How can pharma protect itself from cyber attacks?

Andrew Douthwaite CTO of VirtualArmour writes about the changing cybersecurity landscape and what pharma companies can do to protect themselves. 

The cybersecurity landscape is continually changing and evolving, and cybercriminals are increasingly targeting private companies. This means that having good cybersecurity strategies and practices in place is more important than ever. A cybersecurity breach can wreak havoc on any company, compromising proprietary digital assets, exposing private information, and potentially damaging the critical systems your company relies on to function. When a breach does occur, it also requires both time and energy to contain the breach and mitigate the damage, eating up resources, people hours, and funds that could have been deployed elsewhere.

Cybersecurity & the pharmaceutical industry

The data collected by pharmaceutical companies, including proprietary information about patented drugs, data related to pharmaceutical advances and technologies, and patient information are all incredibly sensitive and valuable, which means that losing control over that data can have catastrophic consequences and erode patient and consumer trust.

Having a comprehensive cybersecurity strategy in place to safeguard those digital assets has become an essential part of any company’s security protocols. Companies that do not prioritise creating flexible and comprehensive cybersecurity strategies leave their valuable date vulnerable.

Why cybercriminals target pharmaceutical companies

Pharmaceutical and biotechnology companies are being targeted by cyber criminals more frequently than they were in the past, and according to a study conducted by Deloitte - the pharmaceutical industry is now frequently the number one target of cybercriminals around the world, particularly when it comes to intellectual property theft. This is because, as these companies move towards increased digitisation and storing more valuable data online, they are becoming more attractive targets.

Stolen data can either be sold on the dark web or ransomed back to desperate companies who rely on their IP, as well as access to critical documents such as trial results and patient information, to continue running.

A recent hack & what the industry has learned from it

Though it is unfortunate for any company to experience a cybersecurity incident such as a hack or breach, cybersecurity incidents can be used as educational tools that can better inform current company cybersecurity policies.

NotPetya attack on Merck

One of the most significant cybersecurity attacks on a pharmaceutical company in recent history struck Merck & Co., which employs more than 69,000 people and is one of the oldest and largest pharmaceutical companies in the world. Merck was one of dozens of companies hit by a massive ransomware attack in 2017 and suffered worldwide operational disruptions, forced the company to halt production of new drugs, and significantly impacted the company’s revenue for the year. 

Merck employees around the world opened their computers to find themselves completely locked out of the company’s systems and unable to work. The incident was caused by the NotPetya strain of ransomware, which was used to attack other companies as well.

Safeguarding Your company’s assets

Traditionally, cybersecurity was approached from an incident response perspective. This means that many companies did not review their protocols or correct vulnerabilities that could be exploited until they or another similar company had already been targeted by unauthorised users. 

Once the unauthorised user was discovered, companies would work to oust them and then go through the forensics of the attack to determine how the intruder gained access by looking at things like IP addresses, domain names, and what malware was used (called Indicators of Compromise, or IoCs). Companies also need to determine what exactly was compromised, and what needed to be done to clean up the mess and patch the security hole or holes that were exploited. 

The drawbacks of the incident response approach

This approach is problematic for two ways: One, it relies on either your company or another company falling victim so that the IoCs could be discovered and shared with other potentially vulnerable companies and organisations. The other problem has to do with the timeframe: IoCs have a very short half-life, which means that any solutions derived from this line of defense are short lived. All an unauthorised user needs to do is reconfigure their malware or purchase a different IP address, and they can potentially regain access to your systems.

This approach leaves you and your company trapped in a potentially endless game of cat and mouse where each incident is dealt with in a vacuum, ignoring larger systematic weaknesses and waiting to act until after the damage has already been done. 

A proactive, top-down approach

A comprehensive, robust, and flexible cybersecurity approach goes beyond updating your anti-virus software is up to date and making sure all updated security patches for your software are downloaded. While these basics are essential, they are only the beginning. A holistic cybersecurity approach seeks to uncover potential vulnerabilities before they can be exploited, keeping up to date on the latest cybersecurity threats, and continually reevaluating your cybersecurity protocols to ensure they are meeting your needs effectively.

Cybersecurity is everyone’s job. Every single employee, from the CEO down to the intern in the mail room, plays an important role. In addition to the C suite working with cybersecurity experts to craft and implementing company-wide best practices, your employees need to understand what they can do to protect your company’s digital assets, how to avoid falling for phishing scams or other cybersecurity attacks that could expose confidential information, and who they should report potential incidents to. Training tools such as tabletop scenarios and pen (penetration) tests all play a critical role in honing your company’s cybersecurity protocols and safeguarding assets.

^References

^{1: Industrial Cybersecurity Defenses Essential for Pharma Companies, by Mat Morris, VP of Product &Strategy, NexDefense. Published by Pharma Manufacturing (2017)}

^{2: Cybersecurity for Pharmaceutical and Biotechnology Firms, by Megan Berkowitz. Published by Pharma iQ.}

^{3: The Untold Story of NotPetya, the Most Devastating Cyberattack in History, by Andy Greenberg, WIRED senior writer. Published in WIRED, 2018.}

^{4: Boosting Cybersecurity in Pharma, by CheeHoe Lee, Yokogawa Electric Corporation. Published by Pharma Manufacturing, 2018.}

^{5: 19 Essential Cybersecurity Best Practices. Published by VirtualArmour, 2018.}