Intellectual property (IP) is one of the crown jewel asset classes belonging to pharmaceutical companies. Threat actors prize pharma IP because of its high perceived value, and they are willing to deploy a diverse range of tools and techniques to infiltrate pharma networks and exfiltrate sensitive data.
Companies across the pharmaceutical industry store a variety of proprietary data, from trade secrets related to formulas for drugs or vaccines to patents and industrial designs. IP protection is pivotal in mitigating the enormous financial, legal, reputational, and even existential risks stemming from cyber attacks that result in a breach of this sensitive class of information. Keep reading for some actionable tips in better protecting pharmaceutical intellectual property.
What Are the Incentives to Breach or Steal Pharma IP?
There are manifold ways to breach networks, infrastructure, devices, apps, and other health care systems and access intellectual property. But what are the incentives at play here for threat actors?
- The first and most obvious motivation is profit in an industry projected to grow from $1.23 trillion in 2019 to $2.15 trillion by 2027. Threat actors that exfiltrate IP associated with an innovative new drug, for example, can hold pharma companies to ransom and extort large payments. An alternative way to profit is to make this information available for sale on shady dark web marketplaces.
- Nation-state-sponsored actors focus their efforts on disrupting rival or competing economies, and one way to do this is through exfiltrating valuable pharma IP and using this stolen information for their own gain. Developing countries with limited economic growth may also employ state-sponsored hackers to steal IP and help advance their own pharmaceutical industries, which often lag behind in the developing world.
- Insider threats are another class of threat to the security of pharmaceutical patents and other IP. Profit is a potential motive for both outsiders and insiders, but there is also the possibility of disgruntled insiders disclosing this confidential information with the sole intention of causing harm to their employer.
A Note on Patents and Data Exclusivity
Multinational drug companies spend millions of dollars on R&D for new medicines and new pharmaceutical products. Patents are the main type of intellectual property that incentivize continued R&D, help generate revenue to recoup investments, and protect against infringement. Consider a company like Pfizer (a biotech and pharma company), which currently has 746 international patent rights that provide market exclusivity for a typical fixed patent term of 20 years.
Aside from intellectual property rights, there are also data exclusivity rights protecting data from clinical trials. Inventors get exclusive rights over clinical trial data to prevent companies from using this data to create generic versions of new products.
Regulators like the FDA in the US provide data exclusivity rights, while patent law is enforced by a separate regulatory agency, such as the Patent and Trademark Office (“PTO”). A similar patent system is public policy in many other nations and jurisdictions. Interestingly, delays in regulatory approval can shorten the useful life of a patent.
The World Trade Organization (WTO) confers additional IP rights to inventors under the Trade-Related Aspects of Intellectual Property Rights (TRIPS) agreement. The WTO TRIPS agreement covers copyrights, designs, and trade secrets. The TRPS agreement also mentions that patents shall be available for any inventions if they are novel, involve an inventive step, and have an industrial application.
From a cybersecurity perspective, these details have important ramifications. Because patents are publicly available information, there is less need to safeguard already-registered patents. However, there is a delicate dance in patent protection because disclosing details about an invention (or having those details compromised) before filing a patent application can cause havoc for pharma companies, so patent protection for prospective new medicines and products needs to be a part of IP protection in pharma.
Actionable Tips to Protect Intellectual Property in Pharma
With a 2021 report finding that 98% of pharmaceutical firms experienced at least one intrusion and 28% lost business-critical data or IP, it’s clear there’s a need to step up security measures. Here are seven actionable tips for improving intellectual property protection and maintaining exclusivity over the ownership of this information.
Discover and Map IP Assets
Within the complex digital ecosystem that pharma companies operate, there is a pressing need to discover and map IP assets, which includes confidential information related to patents for new inventions and any other sources of IP in computer systems, such as trade secrets about medicinal products, medical devices, or industrial processes.
This IP asset inventory provides the bedrock for implementing other important security measures because you can’t protect what you can’t see. Furthermore, There are automated data discovery solutions available, but the task will likely involve manual efforts to locate data, including surveying employees. Discovery and mapping should cover databases, e-mail messages, PDFs and other electronic documents found on removable media, workstations, cloud infrastructure, on-premise servers, and operational technology (OT) devices.
Strictly Control IP Access
A cornerstone element in sensitive data protection is strictly controlling who has access to certain categories of information. The discovery and mapping stage informs you with an accurate inventory of what IP assets you have and where they are located.
