Pharma companies are facing a higher number of incredibly destructive cyber-threats than ever before.
Jeffrey Bernstein is the director of cybersecurity and data privacy for Kaufman Rossin’s risk advisory services. He recently spoke with Pharmaceutical Executive about the various risks pharma companies are facing and the ways they can protect themselves.
Pharmaceutical Executive: What are the main mistakes that healthcare companies make when building their software?
Jeffrey Bernstein: One of the most significant errors is neglecting security-by-design and privacy-by-design principles. These approaches ensure that security and privacy are integral to the software development process. The 2017 Equifax breach is a cautionary example of the consequences of not embedding security into design, where a failure to address a known vulnerability led to the exposure of sensitive data of 147 million individuals. Systems need to be thoroughly tested not only for compliance but for actual security, using penetration tests, red teams and purple teams to test security, and including effective bug-bounty programs to prioritize finding and eliminating or mitigating possible threats and data leaks. It is also critical to perform secure code reviews and to review code modules for functionality updates to any specific application prior to software being put into live production situations. At each step of the design, programmers must also consider whether access to data sets is necessary, and how such access may impact not only patient care, but patient privacy.
Healthcare organizations often fail to map data flows accurately, leaving gaps in understanding how and where sensitive information is stored and transmitted. This oversight can lead to vulnerabilities, flaws, and other deficiencies. You cannot protect data if you do not know where that data is. Moreover, pharmaceutical and healthcare entities rely on dozens if not hundreds of third-party applications, vendors, suppliers, hardware developers, etc., through which sensitive data flows. Robotic medicine and telemedicine, EHRs and increasing reliance on predictive systems which use artificial intelligence (including large data sets) only complicate the problem.
A significant mistake is not thoroughly understanding and controlling third-party access to systems and data. Many recent healthcare breaches have been attributed to phishing attacks on third-party vendors, highlighting the risks of insufficient oversight. You are only as secure as your weakest partner that has access to your data. While healthcare entities may be diligent in requiring third parties to execute business associate agreements (BAAs), they frequently do not police or enforce the terms of the BAAs. Moreover, most entities simply do not know who has access to data or systems, or do not maintain an adequate list of all of their vendors, from insurers, accountants, and regulators to HVAC providers, cleaners, and food services. Anyone who touches the network or data must have adequate security and auditability.
Many pharmaceutical and healthcare organizations fail to require regular security audits for third-party vendors, partners, and consultants. This often introduces vulnerabilities and other exposure points. Many security compromises are the result of a third-party vendor’s compromised access. This underscores the importance of enforcing strict security audits of these sources. Many providers take a set-it-and-forget-it approach to vendor management. True security requires constant vigilance.
While AI and automation can enhance operational efficiency, over-reliance without proper oversight can lead to significant risks. For instance, IBM Watson faced challenges in cancer diagnosis accuracy, demonstrating the potential pitfalls of over-relying on AI in healthcare. The same is true for automated billing systems, robotic surgery, telemedicine, remote access, and embedded software in everything from drug manufacturing equipment to oxygen delivery systems and blood pressure monitoring devices. Modern healthcare often looks and feels less like a patient-care provider than like an IT system that happens to deliver healthcare as a product.
Human error, often due to insufficient training, remains a leading cause of cybersecurity incidents. Most expert sources say that approximately 90% of data security compromises involve human error. Many recent high-profile healthcare breaches involving disruption to operations highlight the importance of comprehensive cybersecurity education for all users. This challenge is exacerbated by several factors: physicians' resistance to change, overreliance on predictive models and insurance models to determine the appropriate procedures, an understandable desire to put patient care above all other priorities (including privacy and security), and a general failure to understand the nature of the risks. When it comes to drugs and healthcare, providers often place a priority on ease of use and access. Unfortunately, ease of use and access often come at the cost of security.
A lack of redundancy and resilience can lead to severe operational disruptions, as seen during many recent high-profile pharmaceutical and healthcare compromises, including several recent compromises which led to prolonged outages and impacted patient services. Recent hacks of this kind included those that targeted blood providers, resulting in supply chain disruption and the activation of emergency protocols at hundreds of hospitals. One of the reasons healthcare providers are so vulnerable to ransomware attacks is the lack of truly resilient systems that back up critical data to offsite and secure locations.
Offshoring critical components introduces additional risks, particularly when offshore vendors do not adhere to the same security standards as the parties that they serve. The 2020 SolarWinds breach, which affected multiple sectors (including pharmaceutical and healthcare), exemplifies the dangers of offshoring without stringent oversight. In fact, in most enterprises, IT directors may not even know the identity of the hundreds of companies upon which the entity relies for day-to-day operations.
A common issue in healthcare is the lack of clear individual accountability for cybersecurity. Many breaches from the pharmaceutical and healthcare sectors where sensitive data was exposed may be credited to the actions of a single employee. This emphasizes the importance of establishing clear accountability. This is particularly a problem where healthcare personnel have competing demands for their time and priorities. Having documented security policies and socializing them among staff can help these organizations better govern security internally.
Pharmaceutical and healthcare organizations often retain large amounts of data for extended periods, increasing the risk of breaches. This may be understandable since information that may be decades old may be relevant to diagnosis or treatment, and information relevant to family history that may be even older may similarly be relevant. As a result, healthcare providers tend to retain massive amounts of data permanently.
