Biopharma Confronts a Rising Tide of Ransomware Attacks

Pictured: Photograph of a server room/iStock, Jiawei Chang

When the Japanese pharmaceutical company Eisai announced last week that a ransomware attack had hit it, it joined a crowded club.

Sun Pharmaceuticals saw some of its file systems compromised in an attack in March. Novartis fell victim to such an attack last year. AstraZeneca was targeted by hackers in 2020, Reuters reported. And, in perhaps the most notorious such episode, malware infected computers at Merck in 2017, costing the company hundreds of millions of dollars and disrupting the production of its HPV vaccine.

Breaches at biopharma companies increased during the COVID-19 pandemic as the race to develop vaccines raised the sector’s profile, according to Constella Intelligence. A report from the company released in 2022 found that for the top 20 pharma companies, the total number of data breaches rose from 1,930 in 2018 to 3,619 in 2020. And the pace of attacks continues to rise, with NCC Group reporting in its April Cyber Threat Intelligence Report that the overall numbers of successful ransomware attacks in the first four months of 2023 are trending far higher than last year.

Such attacks can be disruptive—and costly. According to Constella’s 2022 report, the average data breach cost in this sector is $5 million.

In the pharmaceutical industry, “any exploitation can jeopardize the quality and safety of drugs, disrupt distribution channels, and pose potential harm to patients,” Sue Bergamo, an advisory chief information security officer at the risk-management firm Panorays, told BioSpace via email.

“Malware is any software used to gain unauthorized access to IT systems to steal data, disrupt system services or damage IT networks in any way,” according to the U.S. Cybersecurity and Infrastructure Security Agency. While ransomware is malware that can prevent a target’s access to certain of its data or systems until a ransom is paid.

In a 2021 post on the website of professional services firm KPMG, associate partner Caroline Rivett wrote that the life sciences industry’s “massive revenues and endless volumes of sensitive data” make it “an ideal target” for ransomware attacks.

Sharon Polsky, president of the Privacy and Access Counsel of Canada, told BioSpace via email that larger firms are more popular targets than small ones, “It’s the bigger companies have the most to lose if their services are interrupted, and the money to pay ransoms.”

In her post, Rivett said that the organized crime groups that carry out such attacks have moved toward “double extortion,” meaning that they demand ransoms both to de-encrypt critical files or systems their targets need to do business and to refrain from posting companies’ sensitive data on the dark web for anyone to download.

Oren Koren, CPO and cofounder of cybersecurity firm Veriti, echoed this point in an interview with BioSpace. “In most cases, if you will pay, you will just need to pay again.”

As cyber criminals continuously evolve to circumvent security measures, “It is crucial for companies to recognize that no security program can guarantee long-term safety without ongoing evaluation and adaptation,” Bergamo told BioSpace.

She recommended measures such as regularly monitoring logs and systems activity for suspicious activity, encrypting and securely storing sensitive data, using multi-factor authentication to control access to sensitive data or systems and installing reliable software to protect against malware actively.

Koren said an issue he sees is that even when companies have invested in the protective software they need, they often avoid fully enabling it for fear of disrupting their operations. Security software can cause issues with specialized computers such as those used to control manufacturing processes or complex medical imaging equipment, he explained. His firm specializes in helping companies secure their systems while avoiding such disruptions.

Polsky argued that companies and other targets could ward off attacks by better training all employees to spot attempts to access an entity’s systems. In one such attempt on AstraZeneca, Reuters reported that “hackers posed as recruiters on networking site LinkedIn and WhatsApp to approach AstraZeneca staff with fake job offers. . . . They then sent documents purporting to be job descriptions laced with malicious code designed to gain access to a victim’s computer.”

Vikram Venkateswaran, a partner in risk advisory at Deloitte India, told BioSpace via email that “remote working has also inadvertently created multiple areas that can be exploited by these agents.”

While companies typically require employees to complete training on cybersecurity best practices, in Polsky’s view, such training is typically no more than a box-ticking exercise.

Koren said that an additional layer of security is using security systems that screen emails and attached files for dangerous links or even recreate email attachments as clean, link-free versions of the original file. At a high level, companies should identify the most critical component of their business operations and focus on eliminating vulnerability around it.

“You cannot protect from everywhere, everything,” he said. “You just need to define what are your crown jewels.”

Shawna Williams is a freelance science writer and editor based in Washington State. Reach her at shawna.williams@gmail.com.