Encrypting digital IP stored (at rest) and in motion protects its confidentiality so that it’s not accessible in plain text form. It’s also critical to securely manage personnel access to IP using the principle of least privileges so that users only get access to resources necessary for their work tasks. Over-privileged access can result in breaches of sensitive data assets when threat actors compromise or insiders abuse user accounts that didn’t need access to those assets in the first place.
Segment the Network
Network segmentation can also prove to be a useful tool in protecting IP in the pharmaceutical industry. This segmentation splits up the network into smaller subnets in which systems containing the most sensitive assets can be isolated in segments away from systems that have a larger attack surface due to their exposure to the Internet or other risky points of entry.
This segmentation becomes even more important when you factor in the increased convergence between IT and OT systems. From monitoring lab equipment to building automation systems, biopharmaceutical and other pharma businesses see enormous benefits from industrial IoT (IIoT) devices.
However, the closer convergence of IT and OT presents cyber threats from unsecured devices providing another attack vector to target IP. Segmentation can involve an industrial demilitarized zone (iDMZ) to strictly control traffic between IT and OT layers.
Use Non-Disclosure and Confidentiality Agreements
In pharma, there is a complex interplay of relationships with third parties including contractors, vendors, business partners, consultants, logistics companies, university research departments, and more. Pharma businesses rely on this network for both their strategic and operational goals.
Since third parties invariably get exposed to some categories of IP, such as trade secrets, confidentiality and non-disclosure agreements (NDAs) have a key role to play. These agreements set out in clear legal terms the obligation to avoid disclosing or using confidential information in any way other than specified in the contract. It’s important to include provisions in the contract for the need to indefinitely maintain confidentiality over IP.
Address the Human Factor
Any discussion about cybersecurity and data protection can’t overlook the human factor. It remains true that human error is the cause of many security incidents leading to data breaches. Reinforcing this message is the fact that phishing was the second most common intrusion path into pharmaceutical networks in 2021.
Effective training educates employees in the fundamentals of cybersecurity, including recognizing phishing emails and other popular social engineering scams. Training should also cover how to securely connect to corporate resources from remote environments.
Mistakes are one piece of the human factor, but intentional compromise is another that you can’t neglect. Confidentiality agreements or NDAs for employees at pharma companies can somewhat combat insider threats to IP. Employees with access to trade secrets and other IP assets are far less likely to disclose information when bounded by an agreement that carries significant legal and financial consequences.
Advanced Threat Detection
Keeping malicious actors out is ideal, but there needs to be technologies and processes in place that can detect in-progress threats based on indicators of suspicious activity. Ideally, advanced threat detection solutions can monitor your network for both behavior-based anomalies and breaches of traditional signature-based rules.
The red flags you want to get notified about and act on rapidly could include making configuration changes, unexpected downloads, remote access outside the normal IP address range, and more. Acting fast in response to ongoing threats can help to protect your IP, but you’ve got to detect the threat first.
Use a Data Loss Prevention Solution
Data loss prevention (DLP) solutions provide robust functionalities to help safeguard pharmaceutical intellectual property. These technologies can block the transfer of data from endpoint devices to removable drives, block file transfers, and even help discover data.
With printing, copying, and downloading information on endpoint devices representing some of the biggest risks to IP confidentiality, DLP technologies can stop these activities in their tracks or prevent them outright.
Endpoint Protector comes with full-suite DLP capabilities for protecting pharma IP. Features include content-aware protection that prevents data leakage through all possible exit points, eDiscovery to scan and identify IP at the endpoint level, and full device control to lockdown, control, and monitor USB and peripheral ports.
Frequently Asked Questions
Intellectual property (IP) is a type of intangible asset that is the product of the human mind and has legal protection against unauthorized use. The main incentive for providing IP rights to individuals and businesses is to encourage innovation and creativity by protecting intellectually-derived stores of value.
The four main types of intellectual property are:
1. Patents that provide exclusive rights over inventions that are novel, have patentable subject matter, involve an inventive step, and have an industrial application.
2. Trademarks are distinctly recognizable signs, designs, or expressions that identify the products or services of a particular source company, individual, or other legal entity and cannot be used by other sources.
3. Copyrights provide exclusive legal ownership rights over the reproduction, publishing, sale, performance, and distribution of creative works, including books, music, photographs, and movies.
4. Trade secrets are stores of knowledge that provide an economic or competitive advantage to owners because the information is generally not known or easily discoverable.
Explore More on Data Loss Prevention
Interested in diving deeper into the world of Data Loss Prevention? Check out these hand-picked resources to expand your knowledge:
Download our free ebook on
Data Loss Prevention Best Practices
Helping IT Managers, IT Administrators and data security staff understand the concept and purpose of DLP and how to easily implement it.