Healthcare and Life Sciences
The threats facing healthcare organisations vary according to whether they are: 1) pharmaceutical manufacturers or 2) front-line healthcare (i.e., hospitals, clinics, GPs).
Pharmaceutical companies are in essence hi-tech manufacturers, and the approximately $1.48 trillion [2] market thrives on intellectual property (IP) and innovation.
Pharmaceutical manufacturers earn on average $18.6 billion in total global revenues for a new drug, which is 10 times greater than development costs. [3] IP is therefore very much the ‘crown jewels’ of pharma companies’ data assets. Being of greatest value, they are also most at risk of theft. Protecting this data, wherever it resides, is a priority for CIOs.
Availability is a second key concern. Pharma businesses operate large manufacturing sites. Any downtime because of a successful security attack means lost production and, ultimately, lost revenue. It is thought that the downtime cost of production disruption in pharma manufacturing amounts to $100,000 to $500,000 per hour. [4]
As Jonathan Gohstand, director of security product marketing at HP, explains: “For CIOs at pharmaceutical businesses the huge costs associated with IP theft or downtime make these two challenges important levers for justifying a business case for improvements to technology or processes.”
When considering exactly which improvements to make, HP recommends that CIOs consider the following:
Data loss. CIOs understand the importance of securing the network with firewalls, data loss prevention (DLP) systems, intrusion prevention systems (IPS) and more. In the world of hybrid working, equal attention must now be given to the endpoint. In particular, CIOs should establish mechanisms to protect data and network access when a device is lost or stolen, such as HP Wolf Protect and Trace. With this capability, CIOs gain the ability to remotely locate, lock and wipe a lost or stolen device.
Availability. A key risk to availability comes from ransomware. CIOs can make it difficult for cybercriminals to launch ransomware through phishing attacks by making security processes integral to the device itself. After all, no matter how effective their training is, employees can’t be expected to catch every phishing attack. In-built, device-level security, such as that delivered by HP Sure Click Enterprise, can open emails and links in a virtual container that’s isolated from the corporate network. If malware is present, it can be dealt with in the container, without ever encountering the core network environment.
Hospitals’ approach to security is dictated in part by a skills crisis and a shortage of beds. On the one hand, there is a shortfall of an estimated one million health workers in Europe. [5] On the other, there’s an increase in demand driven by aging populations and a rise in chronic conditions that require long-term care.
To help address this disparity, healthcare providers are turning to connected care technology. Connected internet of things (IoT) devices can relieve the pressure on frontline care providers by, for example, enabling more care to take place in the community, with patients monitored remotely. The global connected healthcare market is expected to reach $541.46 billion by 2030 and to grow at a compound annual growth rate (CAGR) of 27%. [6]
Pelle Aardewerk, HP’s cyber security consultancy lead – personal systems services Europe, explains some of the security challenges facing hospitals: “The growth in connected devices expands the threat surface. Hospitals and other healthcare providers generally employ small IT teams, so managing the security of remote devices will be a major challenge. In addition to IoT devices, IT teams can also expect to manage a greater range of devices used by physicians and nurses out ‘in the field’ as more people are treated at home.”
Given that much of the data collected and transmitted by these devices is of a highly personal nature, healthcare organisations must consider the regulatory impact of security failures. Alongside reputation damage, CIOs should factor in heavy fines under GDPR should personal data from a connected device be intercepted or leaked.
Here are some steps that go above and beyond standard security controls for CIOs to consider:
Secure remote access. As the range of devices used to monitor patients grows, so does the need to secure remote access without compromising performance. Performance is particularly important in healthcare, where alerts generated by connected devices can be time-sensitive – alerting a physician to a patient’s change in condition, for example. In addition to network-based solutions such as zero-trust network access (ZTNA), CIOs should consider hardware-enforced zero-trust access on the device level. HP delivers this capability through HP Sure Access Enterprise, which operates each access session within its own virtual machine, thereby isolating the data being accessed from any malware present in the endpoint operating system.
Managed services. Given the relatively small IT teams traditionally used in front-line healthcare, CIOs can access broader expertise and capabilities using managed security services. While such services often focus on network security operations, there is a new segment of device-level managed services that can help ensure devices are configured properly and leveraging the full scope of inherent and installed security services. HP Device as a Service (DaaS) is a case in point, providing devices, repair services and AI-driven analytics to businesses as a managed service. Just as biomedical engineers today collaborate with manufacturers to maintain and operate MRI scanners, so it increasingly makes sense for IT teams to work with device manufacturers to better manage and secure their laptops, PCs, printers and other devices.
Masonicare is a healthcare provider based in the US. Even with endpoint security in place, Masonicare fell victim to a ransomware attack caused by an employee clicking on a malicious email. Since then, the company has made HP Sure Click Enterprise (SCE) the core component of its security approach. Now, each opened file is isolated in its own micro-virtual machine allowing the content to be used normally while rendering any malware harmless. As a result, the company has seen a 57% reduction of IT resources with zero breaches. [7]

[1] Checkpoint, “Cyberattacks on the Healthcare Sector,” 2022 https://www.checkpoint.com/cyber-hub/cyber-security/what-is-healthcare-cyber-security/cyberattacks-on-the-healthcare-sector/
[2] Statistics, “Revenue of the worldwide pharmaceutical market from 2001 to 2022,” March 2023 https://www.statista.com/statistics/263102/pharmaceutical-market-worldwide-revenue-since-2001/
[3] AHIP, “New Research: Big Pharma Companies Earn Big Revenues Through Patent Gaming,” December 2021 https://www.ahip.org/news/press-releases/new-research-big-pharma-companies-earn-big-revenues-through-patent-gaming
[4] Enterprisetechsuccess, “Pharmaceutical Industry Perspective Focusing on Power Quality Can Reduce Downtime 20 Percent,” May 2023 https://www.enterprisetechsuccess.com/article/Pharmaceutical-Industry-Perspective-Focusing-on-Power-Quality-Can-Reduce-Downtime-20-Percent/L1JTY0N4NVRHeWNtbElBRW8zaEVyZz09
[5] EC, “Health-EU newsletter 250 – Focus,” https://health.ec.europa.eu/other-pages/basic-page/health-eu-newsletter-250-focus_en
[6] Growth+ Market Reports, “Connected Healthcare Market Report (2022 to 2030),” February 2023
[7] For more information see: https://h20195.www2.hp.com/v2/GetDocument.aspx?docname=4AA8-1874ENW