The short version: Life sciences organizations hold some of the most valuable data in the world—patient records, genetic data, trade secrets, and research—which makes them prime targets for cybercriminals. The Center for Internet Security (CIS) Critical Security Controls (CIS18) give you a prioritized framework to defend that data. Starting with Implementation Group 1 (IG1) establishes essential cybersecurity hygiene, mitigates the majority of common attacks, and demonstrates security maturity to investors and partners.
Significant security breaches in the life sciences industry underscore the need for robust cybersecurity measures. Implementing CIS Critical Security Controls strengthens your cybersecurity posture and helps prevent breaches.
The Center for Internet Security (CIS) developed 18 Critical Security Controls (CIS Controls, also known as CIS18) to provide a comprehensive framework for securing digital assets and data. There are three Implementation Groups (IGs): IG1 is the baseline and focuses on basic cybersecurity hygiene, while IG2 and IG3 help you evolve your organization’s cybersecurity maturity.
| IG1 | IG2 | IG3 |
|---|---|---|
| 56 safeguards. Basic cybersecurity hygiene; a minimum standard of information security for life sciences organizations, IG1 helps those with limited cybersecurity resources to thwart general and non-targeted attacks. | 130 safeguards. For enterprises that manage the IT infrastructure of multiple departments with differing risk profiles, IG2 helps them cope with increased operational efficiency. | 153 safeguards. For enterprises with dedicated IT security experts for aspects like risk assessment, penetration testing, and application security, IG3 helps them prevent or mitigate attacks against sensitive and confidential information. |
This blog will describe how IG1 (basic cybersecurity hygiene, remember) mitigates 79% of malware in the MITRE ATT&CK techniques and 100% of the insider privilege and misuse techniques.
Significant Security Breaches in the Life Sciences Industry
In January 2023, ZOLL Medical reported a cybersecurity incident in which hackers obtained personal data on more than 1 million current and former patients who use the ZOLL LifeVest, a wearable cardioverter defibrillator. The company evaluated and augmented its security measures to prevent similar incidents in the future.
In April 2023, German biotech company Evotec experienced a cyberattack that forced the company to shut down its network to mitigate the impact. The attack caused significant disruption, and the company had to notify relevant authorities while conducting a forensic examination to understand the extent of the breach. The company recovered from the cybersecurity attack and shared solutions.
In April 2023, New York-based biotech company Enzo Biochem suffered a ransomware attack that compromised test data and personal information for nearly 2.5 million individuals. The stolen data included names, test data, and 600,000 social security numbers.
The WorldMetrics Report 2024 states that:
- 85% of biotech companies consider third-party vendors a significant cybersecurity risk
- The biotech industry spends an average of 12% of their IT budget on cybersecurity
- 50% of biotech companies have experienced a cybersecurity attack in the last year
Why Do Cybercriminals Target Biotech, Pharma, and MedDev Companies?
Among the most valuable data in the world is medical, personal, proprietary, and research-related data. Cybercriminals target this data for:
- Personally Identifiable Information (PII): Names, social security numbers, dates of birth, and addresses can be used for identity theft.
- Medical Records: Sensitive patient information can be used for medical identity theft or ransomware attacks.
- Genetic Information: Sophisticated medicines developed with this information represent valuable intellectual property.
- Trade Secrets: Confidential business information can be sold to rivals to give them a competitive edge.
- Research & Development: Details about a company’s new treatments or cures can be sold or released to inhibit the company's progress.
Protecting this data isn't only a security concern—it is foundational to data integrity across GxP systems, where the trustworthiness of your records depends on controlling who can access and alter them.
Common Cybersecurity Risks for Life Sciences Companies
Cybersecurity risks in life sciences include:
- Phishing. A social engineering scam where the attacker attempts to trick an employee into giving up private information like login credentials. Depending on the victims’ credentials, attackers can gain access to sensitive data.
- Ransomware. Malware that encrypts the victim’s files and demands a ransom be paid before the attacker decrypts them. If the ransom is not paid, the attacker may threaten to release the encrypted files publicly, sell them to other criminals, or destroy the data completely.
- Denial-of-Service. An attack that makes a website or online service unavailable to users. The attacker floods the target with traffic from multiple computers or devices. Criminals attacking life sciences companies can shut down important portals for suppliers, patients, or customers and jeopardize critical business and medical processes.
These risks are heightened by complex supply chains in the life sciences industry, which involve third-party vendor vulnerabilities. Managing those exposures calls for a deliberate program of third-party risk management that evaluates vendors before and throughout the relationship.
Risks are made worse by internal cybersecurity challenges and shortcomings. For example:
- Lack of Cybersecurity Awareness and Training: Employees may not recognize or know how to defend against cybersecurity threats.
- Insufficient Resources: Budgets for cybersecurity talent and technologies are limited.
- Outdated Systems: Inherent security flaws make life sciences organizations vulnerable to attacks.
- Poorly Defined Strategic Plans: Resources are not allocated effectively for cybersecurity measures.
Security and compliance are two sides of the same coin. In regulated environments, the same controls that keep attackers out also help you keep validated systems in a state of control. Pairing CIS18 hygiene with practices like Computer Software Assurance (CSA) and ongoing cloud assurance turns one-time security projects into a continuous, audit-ready posture.
What’s the Solution for Cybersecurity Challenges?
Investors and partners consider cybersecurity a critical factor in their investment decisions and often require proof of compliance with basic cybersecurity standards. For example, CIS18 IG1 meets compliance standards and demonstrates your commitment to robust cybersecurity practices. This assurance helps build trust with investors and partners, fosters stronger relationships, and enhances your organization's reputation for security and reliability.
CIS18 gives your life sciences organization the framework to develop a formal cybersecurity program and a long-term strategic plan to protect your digital assets and data.
IG1 focuses on basic cybersecurity hygiene and addresses:
- Inventory and Control of Hardware Assets: Ensures that only authorized devices are given access to the network.
- Inventory and Control of Software Assets: Monitors software on the network to identify and remove unauthorized software.
- Continuous Vulnerability Management: Regularly scans for vulnerabilities and remediates them in a timely manner.
- Controlled Use of Administrative Privileges: Limits administrative access to reduce the risk of privileged accounts being misused.
- Secure Configuration for Hardware and Software: Ensures that systems are configured securely to prevent exploitation of vulnerabilities.
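The first two IG1 controls above come down to one recurring operation: compare what is actually on the network with what is authorized, and treat every difference as a finding. The script below is an added illustration of that reconciliation, not code from the original post, from USDM, or from CIS. Every host name, MAC address, package name, and version in it is constructed sample data, and the allowlist format (host to package to approved versions) is an assumption chosen for the example.

```python
"""Reconcile discovered hardware and software against an authorized inventory.

Added example (not from the original post, USDM, or CIS). All inventory data
below is constructed for illustration; the allowlist format is an assumption.
"""
from dataclasses import dataclass, field

# Constructed sample: authorized hardware inventory, keyed by MAC address.
AUTHORIZED_DEVICES = {
    "aa:bb:cc:00:00:01": "lab-instrument-01",
    "aa:bb:cc:00:00:02": "lims-app-01",
    "aa:bb:cc:00:00:03": "qc-workstation-07",
}

# Constructed sample: software allowlist per host (package -> approved versions).
AUTHORIZED_SOFTWARE = {
    "qc-workstation-07": {"cds-client": {"7.3"}, "openssh": {"9.6"}},
    "lims-app-01": {"postgresql": {"15.6", "16.2"}, "openssh": {"9.6"}},
}

# Constructed sample: what a network scan and endpoint agents actually observed.
DISCOVERED_DEVICES = [
    {"mac": "aa:bb:cc:00:00:01", "ip": "10.10.1.11"},
    {"mac": "aa:bb:cc:00:00:03", "ip": "10.10.1.13"},
    {"mac": "de:ad:be:ef:00:99", "ip": "10.10.1.200"},  # never authorized
]
DISCOVERED_SOFTWARE = {
    "qc-workstation-07": [("cds-client", "7.3"), ("openssh", "9.6"),
                          ("unapproved-remote-tool", "8.0")],
    "lims-app-01": [("postgresql", "14.1"), ("openssh", "9.6")],
}


@dataclass
class Findings:
    unknown_devices: list = field(default_factory=list)   # seen, not authorized
    missing_devices: list = field(default_factory=list)   # authorized, not seen
    unauthorized_software: list = field(default_factory=list)  # (host, pkg, ver, reason)


def reconcile_devices(authorized: dict, discovered: list) -> tuple:
    """Return (unknown MACs, missing MACs). Both lists are sorted for stable reports."""
    seen = {d["mac"] for d in discovered}
    unknown = sorted(d["mac"] for d in discovered if d["mac"] not in authorized)
    missing = sorted(mac for mac in authorized if mac not in seen)
    return unknown, missing


def reconcile_software(allowlist: dict, discovered: dict) -> list:
    """Flag packages that are absent from the host's allowlist or at an unapproved version."""
    findings = []
    for host, packages in discovered.items():
        allowed = allowlist.get(host, {})  # a host with no allowlist allows nothing
        for name, version in packages:
            if name not in allowed:
                findings.append((host, name, version, "not on allowlist"))
            elif version not in allowed[name]:
                findings.append((host, name, version, "version not approved"))
    return findings


def run_reconciliation() -> Findings:
    """Run both checks over the constructed data and collect the findings."""
    unknown, missing = reconcile_devices(AUTHORIZED_DEVICES, DISCOVERED_DEVICES)
    software = reconcile_software(AUTHORIZED_SOFTWARE, DISCOVERED_SOFTWARE)
    return Findings(unknown, missing, software)


if __name__ == "__main__":
    result = run_reconciliation()
    for mac in result.unknown_devices:
        print(f"UNKNOWN DEVICE  {mac}: not in authorized inventory, investigate or quarantine")
    for mac in result.missing_devices:
        print(f"MISSING DEVICE  {mac} ({AUTHORIZED_DEVICES[mac]}): authorized but not seen")
    for host, name, version, reason in result.unauthorized_software:
        print(f"SOFTWARE        {host}: {name} {version} ({reason})")
```

Both directions matter: an unknown device is a possible rogue or unmanaged asset, while an authorized device that is no longer seen may have been retired without updating the inventory, which erodes the record the other controls depend on. Running this kind of comparison on a schedule, with the output feeding a ticket or review rather than a one-off spreadsheet, is what turns the inventory safeguards from a list into a control.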
Achieve Essential Cybersecurity Hygiene with IG1
The frequency and severity of cyberattacks in the life sciences industry are rising, but CIS18 IG1 consists of 56 safeguards that prevent or mitigate common cybersecurity threats. Here is a structured approach to establishing this foundational protection:
- Engage Key Stakeholders and Sponsors. Identify C-level leaders, especially those with technical and scientific backgrounds, to sponsor the initiative. Brief them on the importance of cybersecurity and the benefits of implementing IG1. Their support and understanding will help drive the initiative forward and ensure adequate resource allocation.
- Identify Knowledgeable People in the Organization. Locate individuals who are familiar with current information security measures and brief them on the process. Their insights will be valuable for comparing existing measures to IG1 controls.
- Conduct the Assessment. Compare your organization’s existing cybersecurity measures with the cybersecurity defense safeguards in IG1. Remember, this isn't a checklist-and-you're-done process. It's a series of meaningful conversations that are rich with ideas and definitive next steps.
- Identify Critical Gaps and Plan for Improvement. Use the assessment output to identify critical gaps and make a plan to fill those gaps with appropriate policies, processes, and technologies. The assessment will also reveal controls that are compliant, ad-hoc, non-existent, or not applicable and decipher the level of risk these gaps pose to your organization.
- Develop a Detailed Roadmap. Close the gaps found during the assessment and meet your organization’s control goals. A roadmap is typically split into several phases with a one-year overall timeframe for achieving goals. These phases will include critical issues (now), immediate goals (1-3 months), and intermediate-term goals (3-12 months). Adjust these timeframes to meet your specific business requirements.
- Reassess Annually. Schedule periodic reviews to assess the relevance and effectiveness of implemented controls. Update and refine your cybersecurity measures based on evolving threats and organizational changes.
As more life sciences teams adopt AI and automation, security hygiene increasingly intersects with AI governance and compliance—extending the same access controls, monitoring, and accountability to the data and models that power emerging workflows.
Adopting IG1 of CIS Controls helps your organization establish fundamental cybersecurity practices, reduce your risk of breaches, and improve your overall security posture.
USDM Life Sciences offers a robust CIS18 assessment service designed for life sciences companies. Our experts will help ensure that your organization is well-protected against evolving threats, including adversarial attacks and insider threats.
FAQ: CIS18 Critical Security Controls in Life Sciences
What are the CIS Critical Security Controls (CIS18)?
CIS18 is a set of 18 Critical Security Controls developed by the Center for Internet Security to provide a prioritized, comprehensive framework for securing an organization's digital assets and data. The controls are organized into three Implementation Groups (IG1, IG2, and IG3) so organizations can adopt them according to their resources and cybersecurity maturity.
What is Implementation Group 1 (IG1) and where should we start?
IG1 is the baseline tier of CIS18 and represents essential cybersecurity hygiene—a minimum standard of information security. It consists of 56 safeguards designed to help organizations with limited cybersecurity resources thwart general, non-targeted attacks. Most life sciences organizations should start with IG1 before evolving toward IG2 and IG3.
Why are life sciences companies frequent targets for cyberattacks?
Life sciences companies hold extremely valuable data, including personally identifiable information, medical records, genetic information, trade secrets, and research and development details. This data can be used for identity theft, sold to competitors, or held for ransom, which makes biotech, pharma, and medical device companies attractive targets.
How effective is IG1 against real-world threats?
According to CIS, IG1 mitigates 79% of malware in the MITRE ATT&CK techniques and 100% of the insider privilege and misuse techniques. Even though it focuses on basic hygiene, IG1's 56 safeguards prevent or mitigate many of the most common cybersecurity threats facing life sciences organizations.
How does CIS18 relate to regulatory compliance?
Investors and partners often require proof of compliance with basic cybersecurity standards, and CIS18 IG1 helps demonstrate that commitment. In regulated GxP environments, the access controls and monitoring that underpin CIS18 also support data integrity and a continuous, audit-ready compliance posture.
Ready to elevate your cybersecurity controls? Don’t put your organization’s data and sensitive information at risk. USDM Life Sciences can assess your environment against CIS18 IG1, identify critical gaps, and build a phased roadmap tailored to your business. Contact USDM to get started, or explore our life sciences cybersecurity services.
