Cyber in Life Sciences
Caroline Rivett and Stan Gallo
7 March 2018
How good security can enable better healthcare
2© 2018 KPMG, an Australian partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International. Liability limited by a scheme approved under Professional Standards Legislation.
Presenters

Caroline Rivett, Global Cyber Security Leader, Life Sciences
Caroline is KPMG’s Global Cyber Security Leader for Life Sciences. She has over 20 years’ experience of managing and reviewing technology and risk. Over the last five years she has specialised in privacy and the security of personal medical information. Caroline is the KPMG account lead for cybersecurity and privacy for a number of global pharmaceutical companies. She is a regular conference speaker and media commentator on information protection in digital health. Caroline was previously Chair of the Audit Committee in the NHS for eight years, as well as co-founding, running and selling a start-up company which analysed medical records for life insurers.

Stan Gallo, Partner, KPMG Forensics
Stan is a Partner in KPMG Australia’s Forensics Practice and a former Queensland detective with over 25 years in combined law enforcement and professional forensic services environments. He is also the Australian leader for Forensic Technology and Cyber Incident Response Services. Stan is a strategic risk management specialist who combines traditional investigative skills with unique insights and expertise to assist organisations with cybercrime, technology, fraud, financial crime, misconduct and associated risk issues across all economic sectors.

Host/Facilitator

Hans Verheul, National Sector Leader, Life Sciences, KPMG Australia
Hans leads KPMG’s Life Sciences practice in Australia. He has over 20 years’ experience in Life Sciences, working in Fortune 500 companies in the biotechnology, healthcare and pharmaceutical sectors across finance, sales and marketing and general management roles. Hans specialises in business transformation, designing innovative and transformational solutions that greatly enhance the strategic capabilities of organisations and deliver competitive advantage in fast-changing external healthcare environments.
A Patient’s Digital Journey

Stages: Pre-diagnosis, Diagnosis, Treatment, Monitoring, Remission

— Following patients using electronic medical records longitudinally
— Analysis and comparison of similar patients (structured and unstructured data)
— Real world evidence from wearables

Artificial intelligence in clinical research
— Predictive analytics, identifying those at risk from disease
— Personalised medicine, based on genotype analysis

Social platforms
— Patient symptom query
— Patient obtaining support from other similar people
— Pharmaceutical company working with social platform provider

Consumer genetics
— Consumers analysing (parts of) their own genome

Medical devices, mobile health
— Bringing treatment to the patients, rather than patients to the treatment
— Increasing importance of patient-relevant outcomes from wearable device data

Electronic medical records, telehealth
— Predictive analytics for re-infection
— Real world evidence from wearables

Health-based social platforms
— Patients discuss their experience with treatments, providers and payers

Telehealth, wearables, sensors and apps
— Staying connected to the patient outside the healthcare providers’ office
— Real world evidence from wearables
— Clinicians, CROs and pharmaceutical companies monitor effectiveness
Digital Health Ecosystem
https://home.kpmg.com/xx/en/home/insights/2018/01/life-sciences-digital-transformation-is-inevitable.html
Figure 2: Life sciences ecosystem
Source: KPMG in Germany, 2017
[Figure: ecosystem diagram with the patient at the centre. Participants shown: pharmaceutical / MedTech companies, hospitals / nursing homes, established doctors, therapeutic centres, rehab centres, pharmacies and pharmacy managers, insurers, government, the European Medicines Agency, the US Food & Drugs Administration, universities / academia, contract research organizations, distributors / wholesalers, business process outsourcing (BPO) service providers, health data clearance and other parties. Themes shown: pay for performance, supply chain & serialisation, personalised health monitoring, sensor health monitoring, educational platforms, electronic health records, data & analytics in R&D trial management, manufacturing, cyber security, cloud computing and intelligent automation.]
Who would target you and why?
Likely source of cyber-attack for US pharma (2017)
— Nation-states 53%
— Individual hackers 49%
— Hacktivists 47%
— Insider threats 44%
What are we trying to prevent?
US pharmaceutical assets perceived as vulnerable (2017)
[Chart: asset categories shown are employee information, patient information, intellectual property, financial information, supply chain, internal controls and clinical research (49%). The remaining values shown on the chart are 47%, 82%, 79%, 24%, 41% and 28%.]
Consolidating for Competitive Advantage: cyber-risks uncovered
— Insufficient access controls 50%
— Cyber-security policy, procedure, and control misalignment 46%
— Inability to detect cyber incidents 35%
— Poor oversight of trusted third parties 31%
— Limited/disjointed governance across operations 27%

