

      With greater digitalisation, life science and healthcare are growing strategically closer: data is being transferred and shared between organisations and people, and there is increased personalisation of both therapies and medicine. However, life science organisations are grappling with ever-expanding cyber threats which impact systems availability, data integrity and confidentiality of information.

      Healthcare and life science ecosystems involve numerous third parties and joint ventures, with stringent compliance requirements across geographical jurisdictions. At the core of healthcare and life science sits a fragile circle of trust between patients, clinicians, hospitals, researchers and life science organisations, within which companies must ensure that shared data keeps its integrity and remains accessible to those entitled to it. While collaboration brings valuable knowledge to the table, it also complicates the value chain. According to the KPMG CEO Outlook report 2024, 84 per cent of CEOs surveyed identified regulatory demands as a major hurdle for their organisations over the next three years. Life science organisations must comply with evolving rules around drug discovery, clinical trials, manufacturing and distribution across different geographies. This complexity can extend development timelines and increase costs.¹

      Artificial intelligence (AI) and machine learning (ML) have become integral to life sciences, especially in research. Their impact in the near future is likely to be transformative, enabling a significantly greater volume of research and faster development of medicines and therapies, which in turn is likely to drive down their economic cost. These tools will be used not only in research but also in clinical trials, production and core technology processes such as security and privacy. AI/ML is therefore integral both to the strategic future of life sciences in general and to protecting the intellectual property and personal data upon which the value of organisations in this sector is built.



      At the enterprise level, cybersecurity leaders in life sciences are aligning team priorities with their organisation's values and strategies. As both the value and the liability of data become more strategically important, organisations will need to be diligent about evolving data practices and about compliance and reporting obligations under multiple global regulations. CISOs will therefore need to inspire other areas of the company to build security into their own work, so that cyber risks to intellectual property and organisational operations are addressed proactively and trust over personal data is maintained. A core feature of this continuum is managing identity effectively and efficiently across multiple domains. As people gain greater control over their digital identities, those identities should become portable rather than tied to an individual organisation.

      About these insights

      The insights that follow originate from the KPMG Cybersecurity considerations 2024 report and have been adapted to provide a life science sector perspective for Chief Technology and Information Officers and their teams, to help them support their organisations' objectives, mitigate the impact of specific cyber incidents and reduce overall cyber risk exposure. This report also considers some of the core cyber challenges for life science organisations on the cusp of the AI/ML transformation, including customer expectations, harnessing the power of AI and managing digital identities.

      Consideration 1: Meet customer expectations, improve trust

      Today, life sciences organisations are increasingly expected to deliver innovative, secure and privacy-compliant solutions. The digitisation of health records, the adoption of cloud services for data management, and the personalised approach to patient care are reshaping what customers expect from healthcare providers and pharmaceutical companies.


      Data sovereignty and privacy risks – With the move to cloud services, navigating data sovereignty and privacy becomes increasingly challenging. Inadequately addressing these risks can lead to violations of data protection laws.

      Machine learning (ML) and AI in clinical trials – The increasing use of ML and AI tools to process clinical trial data introduces vulnerabilities, where data inaccuracies or manipulations could not only skew research outcomes but also expose sensitive patient information.

      Internet of Things (IoT) expansion – The integration of IoT devices in the sector expands the attack surface for cybercriminals. Such devices, if compromised, can lead to unauthorised access.

      Regulatory scrutiny – Major pharmaceutical and healthcare organisations find themselves under intense regulatory scrutiny. Non-compliance with cybersecurity standards can lead to regulatory penalties, operational disruptions and a loss of stakeholder confidence.

      Digitisation and cloud services – The shift towards digitisation and cloud computing presents an opportunity to reduce technical debt and enhance organisational security posture. It enables more robust cybersecurity measures, streamlined data management and improved compliance with data protection regulations.

      Adoption of advanced cybersecurity services – Advanced cybersecurity services provided by cloud platforms can significantly enhance monitoring and alerting capabilities.

      Unified cyber risk management – Digitisation facilitates a better understanding and management of both IT and operational technology (OT) cyber risks.


      Life science organisations face the dual task of innovating securely while meeting or exceeding regulatory and customer expectations for privacy and data protection. In response, they are proactively enhancing their regulatory compliance and cybersecurity frameworks. This includes adopting secure data storage and transfer protocols, alongside ensuring the transparency of AI/ML algorithms.

      Consideration 2: Unlock the potential of AI — carefully

      AI brings opportunities to enhance research and development, streamline operations and personalise patient care. However, integrating AI technologies also brings new cyber challenges. In the KPMG survey, 80 per cent of CEOs identified the potential for GenAI to disrupt current business models and create competitive advantage as a major impact. Realising it will require life science organisations to comply with evolving regulations and to invest in maintaining privacy controls and in tools such as data cloud platforms to control cybersecurity threats.²


      Data bias and inaccuracy – The reliance on AI and ML increases the risk of data bias, leading to inaccurate outcomes that can compromise research integrity and patient safety.

      Cybersecurity vulnerabilities – AI models can be susceptible to exploitation, poisoning of their training data and breaches of the data they hold or process. These vulnerabilities not only threaten the integrity of clinical data but also raise significant privacy concerns for patient information.

      Privacy concerns – AI's capability to process massive amounts of data, including protected health information (PHI), requires stringent controls to protect against unauthorised access and ensure compliance with privacy regulations such as the Health Insurance Portability and Accountability Act (HIPAA) in the US, the General Data Protection Regulation (GDPR) in Europe and the UK, the Privacy Act in Australia, and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada.

      Compliance with regulatory standards – Adapting to comply with standards such as the EU AI Act presents an opportunity to establish legal and ethical guidelines for deploying AI technologies in healthcare, enhancing trust and accountability.

      Enhanced cybersecurity through AI – Utilising AI for cybersecurity can lead to more sophisticated threat detection and response mechanisms. Real-time monitoring and automated threat intelligence can significantly improve an organisation's ability to pre-empt cyberattacks.

      Third-party cyber risk management – Automating vendor classification and processing unstructured data through AI can streamline third-party risk management, helping to ensure that partnerships and collaborations do not introduce vulnerabilities into the organisation's cyber defences.


      To address these risks adequately, life science organisations have channelled resources into developing the technological backbone for AI and ML initiatives. This investment includes enhancing cloud computing resources and high-performance computing capabilities. Concurrently, a shift towards partnerships and collaborations between industry groups, tech giants, academic circles and innovative startups is gaining momentum. Additionally, with growing awareness of the ethical implications of AI, some entities are proactively taking the lead on ethical AI frameworks. One example is the Trustworthy & Responsible AI Network (TRAIN), a consortium of healthcare organisations with Microsoft acting as its technology enabling partner. TRAIN is one of the first health AI networks aimed at operationalising responsible AI principles by developing and evaluating standards so that effective and responsible applications of AI are used in health.³

      Consideration 3: Make identity individual, not institutional

      As in other sectors, managing digital identities has become a critical component of cybersecurity strategies for life sciences organisations. These organisations also need to ensure transparency in handling individuals' health data, providing clear information on collection, usage and privacy policies. The increasing digitisation of patient records, research data and internal processes has made robust identity and access management (IAM) practices imperative.


      Individual ownership – The shift to individual ownership of identity introduces complexity in authentication and verification, making standardisation difficult. Similarly, ensuring data privacy is more challenging when individuals control their digital identities, raising concerns about personal data exposure and misuse.

      Myriad platforms – The variety of platforms and systems for managing identities poses a challenge to interoperability and standardisation across different services and institutions.

      Identity-focused attack surface management – Without a standardised approach to authentication, both the user experience and the security controls will suffer. Too many authentication methods lead to confusion, weaker security postures and increased susceptibility to attacks.

      Decentralised identity solutions – Implementing decentralised or self-sovereign identity solutions can reduce the burden of managing identities in-house while offering enhanced privacy and control over personal data for individuals.

      Automation and integration of ML/AI – Utilising ML and AI for identity management can streamline processes, reduce human error and provide advanced analytics for detecting anomalous access behaviour, significantly bolstering cybersecurity defences.

      Enhanced user experience – Single sign-on and integration with social authentication/logins can improve the existing user experience.


      Life science organisations are increasingly preparing strategies against data breaches stemming from inadequate identity and access management. They have also invested in advanced identity management solutions like multi-factor authentication (MFA) and single sign-on (SSO), alongside implementing employee training programs on secure identity management practices. The focus is also on establishing robust governance frameworks and adopting continuous monitoring solutions.
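The anomalous-access analytics and continuous monitoring mentioned above can start from simple, explainable rules before any ML model is introduced. The following is an added example written for this page, not code from KPMG or any vendor: it runs three such rules (a burst of failed logins, a success shortly after failures, a country change faster than plausible travel, and a first-seen device) over constructed authentication events. The log format, user names, countries, device identifiers and thresholds are all assumptions chosen for illustration.

```python
"""Rule-based detection of anomalous access behaviour over authentication events.

Added example for this page, not the article's own code. The log format below
is an assumed, simplified one: timestamp, user, result, source country, device.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (fictional users and devices, not real log data).
SAMPLE_LOG = """\
2024-05-01T08:00:00Z alice success SG laptop-a1
2024-05-01T08:05:00Z alice success SG laptop-a1
2024-05-01T08:20:00Z alice success DE laptop-a1
2024-05-01T09:00:00Z bob failure SG phone-b1
2024-05-01T09:00:20Z bob failure SG phone-b1
2024-05-01T09:00:40Z bob failure SG phone-b1
2024-05-01T09:01:00Z bob failure SG phone-b1
2024-05-01T09:01:20Z bob failure SG phone-b1
2024-05-01T09:01:40Z bob failure SG phone-b1
2024-05-01T09:03:00Z bob success SG phone-b1
2024-05-01T10:00:00Z carol success SG workstation-c1
2024-05-01T10:30:00Z carol success SG tablet-c9
"""


def parse_events(text):
    """Parse the assumed log format into dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, result, country, device = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "result": result, "country": country, "device": device,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_anomalies(events, fail_threshold=5, fail_window=timedelta(minutes=5),
                     travel_window=timedelta(hours=1)):
    """Return (user, alert_type, timestamp) tuples in event order.

    Rules (thresholds are illustrative assumptions):
      brute_force            - fail_threshold failures within fail_window
      success_after_failures - a success within fail_window of the last failure
      impossible_travel      - successes from two countries within travel_window
      new_device             - first success from a device not seen for this user
    """
    alerts = []
    failures = defaultdict(list)      # user -> recent failure timestamps
    last_success = {}                 # user -> (timestamp, country)
    known_devices = defaultdict(set)  # user -> devices seen on successful logins

    for e in events:
        u, ts = e["user"], e["ts"]
        if e["result"] != "success":
            # Keep only failures inside the sliding window, then add this one.
            failures[u] = [t for t in failures[u] if ts - t <= fail_window] + [ts]
            # Alert exactly when the threshold is crossed, not on every later failure.
            if len(failures[u]) == fail_threshold:
                alerts.append((u, "brute_force", ts))
            continue

        # A success shortly after a run of failures is the case worth a human look:
        # it may mean the guessing or stuffing attempt worked.
        if failures[u] and ts - failures[u][-1] <= fail_window:
            alerts.append((u, "success_after_failures", ts))
        failures[u] = []

        prev = last_success.get(u)
        if prev and prev[1] != e["country"] and ts - prev[0] <= travel_window:
            alerts.append((u, "impossible_travel", ts))

        if known_devices[u] and e["device"] not in known_devices[u]:
            alerts.append((u, "new_device", ts))
        known_devices[u].add(e["device"])
        last_success[u] = (ts, e["country"])

    return alerts


if __name__ == "__main__":
    for user, kind, ts in detect_anomalies(parse_events(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {user:6} {kind}")
```

On the constructed input this flags alice for a country change within 15 minutes, bob once for the failure burst and once for the success that follows it, and carol for a first-seen device; a user's first ever login produces no device alert because there is no baseline yet. In production the country would come from a geo-IP lookup on the source address, the thresholds would be tuned per population, and alerts would feed the same continuous monitoring pipeline as the rest of the IAM telemetry.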

      The imperatives to safeguard patient data, embrace AI responsibly and manage digital identities with precision and care are clear. By addressing challenges head-on, life science organisations can not only counter evolving cyber threats effectively but also pave the way for a future where innovation and security go hand in hand.

      Real-world cybersecurity in the life sciences sector

      A leading life science company specialising in biomedical research experienced a sophisticated cyberattack. Using a malware-laden email, attackers infiltrated the company's network in an attempt to compromise intellectual property and sensitive patient data.

      As soon as the incident was detected, the company activated its response team, which immediately began work to assess the severity of the breach, isolate affected systems and assemble critical information about the intrusion.

      The company's cybersecurity team simultaneously began analysing the malware and developed targeted countermeasures to neutralise its impact. This involved scanning all systems for signs of the same or similar malware and removing it before it could cause significant damage.

      The response team collaborated with an external cybersecurity firm focused on threat hunting and digital forensics. Using advanced AI-powered tools, the team identified the threat's origin, its mechanism and the data it was likely targeting. Critically, they were also able to deconstruct the malware code to predict its behaviour and isolate the servers it could reach.

      Meanwhile, the company’s public relations team worked on a communication plan to inform stakeholders, including affected patients, about the breach and the mitigation steps that were taken. The incident was reported to legal bodies and regulators to comply with data breach notification regulations.

      Following the episode, the company conducted a thorough review to extract any relevant lessons. They worked to address any identified gaps, install necessary patches, and update firewalls and intrusion detection systems. They also committed to regularly monitoring and auditing their overall cybersecurity policies.

      Key takeaways for life science cyber security professionals

      • Ensure robust cybersecurity measures are integrated into digital transformation initiatives, especially those involving cloud services, to mitigate data sovereignty and privacy risks.
      • Develop and implement stringent security protocols for AI and ML applications in clinical trials to protect against data breaches and ensure the integrity of research data.
      • Implement comprehensive security strategies for IoT devices to safeguard sensitive health information and ensure device integrity.
      • Consider advanced security services provided by cloud platforms to improve monitoring, alerting and cyber risk management.
      • Stay ahead of regulatory scrutiny by maintaining an up-to-date understanding of global regulations and ensuring compliance.

      How KPMG can help

      In addition to assessing cybersecurity programs and ensuring they align with business priorities, KPMG professionals can help life science organisations develop advanced digital solutions, advise on the implementation and monitoring of ongoing risks and help design appropriate responses to cyber incidents.

      KPMG professionals are adept at applying cutting-edge thinking to clients’ most pressing cybersecurity needs and developing custom strategies that are fit for purpose. With technology that is secure and trusted, KPMG professionals offer a broad array of solutions including cyber cloud assessments, privacy automation, third-party security optimisation, AI security, and managed detection and response.


      Our People

      Peter Liddell

      Principal Advisor, Head of Healthcare and Life Sciences, and Global Leader, Operations Centre of Excellence

      KPMG in Singapore

      Eddie Toh

      Partner, Cyber, Advisory and Head of Forensic Technology, Asia Pacific, Advisory

      KPMG in Singapore

