Cybersecurity considerations: Life science sector insights

Embracing AI to improve health and drive innovation whilst protecting data


With greater digitalization, life science and healthcare are growing strategically closer: data is being transferred and shared between organizations and people, and there is increased personalization of both therapies and medicine. However, life science organizations are grappling with ever-expanding cyber threats which impact systems availability, data integrity and confidentiality of information.

Healthcare and life science ecosystems involve numerous third parties and joint ventures with stringent compliance requirements across geographical jurisdictions. At the core of healthcare and life science resides a fragile circle of trust between patients, clinicians, hospitals, researchers and life science organizations, within which companies must work to ensure shared data remains uncorrupted while maintaining integrity and accessibility. While collaboration brings valuable knowledge to the table, it also complicates the value chain. Based on the KPMG CEO Outlook report 2024, 84 percent of CEOs surveyed identified regulatory demands as a major hurdle for their organizations over the next three years. Life science organizations are required to comply with the evolving rules around drug discovery, clinical trials, manufacturing, and distribution across different geographies. This complexity can extend development timelines and increase costs.[1]

Artificial intelligence (AI) and machine learning (ML) have become integral to life sciences, especially in research. The impact of AI/ML will be transformative in the near future, enabling a significantly greater volume of research and a faster velocity of developing medicines and therapies: this is likely to drive down the economic cost of medicines and therapies. These tools will be used not only in research but also in clinical trials, production, and core technology processes such as security and privacy. AI/ML is, therefore, integral to the strategic future of life sciences in general and to protect the intellectual property and personal data upon which the value of organizations in this sector is built. 


At the enterprise level, cybersecurity leaders in life sciences are aligning team priorities with their organization’s values and strategies. As both the value and liability of data become more strategically important, organizations will need to be diligent about evolving data practices and about compliance with multiple global regulations and reporting requirements. As such, CISOs will need to inspire other areas of the company to infuse security into their work, in order to protect intellectual property and organizational operations and to maintain trust over personal data. A core feature of this continuum is managing identity effectively and efficiently across multiple domains. As people gain greater control over their digital identities, these should become portable and not tied to an individual organization.

About these insights

The insights that follow originate from the KPMG Cybersecurity considerations 2024 report and have been adapted to provide a life science sector perspective for Chief Technology and Information Officers and their teams to consider in supporting their organizations’ objectives and to help mitigate the impact of specific cyber incidents and reduce overall cyber risk exposure. This report also considers some of the core cyber challenges for life science organizations on the cusp of the AI / ML transformation, including customer expectations, harnessing the power of AI and managing digital identities.

Consideration 1: Meet customer expectations, improve trust

Today, life sciences organizations are increasingly expected to deliver innovative, secure and privacy-compliant solutions. The digitization of health records, the adoption of cloud services for data management, and the personalized approach to patient care are reshaping what customers expect from healthcare providers and pharmaceutical companies.

Life science organizations face the dual task of innovating securely while meeting or exceeding regulatory and customer expectations for privacy and data protection. So, they are proactively enhancing their regulatory compliance and cybersecurity frameworks. This includes the adoption of secure data storage and transfer protocols, alongside ensuring the transparency of AI/ML algorithms. 

Consideration 2: Unlock the potential of AI — carefully

AI brings opportunities to enhance research and development, streamline operations and personalize patient care. However, the integration of AI technologies also brings new cyber challenges. Based on the KPMG survey, 80 percent of CEOs highlighted, as a major impact, the potential for GenAI to disrupt the current business model and create a competitive advantage for companies. It will require life science organizations to comply with the evolving regulations and make investments to maintain privacy controls and implement tools such as data cloud to control cybersecurity threats.[2]

