CYBERSECURITY - Why Pharmaceutical Companies Are Vulnerable to Cyberattacks & What You Can Do to Protect Your Company

INTRODUCTION

The cybersecurity landscape is continually changing and evolving, and cybercriminals are increasingly targeting private companies. This means that having good cybersecurity strategies and practices in place is more important than ever. A cybersecurity breach can wreak havoc on any company, compromising proprietary digital assets, exposing private information, and potentially damaging the critical systems your company relies on to function. When a breach does occur, it also requires both time and energy to contain the breach and mitigate the damage, eating up resources, people hours, and funds that could have been deployed elsewhere. According to the 13th annual Cost of a Data Breach Study conducted by the Ponemon Institute in 2018, the global average cost of a data breach is up 6.4% over 2017 and cost companies a total of $3.86 million.¹ The average cost for each individual lost or stolen record also increased to about $148.

CYBERSECURITY & THE PHARMACEUTICAL INDUSTRY²

The data collected by pharmaceutical companies, including proprietary information about patented drugs, data related to pharmaceutical advances and technologies, and patient information are all incredibly sensitive and valuable, which means that losing control over that data can have catastrophic consequences and erode patient and consumer trust.

Having a comprehensive cybersecurity strategy in place to safeguard those digital assets has become an essential part of any company’s security protocols. Companies that do not prioritize creating robust, flexible, and comprehensive cybersecurity strategies leave their valuable data vulnerable.

A successful cybersecurity attack against a company can result in stolen intellectual property, lost revenue, and even litigation. Valuable research data can be lost or damaged, which necessitates repeating entire clinical trials and absorbing the associated costs. Share prices can plummet, and a brand’s image can become tarnished.

In general, the pharmaceutical industry as a whole has not been on the cutting edge in terms of cybersecurity practices, though the high profile and highly publicized cybersecurity attacks in recent years have acted as a wake-up call to many companies. Though there has been a surge in interest, and a new sense of urgency, when it comes to improving cybersecurity protocols at individual companies, there are still a few challenges that many pharmaceutical companies face.

DIGITAL ASSETS

A pharmaceutical company’s most valuable assets are typically secret formulas for proprietary drugs and other large amounts of strictly confidential data. This makes pharmaceutical companies attractive to criminals because this data is incredibly valuable and can easily be sold on the dark web or ransomed back to companies that are desperate to protect the intellectual property their company has built its business on.

PEOPLE

Even the most airtight and well-designed cybersecurity strategy is only effective if your employees know how to implement it correctly, what their role is when it comes to safeguarding your company’s assets, and who they should report potential problems to. Improperly trained employees are a challenge faced by many companies both inside and outside the pharmaceutical industry.

MERGERS & ACQUISITIONS

Mergers and acquisitions are a part of daily life in the pharmaceutical industry, and this poses a unique challenge from a cybersecurity perspective. When a company is acquired by another company, or the two companies merge, there can be a lot of shuffling, which means that cybersecurity strategies and approaches can change overnight. It also means that if a company’s data is compromised, or they are found not to have taken enough care to safeguard their assets before a merger or acquisition is finalized, it could compromise the deal and leave the company vulnerable to legal problems.

THE INTERNET OF THINGS

The healthcare industry, including the pharmaceutical industry, has embraced the internet of things wholeheartedly. While this makes it easy to access critical documents and patient data or use big data to track trends all of this information is about health, which comes with unique privacy challenges. Depending on where you operate, stringent new privacy regulations, such as GDPR, can mean that sloppy cybersecurity protocols could leave you vulnerable to legal litigation as well as cybersecurity attacks.

The internet of things increases your risk of experiencing a cybersecurity incident and can cause increased uncertainty around the chain of controls that follow where data is generated or created and where it ultimately ends up.

GOVERNANCE

All organizations need to have robust yet flexible cybersecurity protocols in place to protect themselves against the threat of cybersecurity attacks. This requires having an overall operating model, well-defined roles and responsibilities, robust contracts, dealing with third-party integration, monitoring threats, communicating vulnerabilities effectively, and ensuring that cybersecurity remains a top security priority.

