How often do pharma and healthcare companies change their vendors or digital agencies – once every two or three years? What criteria do they use when making their choice?
As cybercrime grows ever more sophisticated and constantly sharpens its claws, companies must protect themselves more actively. Here we look at ways to avoid the traps of the security minefield.
To begin with, in an age when digitalization is a necessity rather than something “nice to have”, IT agencies offer pharma companies plenty of tools and software systems. A customer picks one, and the new tool begins its life within the organization, at least for the duration of the pilot. So what do its first steps look like? Everything starts with a series of demos for decision makers, after which the tool is reviewed by the procurement and IT departments. The list could be much longer, but on average that is the scheme. The standard procedure also often involves a questionnaire for the vendor, including a question about whether it holds an ISO/IEC 27001 certificate (certification is granted against ISO 27001, not the ISO 27000 family as a whole). Sometimes a vendor answers “yes, we have this certificate” while it is still in the process of obtaining it, and nobody guarantees that it will actually get it. What do you think happens then?
Next, consider what the cyber security expert Vlad Styran says: “most specialists are not only aware of various international and industrial standards, but they also think that there is a magical power behind the abbreviations ISO 27001, PCI DSS, HIPAA and GDPR. They believe that these standards somehow affect security requirements, which, in turn, companies use for their systems and processes. In fact, this is not the case.” As an illustration, in a HIMSS survey, 71% of healthcare organizations said they budget for cyber security, and 60% said they allot 3% or more of their overall budget to breach prevention and related activities. Although frameworks can help an organization spend its funds efficiently, it is the budget that actually drives the development of its security systems.
Last but not least, we should also be concerned about compliance. As a rule, a company follows its compliance procedure by sending a document, questionnaire or form to the prospective vendor in order to assess the risks the vendor brings. Compliance evidence such as a PCI DSS attestation, an ISO 27001 certificate or a GDPR compliance statement is indispensable to managers who are responsible for IT security and for executing the compliance procedures, and following those procedures helps them avoid serious administrative liability in the event of a security incident. However, what if the questionnaire is sent out in a format where the “right” answers are visible to the vendor, so that it simply ticks them and lands in the organization’s “green zone”? Compliance is of the utmost importance, but we should not forget who and what it is intended for; otherwise, we risk being eaten alive in the wild Jumanji forest of cyber security.
We want to hear from you – which cyber security processes have you already launched in your company? Which cyber security challenges do you see in the future? We also offer you a complimentary cyber security consultation with one of our cybersecurity experts. Drop us a line at firstname.lastname@example.org and let’s get in touch.