An Industry Under Attack: Pharma Revisits Cybersecurity During COVID-19

The pharma value chain has become increasingly digital and complex, with networks of remote and on-premises workers regularly accessing disparate data, clouds, and applications. In addition, pharma companies are increasingly customer-driven, with more data available through patient and healthcare provider portals. All of this, says Troy Ament, chief information security officer (CISO) for healthcare at Fortinet, makes pharma “a target for cybercriminals.”

The bioeconomy is one of the five key technologies in need of protection from cybercrime, according to the US National Counterintelligence and Security Center. “Companies in this space are targets because of their intellectual property,” says Scott Nawrocki, chief security officer and managing director of digital investigations and cyber defense at Nardello & Co. “To maintain a competitive advantage, they need to protect that intellectual property. When a company outsources some of its research or production, it is handing over its IP. The company may have spent millions, sometimes billions of dollars on this IP, only to outsource it.” As well as cybercriminals engaged in extortion rackets, there are nation states that are interested in becoming world leaders in pharma and biotech. And they have the means to target companies’ IP in highly organized and sophisticated cyberattacks.

Channels of attack

The pandemic has exacerbated pharma’s vulnerability, not least because of the shift to remote work. Writing on pharmexec.com in August, Ament noted that this has meant “a shift from trusted computing to untrusted networks.” With many employees no longer protected by company firewalls and security protocols, “new risks were introduced, especially around cloud migration and endpoint proliferation.” The industry’s “expanded attack surface becomes a playground for cybercriminals,” wrote Ament.

One criminal tactic is the distribution of ransomware. According to Fortinet, by the end of 2020, there were as many as 17,200 devices reporting ransomware each day.¹ Nawrocki, who discussed cybersecurity in pharma in a Pharm Exec podcast (https://bit.ly/2YMMXXm) earlier this year, says that ransomware has become a billion-dollar industry. “Companies’ data is being encrypted and there follows an extortion, where the data is held hostage. And companies are being forced to pay ransoms because they can’t unencrypt their data, due to inadequate backups, or they don’t want the data to get out to the public as it is sensitive. In the news, we’ve seen companies paying these million-dollar ransoms, and this only emboldens the criminal organizations.”

The increasing array of endpoints that comes with remote work opens doors to potential security breaches in any sector, but for pharma, “IP, electronic protected health information (ePHI), and other sensitive operational data is routinely accessed and transferred—meaning it is both potentially exposed and highly valuable to cybercriminals,” Ament tells Pharm Exec. It is vital to focus on these endpoints, says Nawrocki, because in a remote work environment, especially, “an attack might begin on that endpoint, on that laptop.” He explains, “We have found that about 85% of the time, an initial attack comes into an organization through a phishing email.” Not being in the same building as their CISO, home workers cannot drop by the CISO’s office and say, “This is suspicious.” Employees can reach out remotely to security personnel, “but phishing emails are becoming more and more sophisticated,” says Nawrocki. “You can no longer rely on catching a misspelling or identifying poor grammar. They’re well-crafted emails; they might even have your company logo on them.” Some phishing emails come in the form of a file-share request or may look like they are from Microsoft Office. When employees click on a link, often a pop-up box then requests their username and password. “Once that happens, if the employee enters their credentials, then the attackers have those credentials for that employee,” warns Nawrocki.

Pharma’s growing model of customer-centricity also exacerbates the threat of cyberattack. Pharma companies now “routinely engage with customers in a highly targeted way” and “increasingly participate in the data exchanged through patient and healthcare provider portals,” says Ament. These activities run the risk of exploitation by cybercriminals, who manipulate social networks for profit or spread dangerous misinformation about medicines. “Additionally, because Internet of Things (IoT) and Industrial Internet of Things (IioT) device integration via operational technology (OT)/IT convergence, this attack surface has also greatly expanded,” explains Ament.

Strengthening cybersecurity

Securing web properties and social media interactions is paramount for pharma, as the loss of data from potential customers in the early stages of the buying cycle, or sensitive personal data and medical records, could be devastating to a company’s reputation, says Ament. In the face of a wide variety of evolving cyberthreats, rather than try to solve each issue separately, “a better plan is to take a comprehensive architectural approach to cybersecurity across the endpoint, cloud, network, etc. This type of approach provides the automation, visibility, and fast response to threats that easily demonstrate compliance and defeat attackers.”

Ament explains: “Establishing a holistic cybersecurity strategy with tools that help streamline this complex ecosystem into a single view is key to securing these complex and often siloed environments. The security architecture must extend protection from research, prototyping, and approval to manufacturing, distribution, and the patients being treated.” He continues, “It must also encompass the entire cyber-physical environment of a pharmaceutical manufacturer’s data, data centers, carriers, users, critical infrastructure, and ecosystem, partners, distributed offices, and remote workers. This brings visibility and accessibility of data across systems to increase speed of response, while reducing the burden of alerts on IT/security staff and enabling effective reporting to the C-suite when needed.”

Nawrocki also points to the need for security awareness among a company’s employees. This could involve training security personnel to make sure they stay ahead of the threats, but also raising awareness among non-technical personnel, educating them to identify those phishing emails. “I’m a big fan of phishing testing to find out where the gaps are in an organization,” says Nawrocki. “Who are the employees clicking on these links? They might need additional education to help them recognize what is suspicious and what should be reported.”

Evolving protection

As cybercriminals’ methods have evolved, however, so have the tools to combat them. Helping to maintain integrity across remote-based working environments during the pandemic, Multi-Factor Authentication (MFA) and good password hygiene, paired with actionable threat intelligence, have been vital for security, says Ament. Using a VPN offers encryption of data in transit, and features such as Data Loss Prevention (DLP) are “essential for teleworking executives with frequent access to important and sensitive customer and operational data.” It remains critical for pharma companies, Ament adds, to provide secure wireless connectivity and access at remote work locations with full integration and configuration management.

Endpoint detection has become an essential tool, adds Nawrocki. “In the last 18 months, many vendors have been providing endpoint detection and response (EDR) tools. And they’re now moving to what’s called XDR—extended detection and response—which not only focuses on the device itself but also looks at things like cloud email, tying in multiple layers of security and analysis to be able to detect and quarantine attacks early.” He adds, “I’ve seen these EDR tools in action, and I hope that organizations are taking advantage of them.”

Nawrocki also welcomes the outreach from government to the private sector to share intelligence on the indicators of compromise from attacks, the reporting of ransomware incidents, and other cybersecurity-related matters. “Of course, the government is not going to come in and remediate your systems, but they can share with you what they’ve learned from these attacks,” says Nawrocki. Information security is no longer something a company can do alone, he adds. “You must have cooperative partnerships, not only with government, but within the sector, too. When a company is being attacked, it won’t just be one company, it’s multiple companies seeing similar type of activity. Sharing that information with other companies is very important.”

The new normal

With workers beginning to return to their offices and the protection of a more secure and vigilant IT environment, can the issues around cybersecurity return to something like normal? “There is no normal to go back to,” Ament says, unequivocally. “Remote work is not going away. Pharma as an industry is evolving and so must IT and cybersecurity with it.” Nawrocki is reassured that, over the past 18 months, companies have been forced to evolve into the remote environment and then to pivot to a hybrid environment as workers returned to the office. But organizations have to be prepared to switch back to remote work, he adds, “because we don’t really know what is going to happen, right?”

Reference

1. Global Threat Landscape Report, Fortinet, February 2021.

Julian Upton is Pharm Exec’s European and Online Editor. He can be reached at jupton@mjhlifesciences.com.