All of this presents a significant challenge for any company, but implementing a system such as this it can be particularly onerous for pharmaceutical companies because of the extremely confidential nature of their intellectual property, the fact that their most valuable assets may be subject to strict privacy laws, and the fact that acquisitions and mergers can disrupt established ways of doing things.

WHY CYBERCRIMINALS TARGET PHARMACEUTICAL COMPANIES

Pharmaceutical and biotechnology companies are being targeted by cyber criminals more frequently than they were in the past, and according to a study conducted by Deloitte, the pharmaceutical industry is now frequently the number one target of cybercriminals around the world, particularly when it comes to intellectual property theft.³ This is because, as these companies move toward increased digitization and storing more valuable data online, they are becoming more attractive targets. Stolen data can either be sold on the dark web or ransomed back to desperate companies who rely on their IP, as well as access to critical documents, such as trial results and patient information, to continue running.

RECENT HACKS & WHAT THE INDUSTRY HAS LEARNED FROM THEM

Though it is unfortunate for any company to experience a cybersecurity incident such as a hack or breach, cybersecurity incidents can be used as educational tools that can better inform current company cybersecurity policies.

NotPetya Attack on Merck
One of the most significant cybersecurity attacks on a pharmaceutical company in recent history struck Merck & Co., which employs more than 69,000 people and is one of the oldest and largest pharmaceutical companies in the world.⁴ Merck was one of dozens of companies hit by a massive ransomware attack in 2017 and suffered worldwide operational disruptions, forced the company to halt production of new drugs, and significantly impacted the company’s revenue for the year.

Merck employees around the world opened their computers to find themselves completely locked out of the company’s systems and unable to work. The incident was caused by the NotPetya strain of ransomware, which was used to attack other companies as well.⁵

The WannaCry Attacks
In 2017, healthcare networks around the world were affected by the WannaCry ransomware attacks, which locked healthcare professionals out of patient health records.⁶ In all, more than 230,000 computers in 150 countries were affected causing billions of dollars of damage, virtually shutting down health systems worldwide.

Wicked Panda Uses WINNTI to Target Bayer
In 2018, drug manufacturer Bayer discovered that its computer networks had been infected with malicious software.⁷ The company decided to covertly monitor and analyze the software before purging it from its systems, and though they discovered no evidence of data theft or any indication that any personal data was compromised, the incident is still unnerving.

Bayer was able to determine the hackers were using malware called WINNTI, which allowed unauthorized users to access private systems remotely and give cybercriminals the time to look for internal vulnerabilities that could be potentially exploited. According to Bayer’s spokesperson, the company and their security experts believe the Wicked Panda group, which is based in China, initiated the attack.

SAFEGUARDING YOUR COMPANY’S ASSETS

Traditionally, cybersecurity was approached from an incident response perspective. This means that many companies did not review their protocols or correct vulnerabilities that could be exploited until they or another similar company had already been targeted by unauthorized users.

Once the unauthorized user was discovered, companies would work to oust them and then go through the forensics of the attack to determine how the intruder gained access by looking at things like IP addresses, domain names, and what malware was used (called Indicators of Compromise, or IoCs). Companies also need to determine what exactly was compromised, and what needed to be done to clean up the mess and patch the security hole or holes that were exploited.

The Drawbacks of the Incident Response Approach
This approach is problematic for two ways. First, it relies on your company or another company falling victim so that the IoCs could be discovered and shared with other potentially vulnerable companies and organizations. The other problem has to do with the timeframe. IoCs have a very short half-life, which means that any solutions derived from this line of defense are short lived. All an unauthorized user needs to do is reconfigure their malware or purchase a different IP address, and they can potentially regain access to your systems.

This approach leaves you and your company trapped in a potentially endless game of cat and mouse in which each incident is dealt with in a vacuum, ignoring larger systematic weaknesses and waiting to act until after the damage has already been done.

A reactive approach also drains your company’s resources unnecessarily, as your cybersecurity team spends its time chasing after the same intruders and cleaning up their messes. This drain pulls both people and resources away from other vital areas of cybersecurity, such as pre-emptively looking for vulnerabilities that could be exploited, and forces your cybersecurity personnel to dedicate themselves to minimizing damage and focusing on remediation. A Zero Trust approach would be much better suited as a preventative measure instead of the common reactive approach by not letting the original action happen and cutting off all access until a communication has been verified as trustworthy.

