Pharma is hiding data breaches, claims UK survey

The real extent of the pharma industry's problem with data breaches has been revealed by a survey which suggests a quarter of IT workers in the industry are keeping them quiet.

The results of the Crown Records Management (CRM) survey, undertaken by Censuswide, come just weeks after US pharma giant Merck & Co revealed it had fallen victim to the Petya ransomware attack.

The new survey polled 408 IT decision-makers in companies of between 100 and 1,000 employees across the country, and provided some shocking results which suggest many of the UK's data breaches are going unreported.

CRM notes that it is absolutely vital that businesses tackle this culture of secrecy because in future unprotected data loss will simply not be acceptable - and should not be acceptable now.

Some of the statistics for the pharmaceutical sector are below, with mixed results:

  • 23 per cent have chosen not to report a breach to more senior management or the appropriate authorities;

  • 15 per cent don’t know who to report a breach to – only the retail sector polled worse;

  • 23 per cent know somebody in their company who hasn’t reported a data breach; and

  • On the plus side, nobody polled was unaware of what constituted a data breach - better than the national average of 8 per cent.

Another CRM survey conducted in 2015 revealed the sector is frequently targeted, with nearly two-thirds of pharma companies reporting serious data breaches and a quarter saying they had been hacked.

It’s not a problem confined to pharma of course; another survey reported earlier this month by ControlScan found that 62 per cent of organizations across the private and public sectors were unable to detect and respond to cybersecurity threats effectively, with half failing to employ people with the skills to tackle the problem.

"Whilst the pharmaceutical sector is doing better than most when it comes to understanding what entails a data breach, there is still a long way to go," said Dominic Johnstone, head of information management at CRM. "The frequency of data breaches that go unreported is especially worrying in a sector such as pharma, which handles large quantities of sensitive data."

It's a risky approach too, as companies that suffer breaches face potential fines as well as loss of reputation.

New legislation, such as the UK Data Bill and the forthcoming EU General Data Protection Regulation, due to come into force in May 2018, includes measures to tackle data breaches. The latter will bring in huge fines for businesses which suffer breaches as a result of poor compliance. It also sets a strict timeframe for the reporting of breaches – with fines for those who do not meet it.

"Some of these statistics really are shocking and suggest that data breaches may be far more common and more widespread than many people realise. These results also indicate a culture inside many companies that the best response to a breach is to ignore it or keep it quiet," says Johnstone.

"Perhaps this comes from a fear of the loss of reputation which can be experienced when breaches are publicised. Or perhaps it is simply down to lack of clear procedures and information management in the business. Either way, the implications are serious, and the fact still remains that data breaches must legally be reported within 72 hours."

He said it is vital that companies have an effective data protection and information management programme in place, with the individuals responsible for reporting breaches - and to whom - clearly identified.

"Until businesses grasp how much a breach can cost them - both financially and in terms of reputation - this problem is not going to go away," concludes Johnstone.
