Experts encourage better 'cyber hygiene' as pharma breaches skyrocket amid the pandemic
As the Covid-19 pandemic thrusts pharma companies into the public spotlight and accelerates digitization, cybersecurity experts say it also places a huge target on their backs. Now, Constella Intelligence is reporting a dramatic rise in breaches that exposed millions of records from top pharma giants over the last three years.
Analyzing records from 2018 to 2021, Constella — a digital risk protection company — detected 9,830 breaches and leakages at the top 20 pharma companies on the Fortune Global 500 list, which includes J&J, Merck, Pfizer and others. Those breaches resulted in over 4.5 million exposed records, about two-thirds of which included personally identifiable information. Most of the exposures (76%) have occurred since 2020.
“Pharma’s role in developing life-saving medicines and vaccines makes them high-value targets for threat actors because their work tends to include intellectual property and proprietary information,” Constella wrote in the report.
The news comes on the heels of a Department of Homeland Security bulletin warning of potential Russian cyberattacks as tensions rise over conflict with Ukraine, according to a report by ABC News. Britain’s National Cyber Security Centre also issued a statement encouraging UK businesses to bolster their cybersecurity.
If Eric Perakslis, chief science and digital officer at the Duke Clinical Research Institute, were to give pharma companies a score on their so-called cyber hygiene, he’d give them a six out of 10.
“I would say that based against the level of threat that’s constantly improving,” he said. “So the same level of cyber hygiene five years ago might have been an eight or nine.”
Perakslis — who once served as the FDA’s CIO and held senior IT positions at J&J and Takeda — noted that it’s hard to quantify the severity of cybersecurity threats.
“Often the data is duplicated, meaning that, you know, 4.5 million people might be 1.5 million people where their data showed up in three places,” he added.
But the threat is real, he emphasized. And while companies are taking measures to increase their resilience against cyber threats, they’ve also increased their “attack surface,” the set of points at which an attacker might find an opening. Every time a user creates an account or uses a password, they’re adding to that attack surface, he said. Working from home or using public WiFi expands it substantially.
“Say you’re a pharma employee at a manufacturing plant. Right? Well, something could jump from your kid’s laptop at their school, to your home network, your laptop to that factory,” Perakslis said. “There are lots of stories where this happens. Literally, people have been targeted by someone going to their kid’s school.”
In a sample of 78 executives from Fortune’s top 20 pharmas, Constella found that 58% of them had been exposed to a data breach since 2018. And of those execs, nearly one-third had been exposed in breaches that included passwords.
The firm also found that credentials were frequently exposed via non-essential domains, meaning employees had registered on retail, gaming and other entertainment sites with their corporate accounts. Worse, 65% of the exposed passwords were stored in plaintext or protected only by a weak hashing algorithm, leaving them easy to recover from the leaked data.
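To make that finding concrete, here is an added example (not code from Constella’s report or from the article) of the kind of check a pharma security team could run over a leaked-credential feed: it keeps only records tied to the corporate mail domain, notes which third-party site each record came from, and classifies how the password was stored so the plaintext and fast-unsalted-hash cases can be counted. The feed lines, the `examplepharma.com` domain and the site names are all constructed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical corporate mail domain standing in for a pharma company's own.
CORP_DOMAINS = {"examplepharma.com"}

# Password-storage formats, checked in order. Fixed-length hex strings are taken
# to be unsalted MD5 / SHA-1 / SHA-256 digests; modular-crypt prefixes identify
# bcrypt, scrypt and Argon2. Anything matching none of these is treated as plaintext.
HASH_PATTERNS = [
    ("argon2", re.compile(r"^\$argon2(id|i|d)\$")),
    ("scrypt", re.compile(r"^\$(7|scrypt)\$")),
    ("bcrypt", re.compile(r"^\$2[abxy]?\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("sha256-hex", re.compile(r"^[0-9a-fA-F]{64}$")),
    ("sha1-hex", re.compile(r"^[0-9a-fA-F]{40}$")),
    ("md5-hex", re.compile(r"^[0-9a-fA-F]{32}$")),
]
# Plaintext and fast unsalted digests are trivially recoverable by offline cracking.
WEAK_FORMATS = {"plaintext", "md5-hex", "sha1-hex", "sha256-hex"}

# Constructed sample feed: third-party site, account e-mail, password field as leaked.
# Not real leak data; the digests are just 32- and 40-character hex strings.
SAMPLE_FEED = """\
# source_site,account_email,password_field
gamerforum.example,j.doe@examplepharma.com,Summer2021!
shopdeals.example,j.doe@examplepharma.com,5f4dcc3b5aa765d61d8327deb882cf99
streamhub.example,a.smith@examplepharma.com,$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW
shopdeals.example,someone@personalmail.example,hunter2
gamerforum.example,b.lee@examplepharma.com,5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
"""


@dataclass
class Exposure:
    source: str   # third-party site the record was leaked from
    email: str
    secret: str   # password field exactly as it appeared in the dump
    storage: str  # classified storage format
    weak: bool    # True if the password is recoverable with little effort


def classify_secret(secret: str) -> str:
    """Return the storage format name for a leaked password field."""
    for name, pattern in HASH_PATTERNS:
        if pattern.match(secret):
            return name
    return "plaintext"


def parse_feed(lines, corp_domains=CORP_DOMAINS):
    """Keep only records whose e-mail belongs to a corporate domain and classify them."""
    exposures = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # maxsplit=2 so a plaintext password containing commas stays intact.
        source, email, secret = line.split(",", 2)
        domain = email.rsplit("@", 1)[-1].lower()
        if domain not in corp_domains:
            continue  # personal accounts are out of scope for this check
        storage = classify_secret(secret)
        exposures.append(Exposure(source, email.lower(), secret, storage, storage in WEAK_FORMATS))
    return exposures


def summarize(exposures):
    """Aggregate counts by storage format and by the site that leaked them."""
    weak = sum(1 for e in exposures if e.weak)
    return {
        "total": len(exposures),
        "weak": weak,
        "weak_pct": round(100 * weak / len(exposures)) if exposures else 0,
        "by_format": dict(Counter(e.storage for e in exposures)),
        "by_source": dict(Counter(e.source for e in exposures)),
    }


if __name__ == "__main__":
    found = parse_feed(SAMPLE_FEED.splitlines())
    for e in found:
        print(f"{e.email:30} {e.source:22} {e.storage:12} {'WEAK' if e.weak else 'ok'}")
    print(summarize(found))
```

On the constructed feed, four corporate records survive the domain filter, three of them (the plaintext password and the two unsalted digests) are flagged weak, and the per-site counts show which consumer sites employees registered with their work addresses, which is the list to hand to the awareness team and to whoever forces resets on the affected accounts.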
The fix? Train employees on the proper use of corporate email addresses and personal data online, and how to maintain strong passwords, Constella says. But according to Perakslis, today’s run-of-the-mill training just doesn’t cut it.
“You’re getting hammered with trainings all day long. You just do them. You just do them and move on. And a lot of times people don’t get to a really kind of deeper understanding of why they’re taking some of these trainings and what the things that could go wrong are,” he said.
The potential cost of a cyberattack should be incentive enough. According to Constella, the average cost per breach in the pharma sector is $5 million. Bigger attacks, however, cause far more damage. In 2017, the NotPetya ransomware wiped out years of research at Merck and crippled Gardasil 9 production facilities, forcing the company to draw on the US national stockpile. And though Merck wasn’t even the intended target (the malware was aimed at organizations in Ukraine), the pharma giant still suffered more than $1.4 billion in losses as a result.
In a worst-case scenario, BioBright CEO Charles Fracchia told Endpoints News a couple of weeks ago that a targeted attack could crumble “virtually all biomanufacturing infrastructure in the US” overnight.
“First and foremost, decide what has to be protected and make sure you protect it,” Perakslis said. “When I was in pharma, we probably had fire drills twice a year. I don’t know if we ever had a hack drill … How many of these places have actually had fires? Almost none. How many people in these places have been hacked? Yeah, most of them.”