A Proactive, Top-Down Approach⁸
A comprehensive, robust, and flexible cybersecurity approach goes beyond updating your anti-virus software is up to date and making sure all updated security patches for your software are downloaded. While these basics are essential, they are only the beginning. A holistic cybersecurity approach seeks to uncover potential vulnerabilities before they can be exploited, keeping up to date on the latest cybersecurity threats, and continually reevaluating your cybersecurity protocols to ensure they are meeting your needs effectively.

Cybersecurity is everyone’s job. Every single employee, from the CEO down to the intern in the mail room, plays an important role. In addition to the C suite working with cybersecurity experts to craft and implementing company-wide best practices, your employees need to understand what they can do to protect your company’s digital assets, how to avoid falling for phishing scams or other cybersecurity attacks that could expose confidential information, and who they should report potential incidents to.^9,10 Training tools such as tabletop scenarios and pen (penetration) tests all play a critical role in honing your company’s cybersecurity protocols and safeguarding assets.

Tabletop scenarios are similar to fire drills. They let your employees hone their response to a simulated cybersecurity incident in a low stakes environment. After the scenario is complete, your team can review their response, identify where improvements can be made, and formulate strategies to address any shortcomings. A pen test involves hiring an ethical hacker to stress test your cybersecurity protocols by attempting to break into your system and access your valuable digital assets. As the hacker works, they will take note of the vulnerabilities they encounter and how they were able to exploit them, then provide you with a comprehensive report at the end of the test. This valuable information can then be used to strengthen your current protocols and address any vulnerabilities before a cybercriminal attempts to gain unauthorized access to your systems and data.

THE BENEFITS OF A MSSP

For many of us, creating, implementing, and monitoring company-wide comprehensive cybersecurity solutions can seem daunting, and even overwhelming. Luckily, you can rely on a trusted MSSP (Managed Security Services Provider) to help you ensure that your company’s digital assets are secure.

An MSSP consists of a team of trained cybersecurity experts who will work with you to create a custom cybersecurity solution to meet your needs and safeguard your company’s digital assets. They can also monitor your network 24/7/365 for suspicious activity, offer employee cybersecurity training, and help you mitigate or even avoid damage if your company does experience a cybersecurity incident. If an incident occurs, they can also help you review the incident and learn from it so that similar breaches can be avoided moving forward.

REFERENCES

1. 2018 Cost of a Data Breach Study by Ponemon. Sponsored and published by IBM Security.
2. Cyber Security Challenges in the Pharma Industry, by Ramón Serras, Head of Information Security, Risk Management, and Quality at Almirall. Published by Global Engage, 2018.
3. Industrial Cybersecurity Defenses Essential for Pharma Companies, by Mat Morris, VP of Product & Strategy, NexDefense. Published by Pharma Manufacturing (2017).
4. Cybersecurity for Pharmaceutical and Biotechnology Firms, by Megan Berkowitz. Published by Pharma iQ.
5. The Untold Story of NotPetya, the Most Devastating Cyberattack in History, by Andy Greenberg, WIRED senior writer. Published in WIRED, 2018.
6. How WannaCry Ransomware Crippled Healthcare, by Jennifer Jeffers. Published by the Infosec Institute, 2018.
7. Bayer Contains Cyber Attack it Says Bore Chinese Hallmarks, by Patricia Weiss & Ludwig Berger. Published by Reuters, 2019.
8. The Untold Story of NotPetya, the Most Devastating Cyberattack in History, by Andy Greenberg, WIRED senior writer. Published in WIRED, 2018.
9. How WannaCry Ransomware Crippled Healthcare, by Jennifer Jeffers. Published by the Infosec Institute, 2018.
10. Bayer Contains Cyber Attack it Says Bore Chinese Hallmarks, by Patricia Weiss & Ludwig Berger. Published by Reuters, 2019.

Andrew Douthwaite has more than 17 years of technology experience, joining VirtualArmour in 2007 as a Senior Engineer. Now as Chief Technology Officer, Andrew focuses on leading growth in the managed security services business and ensuring VirtualArmour is a thought leader in the security industry.