The State of cybersecurity in the pharmaceutical industry

• Losing control over sensitive data can have catastrophic consequences and in turn, impact patients’ and consumers’ trust.
• A cybersecurity breach on such organizations can wreak havoc, resulting in the compromise of proprietary digital assets & private information.

Pharmaceutical companies face a special level of responsibility when it comes to data protection. These companies collect a wide range of data including proprietary information about patented drugs, data related to pharmaceutical advances and technologies and personal information belonging to patients.

Losing control over sensitive data can have catastrophic consequences and in turn, impact patients’ and consumers’ trust. A cybersecurity breach on such organizations can wreak havoc, resulting in the compromise of proprietary digital assets & private information. These types of attacks can also potentially damage the critical systems that the organization heavily relies on.

Reckoning some major attacks

One of the most significant cybersecurity attacks on a pharmaceutical company in recent history struck Merck &Co. Merck was hit massively during the NotPetya attack that occurred in 2017. The attack had disrupted its worldwide operations, forcing the company to halt the production of new drugs, and significantly impacting the company’s revenue for the year. Following the attack, Merck had reportedly lost over $300 million in Q3 of 2017 alone.

Two major pharmaceutical firms - Roche and Bayer - confirmed earlier this year that they were impacted by the Winnti cyber attack, believed to be tied to the Chinese government. Fortunately, both companies reported no loss of sensitive data.

A biopharma company disclosed that a cyberattack in March 2019 harvested data from around 1% of its clients. The attack was carried out by a highly sophisticated, well-resourced intruder.

How threat actors can benefit?

Pharmaceutical companies are a treasure trove of valuable data. Cybercriminals can harvest this data to sell it on the dark web or to rival companies.

According to Proofpoint’s Q3 2018 Threat Report, pharma was the number one industry targeted in email fraud attacks. As such attacks begin with penetration on the IT networks through an email phishing campaign, they could ultimately migrate to the OT network via systems accessible to both environments. If these environments are left unchecked, malware can cause unpredictable and dangerous disruption to pharmaceutical production processes.

Engaging against attacks

• Cybersecurity is everyone’s job. Every single employee, from the CEO to the intern in an organization, plays an important role. In addition to the C-suite working with the cybersecurity experts to craft and implement company-wide best practices, employees should also need to understand what that can do to protect their company’s digital assets.
• The employees should also be well-trained on how to avoid falling for phishing scams. The company, on its part, should have good email security gateways to ward off spoofed emails.
• A comprehensive, robust and flexible cybersecurity approach is also required apart from updating anti-virus software and making sure all updated security patches are downloaded.