[Chart: "Completed a merger or acquisition in the past year" (Yes / No, split by biotech/pharma and medical device maker) and "Deal entailed a technology integration". Values shown: 40%, 38%, 61%, No 37%.]

Source: 2017 KPMG/Forbes Insights Cyber-Security Survey
From ‘Life Sciences innovation and cyber security: Inseparable’
Sharing and Analysing Data

Organizations are sharing sensitive and confidential information with:
— Clinical research partners (e.g., universities) 77%
— Contract manufacturers 51%
— Marketing/detailing organizations 45%
— Contract sales people 30%
— Staffing agencies/contractors 24%
— Business process outsourcers 10%

Outlook on data security profile in light of recent data breaches
[Chart: categories More secure, About the same, Less secure; values shown 57%, 31%, 12%.]

Impact of the Cloud
— Improved our security profile 76%
— Increased risk 40%

From ‘Life Sciences innovation and cyber security: Inseparable’
Examples of malware attacks
Asia Pacific region: what we are seeing locally
— Theft of IP (chemical compounds)
— Losses: revenue, reputation and research
— Privacy changes: mandatory disclosure
— Impersonation & social engineering
West Australian – 2 Feb 2018
How is ransomware typically spread?
So what systems are vulnerable?
How to defend/protect?
Our approach to building incident management

Our approach covers all dimensions of building an incident management capability:
— People
— Process
— Technology

Building an incident management capability: phases Plan, Design, Implement, Sustain

Plan
— Business case / justification development
— Threat profile analysis
— Incident management definition & vision
— Capability rationalization / requirements development
— Use case prioritization

Design
— IR use case & playbook development
— Design architecture/solution for automation & orchestration
— Detailed implementation plan
— Workflow/process definitions
— Existing capabilities alignment
— Alignment to other security functions
— Technology / vendor selections

Implement
— Test and build incident workflows
— Stakeholder workshops: evaluate implemented use cases
— Implement supporting components
— Develop integrations & orchestration
— Launch initial capability
— Train and educate teams

Sustain
— Determine and report metrics/KPIs
— Continuous improvement
— Perform table-top & red team exercises

Across all phases
— Behavioural change management
— Program and project management
Our cyber security services: what can we do to help our life sciences clients?

Cyber services (pre-breach and post-breach)

Strategy and governance
Help clients understand how to align cyber security with their business and compliance priorities.

Transformation
Help clients build and improve their processes, with the right organization and technology, to improve their cyber security.

Cyber defense
Help clients maintain cyber security as their business and technology evolve by providing greater visibility of changing risks.

Cyber response
Help clients effectively and efficiently respond to cyber incidents and conduct forensic analysis.

KPMG Cyber sees the world from the client’s perspective, bringing a business context to cybersecurity for all levels of the organization, from the boardroom to the back office. It helps organizations transform their security function into business-enabling platforms so they can understand, prioritize, and manage their cybersecurity risks, take control of uncertainty, increase agility, and convert risk into advantage.
Thank you
kpmg.com.au
The information contained in this document is of a general nature and is not intended to address the objectives, financial situation or needs of any particular individual or entity. It is provided for information purposes only and does not constitute, nor should it be regarded in any manner whatsoever, as advice and is not intended to influence a person in making a decision, including, if applicable, in relation to any financial product or an interest in a financial product. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
To the extent permissible by law, KPMG and its associated entities shall not be liable for any errors, omissions, defects or misrepresentations in the information or for any loss or damage suffered by persons who use or rely on such information (including for reasons of negligence, negligent misstatement or otherwise).