Life sciences companies a likely targets of these kinds of attacks.
Life sciences companies are particularly attractive targets for cyberattacks–an unwelcome attempt to steal or destroy information through unauthorized access to computer systems–because of the valuable intellectual property they frequently store and manage. Recent research into the top 20 global Fortune 500 pharma companies revealed that total breaches and records exposed since 2020 are escalating at an alarming rate.
Ransomware is a specific type of cyberattack that has effectively demanded large monetary payouts. More specifically, ransomware is malicious software, called malware, that is deployed on a computer or system and threatens to either publish or block access to data through encryption. In all cases, the victim must pay a ransom fee to the attacker to regain access to their content. Ransomware groups are known to demand payments by a specific deadline. If not paid, the threat is that the data could be lost forever and used to harm the organization. In other instances of non-payment, the ransom might increase exponentially. The deep pockets and critical nature of the work done by life science companies make them highly likely targets for ransomware.
Therefore, the best way for life sciences organizations to protect against cyberattacks, specifically ransomware, is to establish a proactive security posture. This is a call to action for life science industry leaders to partner with experts in data governance to achieve this goal. This article highlights common challenges and vulnerabilities that can impact security practices in the life sciences industry and examines the potential for ransomware to impact researchers negatively, while also sharing options for companies to fortify defenses against looming threats.
The DNA of Software in Life Sciences
At a fundamental level, software development in life sciences may be one of the reasons it's a common target for malicious hacking groups. Sometimes, the software is created by industry experts who are laser-focused on business process compliance and regulatory needs for the industry to operate safely. Their primary focus is not on developing critical elements like the software's security or encryption. While the end goal is to help research development (R&D) teams conduct their essential work to regulatory standards, the result is typically clunky software compared to platforms designed from inception with privacy and security in mind.
Industry regulations and software validation can deter regular software updates that fix security vulnerabilities. In other words, if IT changes how users create, access, or share content, they must also revalidate the standard operating procedures to ensure that people follow them correctly. These updates might be delayed if they happen during a clinical trial, which might introduce a vulnerability for months to a year until the clinical trial is complete. The problem is deemed “too inconvenient” and one that doesn't render the ROI to justify the task.
Impact of Standards on Security and Innovation
The hallmark of studying science has traditionally been a bold exploration of our natural world. However, the regulations governing life sciences have produced an increasingly risk-averse industry. Some pharma and biotech companies remain conservative about the technology used for business operations to avoid the possibility of non-compliance. It's no surprise that failure to embrace newer technologies can limit the ability to innovate.
But just as it accelerated transformation in other industries, the recent Covid-19 pandemic expedited the adoption of cloud technologies in life sciences companies to digitize and use electronic methods for innovative data management. According to McKinsey, 16 of the top 20 pharmaceutical companies refer to cloud technology in recent reports and news releases.
Cloud content and governance platforms are highly sophisticated and can significantly improve accessibility, reliability, and centralization of data. Further, the cloud streamlines a company's data since it's not stored in various places. It allows more flexibility to scale and automate without struggling with policies and rules around each data store. In turn, IT can easily manage all company assets and better mitigate ransomware risk as long as the right content governance platform is in use.
The Connected Nature of Biotech
While many biotech companies are small and outsource much of their clinical operations to contract research organizations (CROs), working with various software vendors gives cybercriminals a larger attack surface to potentially exploit. This increases the likelihood that cybercriminals could find a way into sensitive systems and move laterally around the network without detection to find the desired target.
Creating a Security-Minded Culture
Cyberattackers also tend to target the weakest link in an organization. While those on the front line are tech users, they may not necessarily be IT security specialists trained to understand the many types of threats, including how to identify a phishing email, etc. Someone on a clinical team may not have the same understanding or know their role in helping to protect the rest of the organization against threats. Perhaps they view data protection and data governance as outside their domain expertise and, therefore, not a priority.
This narrow view can sometimes result in a data breach or data loss. Therefore, establishing a security-minded culture is necessary for removing knowledge barriers. IT should be regarded as a diligent and trusted partner, with cybersecurity viewed as a collective effort rather than just a line-item.
Sidestepping the Fallout of Ransomware
Ransomware attacks can negatively impact scientists and researchers, putting unnecessary strain on their vital work. Suppose a sponsor doesn't have a secure collaboration platform during a clinical trial and is faced with having patients redo what was completed last week. In that case, it can increase the participant dropout rate and add a significant delay. The costs of delayed clinical trials can range from hundreds of thousands to millions of dollars every day. In fact, according to a 2022 IBM Security report, the average total cost of a data breach in pharmaceuticals is $5 million.
It is also crucial for life science companies to have a disaster mitigation plan in place in the event of natural or man-made events that impact day-to-day operations. With proper backups and plans prepared, downtime can be drastically reduced. Along with disaster planning is company training. Employees and contractors should be trained to distinguish a legitimate email from a malicious spear-phishing email to cultivate a culture of security. They must know what to do if they suspect they have fallen prey to an attack. And they need to be reassured that it is more important to report a breach than to hide it and hope no one notices.
To lower the risk of ransomware and, in turn, reduce susceptibility to costly trial delays, life sciences organizations should prioritize data protection. Cyber threats are prevalent, and attacks can happen to any organization at any time. With informed preparation, advanced planning, and technology partnerships, life science companies can be better equipped to defend against various cyberattacks but especially the very costly threat of ransomware.