Embracing new technologies affords pharmaceutical companies opportunities to innovate, lower operational costs and derive vital business insights. More importantly, these technologies power vital processes to discover and develop new medicines, enabling us to live healthier lives. The recent wave of high-profile cyber-attacks has provided clear and irrefutable evidence that no industry is immune to cyber-risk – and the $1.1 trillion pharmaceutical industry is no exception. Cybercrime affects pharmaceutical companies in four primary ways:
A booming darknet market for counterfeit medicines
The internet is unquestionably one of the greatest human inventions. It enabled fast, open, and frictionless communications - precipitating economic growth, unlocking new markets and spurring human development. But the same features have been turned into vices, as they are facilitating online criminal activities.
The emergence of the dark web – part of the internet only accessible through encrypted protocols that render users practically anonymous - has propelled the development of a large, complex and expanding market for counterfeit medicines. The World Health Organization estimates 10 percent of medicines worldwide – and up to 50 percent of the drugs consumed in developing nations – are counterfeit. These include slimming pills, pain killers, anti-allergy drugs, antibiotics, steroids, doping substances, HIV/AIDS drugs, cancer medication, antidepressants, anti-malaria drugs and many more.
Criminal syndicates prefer selling counterfeit or illegal pharmaceuticals to unsuspecting victims as via the dark web as it enables them to anonymise their activities and maintain low profiles, thereby evade prosecution.
A thriving underground market for fake pharmaceuticals has three significant implications:
- Diverts financial resources from their highest-value use – funding legitimate research and development to discover new cures - to harmful and criminal activities.
- Interpol asserts that, “patients across the world put their health, even life, at risk by unknowingly consuming fake drugs or genuine drugs that have been doctored, badly stored or that have expired”.
- Undermines consumer confidence in legitimate medicines, healthcare providers and the global health system.
Pharmaceutical high-value IP a prime cybercrime target
Theft of intellectual property and trade secrets remains one of the biggest cyber related threats. General Keith Alexander, former head of the U.S National Security Agency (N.S.A) and of the U.S. Cyber Command, referred to the loss of American industrial secrets and intellectual property to cyber espionage as the greatest transfer of wealth in history. Pharmaceutical companies are highly sought-after targets for criminal syndicates, hostile competitors, and nation states, lured by troves of high-value intellectual property and drug research and development data.
Corroborating this view, a 2011 UK Government report, The Cost Cyber Crime, identified pharmaceutical, biotechnology, and healthcare companies as the primary victims of cyber related IP theft – losing an estimated ₤1.8b annually, out of a total of ₤9.2b cyber related IP theft.
A 2015 article published by The Economic Times, revealed that cyber criminals target pharmaceutical companies to infiltrate drug discovery programmes, clinical trial programmes, drug registration applications, molecular formulae, patient records, production processes, manufacturing records, quality assurance and compliance data.
IP theft can be particularly harmful to pharmaceutical companies, as the process of discovering new drugs is lengthy and costly. According to the Pharmaceutical Research and Manufacturers of America , from drug discovery through US Food and Drug Administration (FDA) approval, developing a new medicine takes at least 10 years on average and costs an average of $2.6 billion. Once this high-value intellectual property falls into the hands of a competitor, its value is severely degraded. Furthermore, potentially compromised clinical trial information can significantly dent a manufacturers brand or result in lawsuits.
Protecting intellectual property is particularly difficult for pharmaceutical companies, for at least 3 reasons:
- Intellectual property is a major target for some nation-state threat actors. Defending against these formidable adversaries is a mammoth task, given the enormity of their resources.
- Hostile competitors may deploy malicious insiders to act as secret agents behind the enemy lines. Trusted insiders are also difficult to protect against as they may have administrative access to an organisation’s crown jewels. Back in 2011, a USA Georgia former IT employee at Shionogi Inc., a United States subsidiary of a Japanese pharmaceutical company, crippled vital operations for a number of days, leaving company employees unable to ship product, cut checks, or communicate by email. The former employee remotely accessed the network using administrative passwords he had to access as an employee and activated a malicious program he secretly installed on the server several weeks earlier, and deleting 88 servers.
- Pharmaceutical high-value intellectual property is scattered across complex supply chains, including third parties engaged to undertake drug research from multiple jurisdictions. As many cyber security professionals can attest, securing high-value data across disparate suppliers can be a daunting task.
Industrial Control Systems exposed to cyber threats
The pharmaceutical industry heavily relies on Industrial Control Systems (ICS) to automate and monitor critical and complex drug manufacturing processes. Traditionally, ICS systems were not regarded as high-risk, as they ran proprietary protocols and were physically isolated from corporate networks. Thus, many of these decades-old systems were built without modern security capabilities. But integrating these legacy systems with core enterprise networks to enable remote access is exposing them to cyber-attacks.
The unprecedented, self-propagating computer worm called Stuxnet that infected the software of at least 14 industrial sites in Iran and destroyed a fifth of Iran’s nuclear centrifuges by causing them to spin out of control in 2010 brought sharp focus into the cyber threats facing ICS systems.
Applying security updates on these ancient systems is also a major challenge, as system availability and integrity are top priorities. Most organisations just can’t risk potential system outages or restarts normally associated with automated security updates. A cyber attack targeting these systems could cripple production systems, delay the delivery of critical medicines which may result in lawsuits, regulatory undertakings or diminished customer trust.
Medical health records a preferred cybercrime target
Pharmaceutical companies collect volumes of medical and personal information from volunteers and patients to conduct clinical trials for new medicines or medical devices, as well as for marketing purposes. As discussed in my previous article, Healthcare and the menace of cyber-crime, medical information sells for a fortune on the darknet, making it a key target for cyber criminals. Breach of pharmaceutical organisations’ health record systems exposes patients or volunteers to financial fraud, blackmail or other impacts of identity theft. Also, medical data breaches may discourage volunteers in participating in clinical trials, derailing vital drug discovery processes.
The important role technology plays in the pharmaceutical industry cannot be disputed. But embracing digital technologies will always be fraught with cyber risks. Pharmaceutical companies need to reassess their entire value chain, identify key vulnerabilities and fix them before the bad guys do. Here are some considerations:
- Identify their most valuable systems, especially those containing intellectual property, trade secrets of other mission critical research data, and apply stringent security controls around those assets.
- Implement robust cyber security governance over suppliers, including those charged with protecting high value IP and medical records, as well as those that connect to the enterprise network.
- Reassess the effectiveness of key controls around vital Industrial Control Systems. The NIST Guide to Industrial Control Systems (ICS) Security provides detailed guidance.
- Judiciously control privileged access to mission critical systems - especially those that contain IP – to minimise exposure to insider threats.
- Maintain cyber security savvy workforce through highly engaging awareness programs.