Experts encourage better 'cyber hygiene' as pharma breaches skyrocket amid the pandemic

As the Covid-19 pandemic thrusts pharma companies into the public spotlight and accelerates digitization, cybersecurity experts say it also places a huge target on their backs. Now, Constella Intelligence is reporting a dramatic rise in breaches that exposed millions of records from top pharma giants over the last three years.

Analyzing records from 2018 to 2021, Constella — a digital risk protection company — detected 9,830 breaches and leakages at the top 20 pharma companies on the Fortune Global 500 list, which includes J&J, Merck, Pfizer and others. Those breaches resulted in over 4.5 million exposed records, about two-thirds of which included personally identifiable information. Most of the exposures (76%) have occurred since 2020.

“Pharma’s role in developing life-saving medicines and vaccines makes them high-value targets for threat actors because their work tends to include intellectual property and proprietary information,” Constella wrote in the report.

The news comes on the heels of a Department of Homeland Security bulletin warning of potential Russian cyberattacks as tensions rise over conflict with Ukraine, according to a report by ABC News. Britain’s National Cyber Security Centre also issued a statement encouraging UK businesses to bolster their cybersecurity.

If Eric Perakslis, chief science and digital officer at the Duke Clinical Research Institute, were to give pharma companies a score on their so-called cyber hygiene, he’d give them a six out of 10.

“I would say that based against the level of threat that’s constantly improving,” he said. “So the same level of cyber hygiene five years ago might have been an eight or nine.”

Perakslis — who once served as the FDA’s CIO and held senior IT positions at J&J and Takeda — noted that it’s hard to quantify the severity of cybersecurity threats.

“Often the data is duplicated, meaning that, you know, 4.5 million people might be 1.5 million people where their data showed up in three places,” he added.

But the threat is real, he emphasized. And while companies are taking measures to increase their resilience against cyber threats, they’ve also increased their “attack surface,” or the different points at which a hacker might see an opening. Every time a user creates an account or uses a password, they’re contributing to their attack surface, he said. Working from home or using public WiFi increases that surface substantially.

“Say you’re a pharma employee at a manufacturing plant. Right? Well, something could jump from your kid’s laptop at their school, to your home network, your laptop to that factory,” Perakslis said. “There are lots of stories where this happens. Literally, people have been targeted by someone going to their kid’s school.”

In a sample of 78 executives from Fortune’s top 20 pharmas, Constella found that 58% of them had been exposed to a data breach since 2018. And of those execs, nearly one-third had been exposed in breaches that included passwords.

The firm also found that credentials were frequently exposed via non-essential domains — meaning employees were using their corporate accounts to register on retail, gaming, and other entertainment sites. Not only that, but 65% of passwords exposed were in plaintext, or used a weak algorithm.

The fix? Train employees on the proper use of corporate email addresses and personal data online, and how to maintain strong passwords, Constella says. But according to Perakslis, today’s run-of-the-mill training just doesn’t cut it.

“You’re getting hammered with trainings all day long. You just do them. You just do them and move on. And a lot of times people don’t get to a really kind of deeper understanding of why they’re taking some of these trainings and what the things that could go wrong are,” he said.

The potential cost of a cyberattack should be incentive enough. According to Constella, the average cost per breach in the pharma sector is $5 million. Bigger attacks, however, cause much more damage. In 2017, ransomware dubbed NotPetya eliminated years of research at Merck and crippled Gardasil 9 production facilities, forcing the company to dip into the US national stockpile. And though Merck wasn’t even the intended target of the ransomware, the pharma giant still suffered more than $1.4 billion in losses as a result.

BioBright CEO Charles Fracchia told Endpoints News a couple of weeks ago that, in a worst-case scenario, a targeted attack could crumble “virtually all biomanufacturing infrastructure in the US” overnight.

“First and foremost, decide what has to be protected and make sure you protect it,” Perakslis said. “When I was in pharma, we probably had fire drills twice a year. I don’t know if we ever had a hack drill … How many of these places have actually had fires? Almost none. How many people in these places have been hacked? Yeah, most of them.”
