• Skip to main content
  • Skip to secondary menu
  • Skip to primary sidebar
  • Skip to footer
  • Canada
  • United Kingdom
  • Subscribe
  • facebook
  • instagram
  • RSS
  • RSMUS.com

The Real Economy Blog

Search

  • Economics
  • Technology
  • Consumer
  • Industrials
  • Finance
  • Real Estate
  • Health Care
  • Life Sciences
Home > Canada > More promise, more problems: Cyberattacks threaten life sciences companies researching COVID-19 vaccine

More promise, more problems: Cyberattacks threaten life sciences companies researching COVID-19 vaccine

Jul. 22, 2020 by Andrew Weidenhamer, Adam Lohr and Steve Kemler

  • email
  • Twitter
  • Facebook
  • Linkedin

Picture this scenario: Researchers at a biotech company are working tirelessly on a potential coronavirus vaccine and planning to start a phase three clinical trial soon. This work results in more visibility for the company, and an influx of capital investment. But with that greater visibility and investment comes added risk, especially in the form of cybersecurity threats from competitors and nation states looking to steal valuable intellectual property and research.

As the pandemic continues, this scenario is not a hypothetical one for companies conducting this work. While life sciences companies have long been a target for threat actors and have always had to guard against cyberattacks, hackers’ focus on such firms has increased during the global pandemic as biotechs, pharmaceutical companies and other organizations race to develop vaccines and treatments for COVID-19. Making progress in this crucial research and embarking on clinical trials for promising drugs draws positive attention, of course, but it should also make life sciences business leaders reevaluate and address any data and cybersecurity vulnerabilities their companies might have.

The origins of these cybersecurity threats are varied. Hackers with links to a Russian intelligence service were “trying to steal information from researchers working to produce coronavirus vaccines in the United States, Britain and Canada,” The Washington Post reported July 16. A Politico article from just a few days prior said that “Canadian institutions pursuing COVID-19 research have been hacked.” In April, Iran-linked hackers targeted Gilead Sciences staff, according to Reuters. In May, the FBI issued a warning to organizations researching COVID-19 of “likely targeting and network compromise” by China.

Data from the threat intelligence platform Recorded Future shows a dramatic spike in references to cyber-related attacks on biotech and pharmaceutical companies in recent months. While the number of security threats has spiked, the techniques used in these attempts to gain access to biotech companies remain unsophisticated; most start through targeted COVID-19-themed phishing emails. Gilead, for instance, was targeted by an Iran-based advanced threat actor group known as APT35 (i.e. Charming Kitten) using a targeted spear phishing campaign. While the types of phishing emails vary, they typically appear to come from a legitimate group such as the World Health Organization or the U.S. Centers for Disease Control and Prevention.

Once an attacker obtains user credentials, getting access to sensitive network assets or data is often a trivial task, because 1) users tend to reuse credentials across multiple applications and 2) many applications lack multifactor authentication. RSM was able to demonstrate this same phishing technique during a recent penetration test of a large biotech company, resulting in access to a cloud-based laboratory information management system and the company’s intellectual property. Along with phishing, ransomware also remains one of the most popular types of software threat actors use to target companies in the biotech space. 10X Genomics, a California-based biotech company researching COVID-19 treatments, was hit with a ransomware attack back in April, resulting in the compromise of employee information.

Intellectual property theft has far-reaching implications. An IP breach during a merger or acquisition, for instance, might either kill such deals completely or lower deal valuations. Disruption resulting from an IP or clinical trial data breach will almost certainly slow down the clinical trial process.

Unfortunately, organizations in the life sciences space aren’t doing nearly enough to defend against these threats, primarily because IP isn’t heavily regulated and investment in information security controls is not a revenue-generating activity. While there is no silver bullet solution, organizations should establish and implement basic best practice information security governance and testing procedures, and periodically audit these procedures. Further, organizations should consider data protection controls such as encryption and classification. More specifically, RSM recommends that companies consider doing the following:

  • Perform an information security risk assessment to identify and prioritize areas of high risk
  • Conduct security testing such as external and internal penetration testing to supplement and validate results identified through the aforementioned risk assessment
  • Develop a security roadmap that considers best practice security controls based off the results of the prior two phases

The life sciences space has a unique opportunity to drive considerable health and economic benefits during this crisis and well into the future as technology allows for more innovations. However, this is only possible if data used to achieve those results remains in the hands of those professionals using it for its intended purposes and, as such, it must be protected accordingly. To read more about how RSM can help, visit the links below:

Cybersecurity and data privacy for middle market businesses

Harnessing technology and data: Considerations for life sciences companies

  • email
  • Twitter
  • Facebook
  • Linkedin

Related posts

  • Life science graphic
    Better data use has pros and cons for life sciences

    The volume and variety of health care data should expand significantly in 2019. Specifically, we will be monitoring growth in data sources outside those collected from traditional electronic health records, including information gleaned from wearable technology and direct-to-consumer…

  • Coronavirus pandemic highlights importance of life sciences industry

    While the coronavirus pandemic has slowed growth in the life sciences sector this year, it has also highlighted the importance of the biotech and pharmaceutical industries as the whole world battles the COVID-19 disease and its impacts. This…

  • Life sciences industry growth was on a strong trajectory. Then the coronavirus pandemic hit.

    Strong consumer spending, historically low unemployment and an easing of trade tensions with China initially fueled optimism early in the year for a 2020 bull market. But as the coronavirus pandemic has upended the global economy, uncertainty and…

Filed Under: Canada, Coronavirus, Life Sciences, United Kingdom Tagged With: coronavirus, Covid-19, cyberattacks, cybersecurity, life sciences, vaccine

About Andrew Weidenhamer

Andrew Weidenhamer is a director in the RSM LLP technology risk advisory services practice. With close to 15 years of consulting experience within the information security and data governance field, Andrew has a unique combination of technical and business related skills which allow him to perform in multiple roles. The bulk of his security/privacy experience is comprised of leading and conducting technical testing engagements which include internal, external, and web application penetration testing spanning a wide variety of industry sectors. As the national security testing team lead at RSM, Andrew’s responsibilities range anywhere from formal testing methodology and employee development to vendor evaluations and other business development activities.

About Adam Lohr

Adam is an audit partner and life sciences senior analyst in RSM's cutting-edge industry eminence program. In addition to providing assurance services to his clients, he sits on RSM’s national life science team and leads the San Diego office life science practice.

His senior analyst responsibilities include advising the firm’s life sciences care clients and client servers as they work to navigate the rapidly changing industry environment. Adam regularly writes, presents and advises on capital markets, digital transformation, policy and other issues transforming life sciences. He is an instructor at the regional and national level, and is experienced in the application of ASC 606 revenue recognition for the technology and consumer products industries.

Adam has over 12 years of accounting and finance experience, serving private equity-backed and private closely held companies in the middle market. He specializes in providing financial audit services and helping clients respond to technical, regulatory and economic changes that impact their business.

About Steve Kemler

Steve manages the Philadelphia market NetSuite team and provides NetSuite consulting services to a variety of clients in industries including life sciences, technology and wholesale distribution. Steve leads projects that require complex integrations, customizations and complex finance requirements.

As a member of RSM’s life sciences team, Steve consistently supports clients in the industry across the country. He also participates in the PACT MedTech series and is involved in multiple regional life sciences initiatives.

In May 2020, Steve was selected as a senior analyst in RSM’s cutting edge Industry Eminence Program, which positions its senior analysts to understand, forecast and communicate economic, business and technology trends shaping the industries RSM serves.

Primary Sidebar

Other Regions

  • Canada
  • United Kingdom

Categories

  • Economics
  • Technology
  • Consumer Products
  • Industrials
  • Financial Services
  • Real Estate
  • Health Care
  • Life Sciences

Recent Life Science articles

5 things to know in life sciences: Week of Jan. 18

Jan. 21, 2021

5 things to know this week in life sciences: Week of Jan. 11

Jan. 15, 2021

This year may be the busiest ever for health care and life sciences deal volume

Jan. 12, 2021

RSMUS.com links

The Real Economy

Middle Market Business Index

MMBI Special Reports

Footer

  • Facebook
  • Instagram
  • RSS

About The Real Economy Blog

The Real Economy Blog from RSM US LLP was developed to provide timely economic insights about the middle market economy. It is offered as a complement to RSM’s macroeconomic thought leadership, including The Real Economy monthly publication and the proprietary RSM US Middle Market Business Index (MMBI).

© 2021 RSMUS.com | Privacy Policy | Cookie Policy

The Real Economy Blog
  • Economics
  • Technology
  • Consumer
  • Industrials
  • Finance
  • Real Estate
  • Health Care
  • Life Sciences