PE: What unique threats does the healthcare industry face when it comes to cybersecurity?
Bernstein: Ransomware remains a significant threat due to the critical nature of healthcare services. Many ransomware attacks on healthcare have caused widespread disruption, demonstrating the sector’s vulnerability. Threat actors target healthcare entities for ransomware attacks because the data and availability are both time and mission critical. Lives are also at stake and therefore, they are much more willing to pay ransom to get data returned and maintain healthy operations.
Business email compromise (BEC) frauds have become a significant threat to the healthcare industry, often leading to misdirected payments and substantial financial losses. In BEC schemes, attackers typically gain access to or spoof legitimate email accounts of executives or financial personnel, using this access to deceive employees into transferring funds to fraudulent accounts. Healthcare organizations, with their complex billing processes and numerous transactions, are particularly vulnerable to these types of attacks. The consequences can be severe, as funds intended for critical operations or payments to vendors can be diverted, leading to operational disruptions, financial strain, and reputational damage. Additionally, the sensitive nature of communications in healthcare means that BEC frauds can also expose confidential patient information, compounding the impact of the breach. This highlights the importance of implementing stringent security measures on email and other communication channels, thorough verification processes for financial transactions, and regular employee training to recognize and prevent such fraudulent activities.
Insider threats are particularly challenging in healthcare, where employees often have access to vast amounts of sensitive data. Many recent publicly disclosed breaches have been shown to be the result of an employee improperly accessing patient records, exemplifying this kind of risk.
The growing use of connected medical devices introduces new security challenges. The FDA's recall of certain Medtronic insulin pumps due to cybersecurity vulnerabilities highlights the risks associated with IoT devices in healthcare. This is particularly true for robotic medicine and remote medicine (telemedicine), which permit access to sophisticated medical technology remotely. Moreover, providers may not know or have access to information about how these systems work and may inadvertently expose these systems when they place data or access online.
State-sponsored groups often target healthcare organizations for their valuable research data, particularly in areas such as drug development and disease research. The increase in cyberattacks on vaccine research facilities during the COVID-19 pandemic emphasizes the strategic importance of this data.
PE: What sort of data are hackers looking to steal?
Bernstein: Personally identifiable information (PII) and protected health information (PHI) are prime targets due to their value on the dark web. Many recent high-profile healthcare and hospital system breaches have resulted in the exposure of the PII and PHI of many millions of individuals, highlighting the high stakes involved in protecting this type of information. This permits threat actors to impersonate patients, access other patient accounts, commit identity fraud or identity theft, and carry out other types of criminal fraud.
Healthcare organizations manage significant amounts of financial data, making it a target for cybercriminals. Many recent breaches of pharmaceutical and healthcare organizations have resulted in the theft and/or leakage of sensitive financial data alongside medical records and other sensitive information. This illustrates the risks involved. In addition, hackers may use this data to commit medical insurance fraud, piggybacking medical care off the insurance information gleaned from a data breach or data theft.
Hackers target medical records for their potential use in fraud and blackmail. Many recently disclosed healthcare network breaches demonstrate the importance of securing medical records. These records may be used for extortion, blackmail, research, and other fraudulent exploits.
Research data and intellectual property related to medical advancements are highly sought after by cybercriminals, especially those backed by nation-states. Hacks targeting COVID-19 vaccine research data during the pandemic demonstrate the critical importance of protecting this information.
PE: How important is it for companies to stay up to date on their cybersecurity systems?
Bernstein: Staying up to date with cybersecurity systems is essential for compliance with regulations like HIPAA, GDPR, and HITECH. Failure to comply can result in severe penalties, as seen in multiple recent HIPAA settlements which followed many recent security breaches. This means not only keeping up with regulations but understanding your threat environment. As of June 2024, the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) has imposed penalties in 145 cases related to HIPAA. As mentioned within the introduction section of my response, settlements have resulted in approximately $150,000,000 being paid. This data may be found on the OCR Breach Portal, which is also known as the OCR Wall of Shame.
Cyber threats are continually evolving, requiring healthcare organizations to keep their cybersecurity systems updated to defend against new threats. Many security compromises can be attributed to failing to apply critical security patches. AI and other cutting-edge technologies are being used by threat actors to further sophisticated attacks, including virtual impersonation of personnel, predictive attacks, and constant probes.
Healthcare data is incredibly sensitive, and maintaining up-to-date cybersecurity systems is crucial for its protection. Many recent ransomware attacks against healthcare systems compromised many millions of patient care and data records, underscoring the importance of maintaining current defenses. Patient data remains a valuable target for hackers, and the results of a loss can be catastrophic.
A strong cybersecurity posture is vital for maintaining trust with patients and regulators. Many breaches have led to significant reputational damage and regulatory scrutiny. Moreover, reputational damage and losses may not be fully covered by cyber insurance policies, and may persist years or decades after a breach.
Building redundancy and resilience into healthcare systems is crucial for ensuring continuity of operations during and after a cyberattack. The Scripps Health ransomware attack in 2021 highlighted the consequences of insufficient resilience and redundancy in critical healthcare systems. For healthcare entities, it is critical that data and services remain online and available, and that there are robust and redundant backup systems.