The pharmaceutical sector is a prime target for cyber attacks because it is an industry built on innovation, with extensive investments in R&D, intellectual property (IP) on medicines and new compounds, clinical patient data and trade secrets. When this information is stolen, it can have a devastating impact on the company. The Ponemon Institute’s 2016 Cost of Data Breach study found that the average cost of a data breach was in excess of $4 million, and each stolen record in the life sciences and pharmaceutical sector was valued at $195. The effect of such breaches goes beyond the direct damage from lost data: it also affects company valuation and brings regulatory fines and overall operational disruption. In a survey by Deloitte, the health care and life sciences industry was rated the fourth most “at risk” industry in terms of valuation impacts arising from cyber security issues.
Understanding the way threat actors operate in the pharmaceutical industry is an essential step to strengthening cybersecurity posture. Attackers deploy a wide range of tactics to target drug manufacturers, clinical researchers and the overall supply chain. In some instances, they use common tactics such as email phishing campaigns to penetrate IT networks before moving to other connected systems. In 2018, Proofpoint researchers, who analyzed attacks against Fortune 500 companies, found that phishing attacks and fraudulent business email compromise increased 149%, with biopharma the most targeted industry by hackers. Another substantial threat comes from insider threat actors (financially motivated employees or planted spies), through whom adversaries exfiltrate sensitive information and IP. The pharmaceutical industry is also one of the most active in the merger and acquisition (M&A) space. This period exposes sensitive information assets for both companies, and gaps can be created when merging the two IT and security infrastructures.
Cyber Attacks in the Pharmaceutical Industry and COVID-19
An example of a past cyber attack and its damaging effects is the 2017 ransomware attack on Merck and Co., dubbed NotPetya, that crippled 30,000 end-user devices and 7,500 servers. The malware caused $1 billion in damages, lost sales, and resources to recover from the incident. Furthermore, the breach crippled Merck’s production facilities for the leading vaccine against human papillomavirus. In another instance, Roche and Bayer, major pharmaceutical firms, confirmed that they experienced a cyberattack caused by Winnti malware.
The current COVID-19 pandemic has heightened the value of, and the focus on, the pharmaceutical industry; both the public and threat actors are highly interested in its activity. The UK’s National Cyber Security Centre (NCSC) reported that hackers, almost certainly operating as part of Russian intelligence services, are targeting organizations developing a coronavirus vaccine in the UK, US, and Canada. The Canadian Communications Security Establishment (CSE) and the Canadian Security Intelligence Service have publicly warned that hackers had exploited software flaws to get access to computer systems. In other cases, threat actors used WellMess and WellMail malware to upload and download files from infected machines. APT29, an advanced persistent threat, has targeted vaccine research and development by scanning specific device IP addresses for vulnerabilities to enable hackers to obtain login credentials to critical systems. It is ever more important to have security measures and incident response plans in place, as cybercriminals are interfering with the timely research and development of a COVID-19 medicine.
Despite the highly publicized data breaches targeting the pharmaceutical industry in recent years, a wide range of companies in the sector lack adequate cybersecurity practices to impede attacks. However, the current COVID-19 situation has generated a surge in interest and a sense of urgency to enhance cybersecurity posture for pharmaceutical firms.
Here are a few basic measures that organizations can implement to overcome cybersecurity challenges.
Create a security culture: Drug manufacturers should train employees to understand cyber threats and the best practices they can follow to protect confidential information and critical systems. A security awareness program helps to encourage and enable employees to play an active role in a company’s overall security strategy. In a previous post, Healthcare Under Attack, ISA shares some key tips on how every employee can exercise extra cybersecurity caution in the workplace.
Classify data: The bioscientific community should classify sensitive data like drug compounds and formulas, which form the lifeblood of their organizations. The sector should identify information both at rest and in transit, along with the critical applications and users accessing the data. Subsequently, the security teams can provide layered protection at the application and data levels.
Deploy reliable security access controls to mitigate insider threats: Companies should implement adequate security measures, such as email security gateways, firewalls, and virtual private networks, to examine network packets and determine the appropriate course of action. Identity and privileged access management practices can help limit insider threat paths and provide robust audit trails.
Data backup: Drug manufacturers should back up data regularly and separate it from the production environment. In case of a ransomware attack, the victim can recover encrypted information from a tested backup.