in an industry projected to grow from $1.23 trillion in 2019 to $2.15 trillion by 2027. Threat actors that exfiltrate IP associated with an innovative new drug, for example, could leave pharma companies vulnerable to ransom and extort large payments. An alternative way to profit is to make this information available for sale on shady dark web marketplaces.

●Nation-state-sponsored actors focus on disrupting rival or competing economies. One way to do this is by exfiltrating valuable pharma IP and using this stolen information for their gain. Developing countries with limited economic growth may also employ state-sponsored hackers to steal IP and help advance their own pharmaceutical industries, which often lag behind in the developing world.

●Insider threats are another class of threat to the security of pharmaceutical patents and other IP. Profit is a potential motive for both outsiders and insiders, but there is also the possibility of disgruntled insiders disclosing this confidential information with the sole intention of causing harm to their employer.

A Note on Patents and Data Exclusivity
Multinational drug companies spend millions of dollars on R&D for new medicines and new pharmaceutical products. Patents are the main type of intellectual property that incentivize continued R&D, help generate revenue to recoup investments, and protect against infringement. Consider a company like Pfizer (a biotech and pharma company), which currently has 746 international patent rights that provide market exclusivity for a typical fixed patent term of 20 years.

Aside from intellectual property rights, data exclusivity rights protect data from clinical trials. Inventors get exclusive rights over clinical trial data to prevent companies from using this data to create generic versions of new products.

From a cybersecurity perspective, these details have important ramifications. Since patents are publicly available information, there is less need to safeguard already-registered patents. However, there is a delicate dance in patent protection as disclosing details about an invention (or having those details compromised) before filing a patent application can cause havoc for pharma companies. Therefore, patent protection for prospective new medicines and products need to be a part of IP protection in pharma.

Actionable Tips to Protect Intellectual Property in Pharma
With a 2021 report finding that 98 percent of pharmaceutical firms experienced at least one intrusion and 28 percent lost business-critical data or IP. It’s clear there’s a need to step up security measures.

Here are seven actionable tips for improving intellectual property protection and maintaining exclusivity over the ownership of this information.

Discover and Map IP Assets
Within the complex digital ecosystem that pharma companies operate, there is a pressing need to discover and map IP assets, including confidential information related to patents for new inventions and any other sources of IP in computer systems, such as trade secrets about medicinal products, medical devices, or industrial processes.

This IP asset inventory provides the bedrock for implementing other important security measures because you can’t protect what you can’t see. Furthermore, automated data discovery solutions are available, but the task will likely involve manual efforts to locate data, including surveying employees. Discovery and mapping should cover databases, e-mail messages, PDFs, and other electronic documents found on removable media, workstations, cloud infrastructure, on-premise servers, and operational technology (OT) devices.

Strictly Control IP Access
A cornerstone element in sensitive data protection is strictly controlling who has access to certain categories of information. The discovery and mapping stage informs you with an accurate inventory of what IP assets you have and where they are located.

Mistakes are one piece of the human factor, but intentional compromise is another that you can’t neglect

Encrypting digital IP stored (at rest) and in motion protects its confidentiality to prevent accessibility in plain text form. It’s also critical to securely manage personnel access to IP using the principle of least privileges to allow users to access resources for their work tasks. Over-privileged access can result in breaches of sensitive data assets when threat actors compromise or insiders abuse user accounts that didn’t need access to those assets in the first place.

Segment the Network
Network segmentation can also prove to be a useful tool in protecting IP in the pharmaceutical industry. This segmentation splits the network into smaller subnets with systems containing the most sensitive assets. They can be isolated in segments away from systems with a larger attack surface due to their exposure to the Internet or other risky points of entry.

This segmentation becomes important when you factor in the increased convergence between IT and OT systems.
Use Non-Disclosure and Confidentiality Agreements
In pharma, relationships with third parties are complex, including contractors, vendors, business partners, consultants, logistics companies, university research departments, and more. Pharma businesses rely on this network for both their strategic and operational goals.

Since third parties invariably get exposed to some categories of IP, such as trade secrets, confidentiality, and non-disclosure agreements (NDAs) have a key role to play. These agreements clearly state the obligation to avoid disclosing or using confidential information in any way other than specified in the contract. It’s important to include provisions in the contract for the need to maintain confidentiality over IP indefinitely.

Address the Human Factor
Any discussion about cybersecurity and data protection can’t overlook the human factor. It remains true that human error is the cause of many security incidents leading to data breaches. This message reinforces the fact that phishing was the second most common intrusion path into pharmaceutical networks in 2021.
Effective training educates employees in the fundamentals of cybersecurity, including recognizing phishing emails and other popular social engineering scams. Training should also cover how to securely connect to corporate resources from remote environments.

Confidentiality agreements or NDAs for employees at pharma companies can somewhat combat insider threats to IP. Employees with access to trade secrets and other IP assets are far less likely to disclose information when bound by an agreement with significant legal and financial consequences. Mistakes are one piece of the human factor, but intentional compromise is another that you can’t neglect.

Advanced Threat Detection
Keeping malicious actors out is ideal, but there needs to be technologies and processes in place that can detect in-progress threats based on indicators of suspicious activity. Ideally, advanced threat detection solutions can monitor your network for both behavior-based anomalies and breaches of traditional signature-based rules.

The red flags you want to get notified about and act on rapidly could include making configuration changes, unexpected downloads, remote access outside the normal IP address range, and more. Acting fast in response to ongoing threats can help to protect your IP, but you’ve got to detect the threat first.

Use a Data Loss Prevention Solution
Data loss prevention (DLP) solutions provide robust functionalities to help safeguard pharmaceutical intellectual property. These technologies can block the transfer of data from endpoint devices to removable drives, block file transfers, and even help discover data.

With printing, copying, and downloading information on endpoint devices representing some of the biggest risks to IP confidentiality, DLP technologies can stop these activities in their tracks or prevent them outright.

Current Issue
Ace Micromatic : Pioneering Excellence in Comprehensive Manufacturing Solutions