Industry Talk
Optimising Supply Chain Cyber Security is Critical to the UK Healthcare & Pharmaceutical Sector
The potential impact of cyber-attacks on the UK healthcare and pharmaceutical industry is front-of-mind for several reasons, starting with how critical these industries are to everyday life. First, the Intellectual Property (IP) at the operational epicentre of these businesses, collectively worth hundreds of billions in annual R&D investment, makes the pharmaceutical industry an increasingly attractive target for cyber threat actors. Second, UK-headquartered healthcare and pharmaceutical companies work with a myriad of third-party organisations, with business functions spread across different geographies, territories, and jurisdictions.
This ecosystem of third parties greatly widens the attack surface of healthcare and pharmaceutical firms, leaving them more exposed to threat actors seeking to access and exploit the valuable, sensitive patient information and clinical data found across the sector.
Cyber budgets are rising, but so is the frequency of cyber-attacks
The most significant cyber-risk challenge of all may be the ever-growing size and complexity of the industry’s supply chain ecosystems: the vendors, partners, suppliers, and other third parties these firms rely on for business continuity. More stakeholders, third-party providers, suppliers and affiliates mean greater reliance on digital technologies, processes, and behaviours. These factors are not only intensifying the existing cyber threats facing the UK’s healthcare and pharmaceutical firms, but introducing new attack vectors.
According to our recent Supply Chain Defence report, which analysed the cyber security issues that originate in the supply chains of UK healthcare and pharmaceutical companies, 98% of respondents have been negatively impacted by a cyber security event originating from third parties.
This is despite more money seemingly being allocated towards preventing such attacks. Nearly all (96%) respondents have reported increased budgets for third-party cyber risk management over the last 12 months.
Decision-makers therefore need to be looking at how they can strengthen cyber security, especially in their supply chains – and question why budget increases have not led to a reduction in cyber security incidents.
Industry supply-chain visibility a significant concern
For organisations in healthcare and pharmaceuticals, strengthening their third-party cyber security posture first depends on identifying the source of cyber security weaknesses within their supply chain ecosystems. With 96% of UK healthcare and pharmaceutical respondents stating they maintain supply chains with anything from 501 to 50,000 suppliers, visibility is key.
Startlingly, 44% of UK healthcare and pharmaceutical companies state they have no way of knowing when a cyber issue arises within one of their third parties, a worse lack of visibility than in any other sector surveyed in the research. One contributing factor may be that 30% of decision makers within the sector say third-party cyber security risk is not a business priority for their pharmaceutical/healthcare organisation.
The size of UK pharmaceutical and healthcare supply chains, coupled with the lack of visibility into any cyber security issues that may arise, highlights the magnitude of the problem facing the sector.
Decision makers should make supply chain cyber defence management an immediate strategic priority and proactively manage risk across their entire supply chain. Most respondents (66%) state they regularly monitor only between 501 and 1,000 suppliers, a small fraction of the potential size of their supply chain ecosystems.
Concerningly, 68% of UK pharmaceutical and healthcare respondents state they either rely on their third parties to ensure adequate internal security, or apprise their suppliers of any problems and hope they fix them.
Polarisation and prioritisation disparities demand attention
With these kinds of cyber risks remaining high for the UK’s healthcare and pharmaceutical sector, it’s clear that many organisations are not fully aware of the breadth, depth, and sophistication of these threats, and are not therefore sufficiently prepared to detect and respond to them.
This is reflected in the variety of approaches to monitoring supply chain cyber security in the UK pharmaceutical and healthcare sector. Whilst 22% say they don’t monitor any of their suppliers at all, 32% monitor all third parties in their supply chain for cyber security risk, and another 32% only monitor suppliers deemed critical.
Arguably, the prioritisation of strong cyber security within third-party supply chains will only increase with heightened awareness of the impact of successful cyber security incidents. As it stands, only 12% of those surveyed currently brief their senior management teams on the cyber security statuses of their suppliers weekly or more. This indicates that more needs to be done in making proactive supply chain cyber security a wider business priority for the C-suite and boards in pharmaceuticals and healthcare.
A unified vision will drive a secure future
UK pharmaceutical and healthcare respondents stated they are dealing with a multitude of issues when it comes to managing cyber security within their supply chain. These include:
- Understanding how to penalise suppliers when they don’t respond to, or fail to remediate, vulnerabilities and issues.
- Identifying blind spots where they do not currently have the resources and visibility to spot emerging risks.
- Struggling with an internal understanding across the business that third-party suppliers are part of the organisation’s overall security posture.
It’s clear that many UK pharmaceutical and healthcare businesses urgently need to refine their strategic focus and cohesion when it comes to supply chain cyber security. This means increasing the strength, breadth, depth, frequency, and thoroughness of risk assessments, monitoring, and reporting throughout their supply chains.
Going forward, this will be critical for organisations who wish to proactively and sufficiently protect IP and operational integrity.
This requires a thorough assessment of their existing resilience capabilities and the identification of areas for immediate improvement. This will help organisations identify specific weak links and determine how best to strengthen them.
Frameworks such as ISO/IEC 27001, the NIST Cybersecurity Framework 2.0, and the CIS Critical Security Controls (v8, 18 controls) will also help in enhancing the security posture of both the company’s own business and those within its supply chain ecosystem, providing guidance for structured cyber security assessment, management, and compliance.
For UK pharmaceutical and healthcare organisations, making supply chain cyber defence a strategic priority is going to be key – not only to the intrinsic security of the sector, but its overall standing, sustainability, and profitability.