Examining the Pharmaceutical Industry’s Top Cybersecurity Threats

Industry Perspectives

As pharmaceutical companies continue to embrace digital transformation, their highly sensitive, valuable information becomes even more at risk for cyberattacks. Today’s threat actors are better resourced and more capable of achieving their nefarious goals than ever before. In addition to hackers seeking financial gain, members of the pharmaceutical industry also contend with the full capabilities of nation-states or other pharmaceutical companies with state sponsorship. 

This threat became especially salient throughout 2020. In the U.S., several government agencies joined forces early on to safeguard pharmaceutical companies that were developing a vaccine or working on manufacturing and distribution. That’s because it’s understood that the consequences of a successful data breach are serious and may include contaminated drugs, stolen intellectual property (IP), the need to repeat clinical trials, damaged reputation, downtime, litigation, and lost revenue.

To successfully defeat attacks aimed at the pharmaceutical industry, it’s important to understand some of the top threats they are facing. 

3 Pharmaceutical Cyber Threats to Study

The threat level for the pharmaceutical industry has never been higher. But to prepare for the future, it’s essential for pharmaceutical companies to look to the past. Here are a few cyber threats that have disrupted this industry in the past ten years:

• Dragonfly (or Energetic Bear) – In 2014, threat actors targeted intermediaries for multiple pharmaceutical companies through SCADA and ICS systems. This attack perfectly illustrated the importance of security across the entire supply chain.

• NotPetya – In 2017, Merck and Co. experienced a ransomware attack that caused over $1 billion in damages by locking down 30,000 devices and 7,500 servers as they researched an HPV vaccine. 

• Winnti – In 2019, two pharmaceutical companies, Roche and Bayer, were subject to a cyberattack that included malware from a family known as “Winnti.” Luckily, both companies reported that the threat was discovered and handled before any sensitive data was leaked.

7 Cybersecurity Challenges for the Pharmaceutical Industry

Traditionally, compliance requirements like HIPAA drove cybersecurity strategies in the pharma industry. However, pharmaceutical leaders are beginning to realize that approach is no longer sufficient enough. In addition, pharmaceutical data breaches continue, therefore the need to take action is clear. There are a number of challenges facing the pharmaceutical industry. 

1. A growing threat landscape

Thanks to the Internet of Things (IoT) and Industrial Internet of Things (IIoT) device integration via OT/IT convergence, the attack surface has greatly expanded. A number of other digital innovations are also contributing to the large number of attack targets within pharma networks. These include cloud migrations, connected medicine and telehealth, the proliferation of endpoints, and the massive surge in remote work.

2. An increasingly complex network

For years, organizations have “bolted on” security point products needed to meet specific security or compliance requirements. Consequently, a majority of pharma companies are faced with maintaining very complex security systems. There are a number of high-level problems with this beyond the security gaps inherent with this approach. 

• The IT team has to be trained on all the different management and reporting systems 

• Because end-to-end visibility is lacking, security events are not detected or understood

• Due to lack of communication between products, threat response cannot be automated and is not fast or effective 

• Security teams need more integrated solutions that are woven into the network infrastructure allowing the organization to be agile with organizational growth and digital transformation.

• It is prohibitively resource-intensive to demonstrate compliance

• Companies waste IT resources on the time-consuming task of separately managing all the security controls

3. Distributed networks and acquisitions 

The growth-by-acquisition strategy can create security challenges because sometimes the acquisition targets do not possess adequate or easily integrated security infrastructures. Such acquisitions need to consider cybersecurity best practices as part of connecting to an already complex digital web. 

Intellectual property, electronic protected health information (ePHI), and other sensitive operational data is routinely accessed and transferred. Owing to their disconnected systems, pharma enterprises struggle with challenges of visibility, data control, access auditing, and compliance reporting throughout their networks. 

4. The cyber skills gap

As of 2021, the global shortage of cybersecurity professionals exceeds 2.72 million. While pharma companies can be strategic about attracting and retaining top cybersecurity talent, people with these skills will be scarce for the foreseeable future, making it difficult—and expensive—to fill new positions. 

5. Threats from within

Pharmaceutical companies face risks from insider threats. Damage from insider sources can be hard to detect because these threats encompass a wide range of behaviors and motives. It could be a disgruntled employee attempting to disrupt operations, a staff member looking to earn extra cash by selling customer data, or a well-intentioned co-worker who merely sidesteps a company policy to save time. 

6. Compliance requirements

As regulatory requirements evolve and become more complex, the difficulty of manually achieving network-wide visibility and enforcing the required security controls only increases. In addition, demonstrating compliance can be time-consuming, especially when networks are composed of disparate point products that don’t share reporting capabilities. 

Traditionally, pharmaceutical companies have focused their security efforts on meeting compliance requirements. But the reality is that most organizations struggle to demonstrate comprehensive compliance – and data integrity is an important new requirement to address as digitalization takes hold.

7. IT/OT convergence and aging OT environments

Legacy software and hardware are typical in pharmaceutical manufacturing. Almost always, these operational technology (OT) devices and systems were not created with security in mind and were dependent on an air gap for separation. 

As digital innovation and business intelligence gains compel OT networks to converge with IT networks, OT networks are suddenly exposed to the entire threat landscape. These technological advances offer cybercriminals the opportunity to exploit inherited vulnerabilities. 

The Pharmaceutical Industry Needs an Architectural Revival

There are multiple and ever-evolving cyber threats facing pharmaceutical companies, including compliance needs, nation-state-sponsored attackers, and increasing network complexity. Rather than try to solve each issue separately, a better plan is to take a comprehensive architectural approach to network security. Such an approach provides the automation, visibility, and fast response to threats that easily demonstrate compliance and defeat attackers.

Learn more about enabling the latest advances to safeguard pharmaceutical companies while protecting against cyberattacks with Fortinet healthcare cybersecurity solutions.