To adequately address risks, life science organizations have channeled resources into developing the technological backbone for AI and ML initiatives. This investment includes enhancing cloud computing resources and high-performance computing capabilities. Concurrently, a shift towards partnerships and collaborations between industry groups, tech giants, academic circles and innovative startups is gaining momentum. Additionally, with a growing awareness of the ethical implications of AI, some entities are also proactively taking the lead on ethical AI frameworks. An example of this is the Trustworthy & Responsible AI Network (TRAIN), a consortium of healthcare organizations that has Microsoft acting as its technology enabling partner. TRAIN is one of the first health AI networks aimed at operationalizing responsible AI principles by developing and evaluating standards so that effective and responsible applications of AI are used in health.[3]

Consideration 3: Make identity individual, not institutional

As in other sectors, managing digital identities has become a critical component of cybersecurity strategies for life sciences organizations. These organizations also need to ensure transparency in handling individuals' health data, providing clear information on collection, usage and privacy policies. The increasing digitization of patient records, research data and internal processes has made robust identity and access management (IAM) practices imperative.

Life science organizations are increasingly preparing strategies against data breaches stemming from inadequate identity and access management. They have also invested in advanced identity management solutions like multi-factor authentication (MFA) and single sign-on (SSO), alongside implementing employee training programs on secure identity management practices. The focus is also on establishing robust governance frameworks and adopting continuous monitoring solutions.

The imperatives to safeguard patient data, embrace AI responsibly and manage digital identities with precision and care are clear. By addressing challenges head-on, life science organizations can not only counter evolving cyber threats effectively but also pave the way for a future where innovation and security go hand in hand.


Real-world cybersecurity in the life sciences sector

A leading life science company specializing in biomedical research experienced a sophisticated cybersecurity attack. Employing a malware-infected email, attackers infiltrated the company's network in an attempt to compromise intellectual property and sensitive patient data.

As soon as the incident was detected, the company activated its response team, which immediately began work to assess the severity of the breach, isolate affected systems and assemble critical information about the intrusion.

The company's cybersecurity team simultaneously initiated an analysis of the malware and developed targeted countermeasures to neutralize the impact. This involved scanning all systems for signs of similar malware and removing them before they could cause significant damage.

The response team collaborated with an external cybersecurity firm focused on threat hunting and digital forensics. Using advanced AI-powered tools, the team was able to identify the threat origin, mechanism and potential targeted data. Critically, they were also able to deconstruct the malware code to predict its behaviors and isolate vulnerable servers.

Meanwhile, the company’s public relations team worked on a communication plan to inform stakeholders, including affected patients, about the breach and the mitigation steps that were taken. The incident was reported to legal bodies and regulators to comply with data breach notification regulations.

Following the episode, the company conducted a thorough review to extract any relevant lessons. They worked to address any identified gaps, install necessary patches, and update firewalls and intrusion detection systems. They also committed to regularly monitoring and auditing their overall cybersecurity policies.


Key takeaways for life science cyber security professionals

• Ensure robust cybersecurity measures are integrated into digital transformation initiatives, especially those involving cloud services, to mitigate data sovereignty and privacy risks.
• Develop and implement stringent security protocols for AI and ML applications in clinical trials to protect against data breaches and ensure the integrity of research data.
• Implement comprehensive security strategies for IoT devices to safeguard sensitive health information and ensure device integrity.
• Consider advanced security services provided by cloud platforms to improve monitoring, alerting and cyber risk management.
• Stay ahead of regulatory scrutiny by maintaining an up-to-date understanding of global regulations and ensuring compliance.

How KPMG can help

In addition to assessing cybersecurity programs and ensuring they align with business priorities, KPMG professionals can help life science organizations develop advanced digital solutions, advise on the implementation and monitoring of ongoing risks and help design appropriate responses to cyber incidents.

KPMG professionals are adept at applying cutting-edge thinking to clients’ most pressing cybersecurity needs and developing custom strategies that are fit for purpose. With technology that is secure and trusted, KPMG professionals offer a broad array of solutions including cyber cloud assessments, privacy automation, third-party security optimization, AI security, and managed detection and response.

Contact us

Caroline Rivett, Global Cyber Security Life Sciences Leader and Associate Partner, KPMG in the UK