Cyber security in the GMP environment.

Every company must protect itself against cyber attacks. Especially in the GMP environment, there are special challenges to overcome.

Alongside the finance and insurance industries, the pharmaceutical industry is one of the financially strong sectors of the economy. Considering the large sums of money invested in researching new medicines, it is all the more important to protect all data from unauthorised third parties. Both technical and organisational measures must be implemented. Technical measures include securing networks with a suitable IT infrastructure or firewalls. Organisational measures include documentation and training for employees.

The 2021 State of Pharmaceuticals and Cybersecurity Report1 by Fortinet finds that an industry is rapidly losing the race to secure and protect intellectual property, business continuity and mission-critical data. 98% of pharmaceutical companies surveyed have experienced at least one breach. And about half of the companies surveyed experienced between three and five attacks in the last year (2020).

Cyber security in the GMP environment as a special challenge.

The particularly strongly regulated GMP environment does not exactly make it easier for cyber security. For example, no undocumented changes may be made to systems. And the installation of updates must also be based on a concept that is usually based on documents such as risk analyses, equipment and software lists. All efforts then result in (at least) one work instruction that describes in clearly defined scenarios how and when which updates may be applied to which systems. In addition, regular reviews of documentation and audit trails are carried out.

The attackers' methods evolve accordingly, incorporating current protection mechanisms. For this reason, cyber security in the company requires a system that also evolves and is subject to a life cycle process. Cyber security should therefore by no means be understood by companies and employees as an additional requirement. Rather, it must be part of the daily routine of a regulated IT. This also includes the sensitisation of all employees to the topic.

An Information Security Management System (ISMS) is therefore essential.

Protecting data is one side of the coin, the other is ensuring the confidentiality, availability and integrity of the data. The necessary rules, tools and processes are defined in the information security management system.

The implementation of security standards and the associated compliance with governance in the company, as well as the minimisation of risks through the use of process-oriented methods, is only successful if the following components are incorporated into the ISMS:

  • Technical measures
  • Organisational measures
  • Cyber security concept
  • Life cycle process

The life-cycle process (continuous improvement process) is an integral part of the information security management system. Security is made up of a mix of technology, measures, personnel and processes. But training and awareness-raising for the topics of cyber security and information security also play an important role in the context of a holistic process.

This means that you should audit and check yourself regularly.

An attack can pursue different goals.

An attack can have different targets and thus different effects. Furthermore, an attack can pursue several targets in parallel:

Delete data
  • Regulatory breach > non Compliance
  • Tracking (product quality, data) no longer given
  • Product recall
  • Loss of reputation
  • Financial damage up to and including insolvency
Manipulate data
  • Audit trails are no longer meaningful
  • Product quality not guaranteed
  • Threats to patient safety
  • Product recall
  • Loss of reputation
  • Financial damage up to and including insolvency
Spying on data
  • Competitor opens up new markets
  • Sale of data
  • Loss of reputation
  • Financial damage up to and including insolvency
Scattering of Misinformation
  • Loss of reputation
  • Financial damage up to and including insolvency

Tab. 1: Attack targets and effects.

The deletion of data.

The deletion of data is critical in the GMP environment. Years of investment in studies and complete documentation form the backbone of a product's approval. If attackers delete the data and the process has to be started all over again, a company can quickly reach its financial limits. If products are already on the market, but the quality of the manufacturing process cannot be traced, this can lead to expensive product recalls. The violation of regulatory requirements automatically leads to non-compliance, which can quickly result in warning letters from the FDA and a serious loss of reputation.

The manipulation of data.

The potential danger of data manipulation is even higher than data deletion. Deletion of data is generally noticed more quickly than manipulation. Deleted data does not mean that the quality of the product is subsequently poor. However, the manipulation of data can have a very strong impact on the product quality. This can go so far as to endanger the safety of patients.

Spying on data and spreading false information.

Spying on data and spreading false information is more likely to cause economic damage to the company and damage its reputation. Here, too, the severity of the attack in combination with the media interest and the level of awareness of the company can lead to insolvency.


The asset group defines which data is to be protected. This can be documents, reports, photos, but also password information or credit card data.

When choosing assets, the following questions are helpful:

  • What data is most confidential for you?
  • Not all data is equally confidential. Work with confidentiality levels. Depending on the level, the protection effort is defined.

  • What data must not be lost under any circumstances?

    Create categories and evaluate them. Data that must not be lost may be found in business/management, in the laboratory, in the research area or even in production.

  • What would cause the most damage?

    Define damage scenarios and subdivide e.g. by probability of occurrence, probability of detection, impact on different areas and criticality. Pay attention to a data-related assessment. The greatest damage occurs when what happens to what data?

  • What could have a strong negative impact on the company's reputation?

    Determine which scenarios can negatively affect the company's reputation. Classify the scenarios. Not every scenario affects the reputation to the same extent.

Derived from the answers, you receive the assets that are (particularly) worth protecting for you.
Anonymity / Privacy.

Privacy and anonymity also play an important role in the choice of assets.

            Anonymity = moving around the network undetected

            Privacy = secret data (Top Secret, Confidential)

Anonymity means that every user action is separated from the identity. Although it is possible to see which action has been carried out (e.g. an entry in a public forum), it is not possible to assign the user to a specific person.2 possible.

Privacy refers to data and its protection. Secrets should be kept. For example, it makes sense to make important business data accessible only to a certain group of people. Sending encrypted data is also part of privacy. If you load encrypted data into the cloud, the company is not anonymous as a customer, but the data is protected by the encryption and only those who have the key can decrypt the data.

In summary, assets are the data we have to take care of. They form our assets. The questions listed above, as well as the weighting of the areas of anonymity and privacy, can help in the creation of assets.

Fig. 1: Assets

Different security procedures are used to protect the assets. For example, a VPN (Virtual Private Network) can secure the connection between sender and receiver. 2-factor authentication is also part of the security procedures, as is a firewall or the patching of computer systems (hardware and software).

Fig. 2: Security

Security is the degree to which our assets are resistant to threats. We select security controls based largely on the threat scenarios triggered by attackers.


The threats represent the actual attack scenario. Besides attacks by means of viruses, Trojans, etc., phishing is also one of the threats. These threats are controlled/triggered by the attackers.

Fig. 3: Threats
Exploits and Weakness.

The various threats are collectively referred to as an exploit. An exploit will attempt to exploit known vulnerabilities and thus gain access to systems. The vulnerabilities form the boundary between threats and security.

As soon as the exploit wants to penetrate the security zone, the security measures must take effect. To do this, the security system must first recognise that an attack is taking place. There is no such thing as 100% protection. A residual risk always remains. If the exploit has successfully penetrated the security zone, it will try to break through the next line of defence. Once the boundary between security and assets has been breached, the assets are accessed.


With vulnerability, we talk about the reasons why an attack could be successful in the first place. Depending on what data needs to be protected and to what extent, the appropriate security procedure must be established. Not all security procedures are suitable for all scenarios.

For example, a computer is infected with a spy tool because no security updates were previously installed. A VPN connection between the computer and the update server would not have prevented the attack here.

The vulnerability for the infestation is thus the omitted update.

Adversaries (opponents/attackers).

Once you have determined the assets and defined the security measures, you may want to explicitly protect yourself from certain threats. For this purpose, a threat landscape is created and the adversaries are included.

Fig.4: Adversaries

This way you can show in detail that you want to protect yourself from hackers, for example. Hackers often use backdoors such as security holes in applications. Security patches and updates provide a remedy. This would enable you to protect sensitive audit reports, among other things.

The attack vector.
Attack vector
Fig.5: Attack vector

However, attack vectors can also be used in a completely different way:

A company notebook with highly sensitive data is stolen. A VPN connection is completely useless in such a case. The perpetrator theoretically has an infinite amount of time to access the data, since he is in possession of the notebook. Only a very strong and secure encryption of the entire notebook hard drive can help here.

The question when planning the security concept is:
How high is the impact if the encryption is cracked?

All devices with corresponding security measures must be checked regularly. Due to the constantly changing threat situations, measures taken are sometimes no longer sufficient after just a few weeks.

The added value.

The ISMS ensures that data can not only be used but also monetised within a legally defined framework. In the pharmaceutical industry, cautious trends are emerging to strengthen sales with data.

Every company that stores or uses customer data must be able to show the customer which data is used for which purpose. Especially with regard to data-based business models, it is to be expected that a functioning ISMS will become mandatory.

Other advantages of the ISMS are:

  • Controllability of the safety aspects through process-controlled procedures
  • Compliance with safety standards
  • Fulfilment of corporate guidelines with regard to compliance/governance










2-factor authentication

Food and Drug Administration


Good Manufacturing Practice

Information Security Management System

Internet Protocol

Information technology

Virtual Private Network

Notes and literature.

  2. In computer networks (company network, Internet), the IP address and other measures make it possible to identify a user (or at least the workstation).

Share Article.


Persons to the article.

Dirk Düsterhöft

Senior Management Consultant

Dirk Düsterhöft studied computer science at the University of Applied Sciences in Bremerhaven with a diploma in media informatics. Mr Düsterhöft also holds a Master's degree in Management with a focus on Corporate Management from FOM Bremen.
During his professional career, he has worked in various positions such as Online Media Manager, Coordinator for Systems and Databases and as an IT Analyst. His core competencies include the recording and analysis of CSV-relevant processes in vaccine production as well as the coordination of the migration of software systems validated according to GMP, including revalidation. Furthermore, he is experienced in CSV in the entire production area (GxP, GAMP5, V-Model, Lean, PDSA, ITIL) and in process optimisation and implementation of international CSV company specifications. Mr Düsterhöft took over a CSV project in the SAP environment with more than 25 key users as project manager and successfully completed it in terms of quality, time and costs.
Dirk Düsterhöft supports Entourage as Senior Management Consultant.


Read more.

Drug Shortages in Germany - A Critical Assessment.
Dr. Ralf Hess, Dominik M. Aumer, Moritz Haucke and Dr. ...
News on the harmonized standard ISO 15223.
News on the harmonized standard ISO 15223.
Dr. Ralf Hess et al, published. Article on the implementation of MDR & IVDR into national law.
Entourage Principal Project Consultant Dr. Ralf Hess publishes article on ...
Progressive roll-out of the In Vitro Diagnostic Medical Device Regulation for "legacy" IVDD-CE-marked devices.
An extension of the transitional periods should increase the pressure on IVD manufacturers ...
Cyber security in the GMP environment.
Every company must protect itself against cyber attacks. Especially in the ...