At the start of 2020, organized ransomware groups were already engaging in targeted campaigns designed to generate maximum revenue from victims. However, in spring the ransomware opportunity got even bigger as the switch to mass home-working necessitated by COVID-19 work from home orders created the perfect, disrupted environment for ransomware attacks. Consequently, according VMware Carbon Black, attack volumes are up 900% year on year.
Attacks on biotech and pharmaceutical companies are on the rise
The global healthcare sector, and in particular biotech and pharmaceutical companies, have been bearing the brunt of escalating attacks. Data held by healthcare providers is some of the most confidential and valuable to individuals, and consequently is highly attractive to cybercriminals; the dark web market for health-related PII and insurance data is booming. As a result, attackers are prioritizing gaining access to healthcare provider networks, employing island hopping tactics and exploiting the supply chain. This means that the larger the business ecosystem, the greater the associated risk.
Away from direct patient-facing risks these companies also deal in some of the world’s most critical and priceless intellectual property (IP). Consequently, they are targeted by opportunistic and highly capable cybercriminals seeking to steal and exploit their data. As firms race to develop cures and vaccinations – particularly in the current COVID-19 environment – their IP data is a prime target for both financially motivated and nation state-sponsored threat actors.
COVID-19 vaccines are the crown jewels of 2020
Research just undertaken by BlueVoyant reveals that attacks against biotech and pharmaceutical companies rose 200% from 2017 to 2018, jumping again by 50% between 2019 and 2020. The report found that, despite almost half of attacks being due to ransomware, the industry frequently lacked critical defenses against phishing and remote desktop exploits, the methods most favored by ransomware groups.
In 2020 attackers reacted to the race for a COVID-19 vaccine by massively ramping up attacks on companies developing vaccines, who are again struggling to defend themselves. The research found that eight of the most prominent companies in this vaccine race are facing high volumes of targeted malicious attacks. For example, IQVIA, the contract research organization helping manage AstraZeneca’s COVID-19 vaccine trial, fell victim to a ransomware attack originating in one of its tier two technology vendors. This meant that IQVIA had to stop clinical trials and researchers had to revert to pen and paper.
Most organizations in this sector are significantly scaling up their digital platforms and digital transformation initiatives but their cybersecurity posture lags. This industry is committed to precision medicine and its business models are supported by an abundance of data. There is increased reliance on machine learning and AI to automate, interpret and optimize all that data; unfortunately, this is also a goldmine for cybercriminals. The report found that companies were notably weak in the areas of vulnerability, patch management and basic IT hygiene and best practices for limiting exposure. Additionally, the research environment has fluid borders, and a lot of data generation happens at the edges as they connect to vendors, suppliers and patients.
The impact of an attack extends way beyond the ransom payment
Biotech and pharmaceutical companies’ market valuation relies on the new drugs they bring to market. This depends on successful clinical trials, which hinge on data and analytics; no principal researcher can afford for its data to be compromised. And ransomware attacks are not just about the financial ransom payment in return for unencrypting systems. Often, if victims resist, attackers threaten to publish stolen data as proof of the attack, to cause major reputation and regulatory damage and expose trade secrets. Some groups even base their ransom demands on the likely fines businesses would face if a breach becomes public. Likewise, the stolen data can still be sold on the dark web. Even if they pay the ransom, companies risk prosecution by the US Department of the Treasury should they pay a group that is subject to US sanctions.
Furthermore, regulation such as HIPAA and the associated HITECH Act are a key factor. These put the onus directly on healthcare providers to safeguard patient information. Biotech and pharmaceutical companies face detailed oversight on clinical innovation, requiring strong risk management and clear answers on resilient protocols.
Why don’t these organizations prioritize cybersecurity and risk?
Typically, IT leaders and CISOs are dealing with too many tools, too many false alerts and tension between budgetary restrictions and security imperatives. With IT security budgets flat or falling, leaders must optimize, not simply add more tools. This issue is compounded by ineffective technology. Only last month cyber industry think tank Debate Security revealed research establishing the fragmented cybersecurity market and sub-par technology is not as successful as it ought to be at protecting companies: it may not perform as advertised.
But today the consequences of not prioritizing cyber risk are unacceptable. Pharmaceutical organizations have critically sensitive data assets such as interim clinical trial outcomes; unpublished Probability of Technical Success (PTS) of molecules; launch plans across the globe, Active-Ingredient suppliers. However, many CIOs have not recently updated their data architectures, pressure-tested their tech and processes or mapped upgraded threat vectors. For example, while their SAP user access might be very secure, could they be exposing patient data on pilot trials to a higher relative risk?
The strategic approach must include educating executives about the challenges the organization faces, as well as having robust incident preparation and response. This is as important as the technology tools that prevent such attacks. There must be board level conversations around risk visibility and risk mitigation and – given the increased reliance on collaboration and on data assets – they need to rethink how they are protecting those key assets.
Importantly, after securing their own systems, CIOs must look outward to supply chain cybersecurity due to the sector’s tight and varied webs of supply chain dependencies. Supply chain cybersecurity is a critical step in managing third-party cyber risk.
Corporate leaders in life sciences must spotlight cybersecurity. They are the custodians of critical data and IP and it is imperative this is protected from nation-state and cybercriminal threats. Crucially, many must move away from the academic mindsets of allowing open computing for researchers towards a “security-first” culture that extends into the whole supplier ecosystem.
Below is a checklist for companies to review Board oversight of their cybersecurity program:
• How recently has the Board prioritized their data assets?
• How familiar are they with the data architecture that underpins the business?
• Do they have a good understanding and oversight of how many collaborations and vendors the business is working with in R&D or manufacturing?
• How familiar is the board with the current digital risk mitigation plan? What tradeoffs did the CIO/CISO make to deploy this plan?
• How recently did the Board and CIO simulate a serious attack?
• How ready is the Board to communicate with stakeholders?
Written by Abel Archundia, MD, Life Sciences and Industrials, ISTARI and Jim Penrose, COO BlueVoyant