When we consider the damage a data breach can cause, we tend to focus on the cost of breach reporting, potential fines and loss of reputation. One of the ‘unseen’ costs is the potential loss or theft of an organisation’s IP (intellectual property). IP includes sensitive business or trading information and research and development information.
The risk of losing your IP
Organisations rely on their IP to retain a competitive position in the market. For life sciences and pharmaceutical companies, this includes data on the development and testing of new therapies and details of how therapies are manufactured. For medical device companies, the software and interaction of medical devices and their integration into complex hospital systems are what set these organisations apart from the competition, so it is vital that they protect their IP.
For all organisations, strategic business plans and planned trading activities are also vulnerable and, if breached, can be duplicated, sold, ransomed or even used to manipulate stock market trading.
What are the threats?
A number of threat actors could benefit from stealing an organisation’s IP.
In the 2017 WannaCry attack, for example, cyber criminals used ransomware to prevent victims from accessing their IP unless a ransom was paid. This type of attack can be incredibly disruptive, and often the perpetrator will threaten to destroy the information they have compromised unless the ransom is paid. With WannaCry largely affecting NHS organisations, it could have resulted in the permanent loss of patients’ medical records. This would have had a devastating effect on patient care, and the cost of reacquiring that information would have been huge.
Disgruntled employees are another threat. Last year, private healthcare giant BUPA suffered a breach affecting 108,000 health insurance policies when a rogue employee copied and removed information from the organisation. The information affected is said to have included names, dates of birth, nationalities and insurance membership numbers.
Although the impact in this instance was not devastating, employees’ misuse of information can cause significant damage. One such case occurred when Sinovel, a leading wind-turbine manufacturer, headhunted an employee of AMSC, an energy technology company that owned proprietary wind turbine technology. Sinovel allegedly bribed the insider to steal this technology before leaving AMSC, using this to develop its own products in a move that AMSC’s boss claims was “attempted corporate homicide”. Sinovel was convicted of stealing trade secrets and ordered to pay a $1.5 million fine.
Preventive measures
The range of threats that organisations face makes it impossible to eliminate the risk of a breach. Organisations can, however, minimise the risks they face by understanding their vulnerabilities, providing the best defences against cyber attacks, and employing an incident response and business continuity plan to ensure survival if a breach occurs. This can be achieved with an effective cyber resilience programme.
A cyber resilience programme should identify, assess and manage the risks associated with an organisation’s network and information systems, including those across the supply chain, and build response and recovery measures that help the organisation take the necessary steps to minimise the impact of an attack.
Implementing a cyber resilience programme does not need to be an extensive project, but it should be unique to the organisation. For companies operating in the healthcare sector, a cyber resilience programme needs to consider the risks to patients and ensure supply continuity, should a breach occur.
Most healthcare providers in the UK are required to comply with the NIS Regulations (The Network and Information Systems Regulations 2018), which transposed the NIS Directive (Directive on security of network and information systems) into UK law in May 2018. The EU-wide Directive requires critical infrastructure organisations to achieve a robust level of cyber resilience. Suppliers to these healthcare providers should consider their own position to avoid being the ‘weak link’ in the supply chain.
Implementing cyber resilience requires you to have people in-house who understand the key elements of a cyber resilience programme. Our training courses give insight into how to implement an ISMS (information security management system) and a BCMS (business continuity management system), as well as practical training on cyber incident response management.