Cyber-attacks – for money, fame and politics
According to Yuval Ben-Itzhak, chief technology officer at AVG Technologies in the Czech Republic, cybercrime has become "a booming global business." Furthermore, the UK’s Office of Cyber Security and Information Assurance (OCISA) warns that there is a ‘pandemic’ of cybercrime.
As pharmaceutical companies rely more on technology to conduct business, the industry has become particularly vulnerable to cybercrime. According to Frank Coggrave, General Manager EMEA at digital forensics company Guidance Software in the UK: "Counterfeit pharmaceuticals are a growing and profitable business for fraudsters."
"Pharmaceuticals are increasingly available on the internet to purchase; even banned products and those only prescribed by a fully qualified medical physician can now be obtained and sold on," says Coggrave.
"Physician’s information is of particular value as it can be used to write fake prescriptions to facilitate undercover operations involving the purchase and resale of prescription drugs."
Coggrave believes: "Cyber-attacks fall into three camps. Those in it for the money – who might sell the data to competitors or blackmail the company for its return; those in it for the fame – who might focus on taking down the networks or causing disruption; and those in it for the politics -‘hacktivists’ wanting to collect data to pillory the pharma industry as a whole."
Costs of cybercrime: the death of a company
Implications of cybercrime within the pharmaceutical and healthcare industry go beyond the obvious financial damage. A report by OCISIA, in collaboration with the UK information intelligence experts BAE Systems Detica, indicates that cybercrime is costing the UK economy as much as £27bn annually.
The hardest hit companies include those in the pharmaceutical and biotech industry. According to the report, £9.2bn has been lost through intellectual property (IP) theft, £7.6bn to industrial espionage and £2.2bn from extortion. Coggrave warns that: "Lost money is lost profit. Lost profit is lost future development. Lost future development is the death of a company."
Cybercrime also poses legal consequences through customer and client lawsuits, loss of productivity due to crimeware infections and subsequent downtime, as well as personal accountability for company executives held directly responsible for data breaches. This can lead to brand damage, since once a pharmaceutical organisation is exposed in the media for breaching data, it can be difficult to recover public trust.
Coggrave explains: "The reputational damage, though more difficult to quantify, is no less painful." Indeed, Martin Sutherland, managing director of Detica, agrees that: "We must mobilise joint government and industry forces to build a coherent picture of the threat and create a consistent mechanism that will allow businesses to report cybercrime without the risk of reputational damage."
Intellectual property theft – targeting sensitive data
The pharmaceutical industry is rich in IP and there is a particular need to protect drug recipes and research. Costs for IP theft within the UK pharmaceutical, biotech and healthcare sectors were reported in the OCISA report to cost £1.8bn annually, primarily due to the large volume of data generated by this industry. Cybercriminals can also use sensitive data obtained from the pharmaceutical industry to threaten or blackmail organisations and individuals.
In America, cybercriminals stole 8.3 million patient records from the Virginia Prescription Monitoring Program and demanded a $10m (approximately £6m) ransom.
It is only through tackling cybercrime that the pharmaceutical sector can address such huge financial, industry and individual costs.
Taking costly action against cybercrime, however, is becoming particularly difficult for pharmaceutical companies as they are increasingly looking to reduce costs and access a larger patient pool. Furthermore, the scope of cybercrime is changing constantly, preventing the industry from fully understanding the threats they face.
Coggrave provides some advice on how pharmaceutical companies can combat cybercrime and, in particular, how they can prevent IP theft. "The first step is knowing where your data is. Often companies secure their structured data sources – databases etc, but the challenge is that data is often scattered across unstructured sources ‘in the wild’ of an organisation.
"Having processes and procedures that are programmatically enforced to identify, report and remediate that data is one significant step to prevention."
Being prepared – locking the door before the horse has bolted
The advent of cybercrime within the pharmaceutical and healthcare industry is in its infancy and many organisations remain in denial of the true threat of cybercrime. According to Detica’s 2012 Cyber Security Monitor, ‘Business and The Cyber Threat: Curiously Confident?’, many businesses are still resistant to admitting their vulnerability to cybercrime; 89% were confident that they were adequately equipped to prevent targeted attacks.
Henry Harrison, technical director at Detica, says: "2011 has clearly led businesses to re-evaluate the level of cyber threat and impact, but it seems they are slower to recognise their true level of vulnerability."
He warns that: "We’d urge businesses to remain cautious and to evaluate their defences, rather than waiting until they are attacked before acting. We’ve seen a growing number of businesses lock the door after the horse has bolted."
Increases in data sharing, via electronic health records, personal health records, insurance portals and prescription sites, provide a wealth of opportunity for cybercriminals. The data shared via these means is more valuable to criminals than financial information; it comprises personal and sensitive information, as well as drug recipes and research data.
Beating cybercriminals: educating organisations
Challenges faced by the pharmaceutical and healthcare industry include the range of security risks posed by cybercrime and the necessity to educate within an industry where cybercrime has not traditionally been a problem.
In an effort towards such education, Detica have developed five steps for cybercrime risk appraisal: 1) establish potential attackers and threats; 2) assess the likely target of attacks (i.e. IP, customer databases, etc.); 3) determine the purpose of the attack; 4) assess the impact of an attack on the organisation; and finally, 5) identify which assets are high impact and require prioritising in terms of protection.