Earlier this year, Sun Pharmaceutical Industries, one of India’s largest generic drug producers, reported a major cybersecurity breach, impacting its business operations. A ransomware group later claimed responsibility for the incident, which was one of several high-profile cybersecurity breaches in India over the past three years.
Pharma companies around the world have also faced similar threats, some of which have impacted national security and public health. The attackers use various tactics to gain unauthorised access to a computer system, network, or device with the intention of stealing, modifying, or destroying data for strategic or financial gain.
“With regards to cyber threats to the pharma industry, the pandemic was an absolute game changer,” says Charles Fracchia, CEO of Black Mesa Labs and co-founder of BIO-ISAC, an international organisation that addresses threats unique to the bioeconomy. “There was an exponential explosion of these incidents, as criminal syndicates, nation-states, and individual actors capitalised on the stress the industry was under. They tried to make money with ransomware, data theft, or other attacks.”
He adds that from an offensive perspective, cyberattacks can be waged swiftly and at low cost, yet can have a devastating impact on business operations and revenue – and perhaps “only 15-20% of these breaches are made public”.
As per a Healthcare Information and Management Systems Society (HIMSS) 2022 survey, there is a need for greater awareness of the Health Insurance Portability and Accountability Act (HIPAA) and data privacy, along with other measures. HIPAA, enacted in 1996, is a series of US federal regulatory standards outlining the lawful use and disclosure of protected health information.
“While [only] about 12% of healthcare cybersecurity respondents stated their organisations were attacked by ransomware, it is likely that ransomware will make a resurgence,” says Lee Kim, Senior Principal, Cybersecurity and Privacy, HIMSS. “Social engineering attacks will rise, in addition to phishing, smishing and deepfake attacks. There will likely be a great opportunity for data leaks of sensitive and otherwise confidential information with the rise of generative AI platforms such as ChatGPT and others.”
The problem, he explains, is not necessarily the technology, but rather the way in which these platforms are used. Many have clear disclaimers stating that sensitive or confidential information should not be entered into them, but people do so anyway, which may have problematic consequences.
“A major challenge is that cyber literacy needs to improve in the pharmaceutical space,” adds Fracchia. “Right now, it’s compliance by checkbox, in a static way. While it is unreasonable to expect the level of security in the nuclear sector, we should have checks and balances at every step, creating a new level of assurance.”
“Regulators need to work together with industry to certify hot patches to quickly fix vulnerabilities while maintaining pharmaceutical quality,” adds Fracchia.
The regulatory landscape
The US Securities and Exchange Commission (SEC) has published a number of proposed rules regarding cybersecurity, including one on the disclosure of such incidents.
“Pharmaceutical companies that are publicly traded will need to pay attention,” warns Kim. “Pharmacies have also received EU General Data Protection Regulation (GDPR) fines for not being in compliance,” he adds. In 2019, a UK pharmacy was fined for not properly securing personal health information, while more recently GoodRx, the telemedicine platform, was fined for allegedly improperly using health data for advertisements.
Fracchia says he is encouraged by US Food and Drug Administration (FDA) guidelines relating to the cybersecurity of medical devices: “We want to see that kind of regulatory environment extend to critical bioeconomy infrastructure. Cybersecurity is necessary for biosecurity.” He points to the US Department of Defense investments in biomanufacturing and to Section 215 of the National Defense Authorization Act, which requires any future biomanufacturing investments to go hand-in-hand with cybersecurity investments to assess the threats and maintain the integrity of that process.
Kim is hopeful that cybersecurity in the pharma industry will benefit from increased automation. Artificial intelligence will help fill gaps in workforce and capabilities, but employees will still be needed to review its output and provide oversight, he adds.
“When leveraged appropriately, generative AI platforms can sift through thousands of lines of data within mere seconds to pinpoint anomalies and other patterns,” says Kim. “Our defences can be much more agile than they are today. It’s really important for pharma to leverage artificial intelligence to improve the state of cybersecurity within their organisations. AI will change the way we interact with others and do work. It already [has].”
Fracchia is more cautious. “We’re at a fork in the road,” he warns. “The more you dig into incidents, which we do at BIO-ISAC, the more you realise the fragility of the entire ecosystem.”
“There is also a debate as to how genomic information should be protected,” he adds. “Genomic data plays a central role in the future of the field, especially as new cell therapies and more personalised medicine come of age. How we handle these questions from a technological and regulatory perspective is really critical.”
Either the regulators and the pharma industry come together to work on those foundations, Fracchia says, or we are going to see our industry’s ability to perform deeply curtailed.