Picture this scenario: Researchers at a biotech company are working tirelessly on a potential coronavirus vaccine and planning to start a phase three clinical trial soon. This work results in more visibility for the company, and an influx of capital investment. But with that greater visibility and investment comes added risk, especially in the form of cybersecurity threats from competitors and nation states looking to steal valuable intellectual property and research.
As the pandemic continues, this scenario is not a hypothetical one for companies conducting this work. While life sciences companies have long been a target for threat actors and have always had to guard against cyberattacks, hackers’ focus on such firms has increased during the global pandemic as biotechs, pharmaceutical companies and other organizations race to develop vaccines and treatments for COVID-19. Making progress in this crucial research and embarking on clinical trials for promising drugs draws positive attention, of course, but it should also make life sciences business leaders reevaluate and address any data and cybersecurity vulnerabilities their companies might have.
The origins of these cybersecurity threats are varied. Hackers with links to a Russian intelligence service were “trying to steal information from researchers working to produce coronavirus vaccines in the United States, Britain and Canada,” The Washington Post reported July 16. A Politico article from just a few days prior said that “Canadian institutions pursuing COVID-19 research have been hacked.” In April, Iran-linked hackers targeted Gilead Sciences staff, according to Reuters. In May, the FBI issued a warning to organizations researching COVID-19 of “likely targeting and network compromise” by China.
Data from the threat intelligence platform Recorded Future shows a dramatic spike in references to cyber-related attacks on biotech and pharmaceutical companies in recent months. While the number of security threats has spiked, the techniques used in these attempts to gain access to biotech companies remain unsophisticated; most start through targeted COVID-19-themed phishing emails. Gilead, for instance, was targeted by an Iran-based advanced threat actor group known as APT35 (i.e. Charming Kitten) using a targeted spear phishing campaign. While the types of phishing emails vary, they typically appear to come from a legitimate group such as the World Health Organization or the U.S. Centers for Disease Control and Prevention.
Once an attacker obtains user credentials, getting access to sensitive network assets or data is often a trivial task, because 1) users tend to reuse credentials across multiple applications and 2) many applications lack multifactor authentication. RSM was able to demonstrate this same phishing technique during a recent penetration test of a large biotech company, resulting in access to a cloud-based laboratory information management system and the company’s intellectual property. Along with phishing, ransomware also remains one of the most popular types of software threat actors use to target companies in the biotech space. 10X Genomics, a California-based biotech company researching COVID-19 treatments, was hit with a ransomware attack back in April, resulting in the compromise of employee information.
Intellectual property theft has far-reaching implications. An IP breach during a merger or acquisition, for instance, might either kill such deals completely or lower deal valuations. Disruption resulting from an IP or clinical trial data breach will almost certainly slow down the clinical trial process.
Unfortunately, organizations in the life sciences space aren’t doing nearly enough to defend against these threats, primarily because IP isn’t heavily regulated and investment in information security controls is not a revenue-generating activity. While there is no silver bullet solution, organizations should establish and implement basic best practice information security governance and testing procedures, and periodically audit these procedures. Further, organizations should consider data protection controls such as encryption and classification. More specifically, RSM recommends that companies consider doing the following:
- Perform an information security risk assessment to identify and prioritize areas of high risk
- Conduct security testing such as external and internal penetration testing to supplement and validate results identified through the aforementioned risk assessment
- Develop a security roadmap that considers best practice security controls based off the results of the prior two phases
The life sciences space has a unique opportunity to drive considerable health and economic benefits during this crisis and well into the future as technology allows for more innovations. However, this is only possible if data used to achieve those results remains in the hands of those professionals using it for its intended purposes and, as such, it must be protected accordingly. To read more about how RSM can help, visit the links below: