Alan Brill didn’t strike me as an alarmist.
During our interview he was pleasant and calm, patiently explaining to me the ins and outs of cybersecurity.
But you shouldn’t mistake Brill’s composure for a lack of urgency.
With over 30 years of experience dealing with cybercrimes, Brill, who now serves as a senior managing director with Kroll’s Cyber Risk practice, has been in some high-pressure situations.
In 1991, on the fifth day after coalition forces re-took Kuwait from the Iraqi army, Brill led a small team on the ground seeking intelligence from computers left behind by retreating Iraqi forces. In 2008, when a foreign intelligence service penetrated the computer networks of the Obama campaign, it was Brill who was tapped to lead the effort to remove the hackers and prevent them from re-entering.
So when Brill refers to the cybersecurity problem in the pharma industry as “existential,” it’s probably a good idea to take heed.
“This is a real issue. You can’t simply say, ‘Talk to the CIO, it’s a technical problem’ or ‘Talk to the COO, it’s an operations problem,’” says Brill. “It has come down to the fact that what you’re dealing with is very often an existential problem — the company may live and die based on what happens.”
And Brill is not the only one trying to get the word out.
Last year, the Federal Bureau of Investigation (FBI) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) jointly issued a stark warning: China-affiliated cyber actors were caught trying to obtain valuable intellectual property and public health data related to COVID vaccines, treatments and testing. Pharma companies were among those targeted, and officials urged them to maintain dedicated cybersecurity because the delivery of treatment options — at a time when COVID was ravaging the world — was in jeopardy. Similar warnings have recently been sounded about hackers from both Russia and North Korea.
There is no shortage of data backing these warnings. According to a report from cyberthreat intelligence company BlueVoyant, cyberattacks on the biotech and pharma industry increased by 50% between 2019 and 2020. Black Kite, a cyber-risk management company, recently found that one in 10 global pharma manufacturers are at a high risk of suffering a ransomware attack.
Individual pharma companies are speaking out as well. During an online panel at the Aspen Cyber Summit last December, Johnson & Johnson’s Chief Information Security Officer (CISO), Marene Allison, said J&J had seen a 30% uptick in cyberattacks during the pandemic and that health care organizations are fending off attempted penetrations by nation-state threat actors “every single minute of every single day.”
With many experts warning that the attacks on pharma are not only more frequent but more sophisticated, the message is clear: Cybersecurity threats have become a very real part of doing business in pharma and the industry’s continued success — as well as the lives of millions of patients — depend on pharma’s ability to kick its cyber vigilance into high gear.
The lure of pharma
Among security professionals, 1930s bank robber Willie Sutton has become somewhat of a mythical figure. As the story goes (the incident was later refuted by Sutton himself in his autobiography), when a reporter asked the prolific thief why he robbed banks, Sutton replied, “because that’s where the money is.”
As one of the largest and most profitable industries in the world, pharma has long since been a darling of cybercriminals. To begin with, the industry is ripe with valuable intellectual property data on drug formulations and technologies.
“The ‘bad guys’ today know the pharma industry has trade secrets. The industry has information that they can monetize — that they can threaten to release and get money, or that they can encrypt and get money or some combination of the above,” says Brill.
The pharma industry is also the gatekeeper to massive amounts of personal health data collected during clinical trials. One analysis found that a patient’s full medical record can sell for up to $1,000 — nearly 10 times the going rate for social security numbers and credit card information.
One of cybersecurity’s most cautionary tales involves the 2017 NotPetya ransomware attack that hit, among many organizations, Merck & Co. Often touted as one of the most devastating attacks in cyber history, the virus infected Merck through a server in Ukraine and quickly spread. The attack led to a disruption of worldwide operations, ultimately resulting in a $1.3 billion insurance claim.
As was the case with Merck, the global nature of the pharma industry makes it a broader target for cyberattacks.
“If I’m a criminal and I think I’ve found a weakness in your plant in Malaysia or your plant in Turkey or wherever, why not hit there?” says Brill. “It’s all cyber-connected. They [cybercriminals] look for weak links — and they’ve gotten very efficient at exploiting them.”
Hitch-hacking pharma’s digital journey
Pharma Manufacturing’s recent Smart Pharma Survey found a positive climate for digital innovation in the industry. Over 88% of respondents believe that, even if the manual processes used in their plants were seemingly effective, their companies would choose to automate processes if given the option. A similar percentage of respondents indicated that digitalization is an important part of the discussion when their companies are upgrading manufacturing facilities.
Digital innovations such as cloud computing, artificial intelligence and connectivity via industrial IoT are enhancing every aspect of pharma, from speeding up drug discovery to making plant floor operations easier and more efficient.
Despite all its benefits, digital transformation, if not handled carefully, also carries with it new cyber-risks.
For example, IBM Security's Cost of a Data Breach report found that misconfigured clouds were a leading cause of cyber breaches. For pharma, more than half of the industry’s cyber incidents happen during this move to the cloud — and to make matters worse, breaches that happen during cloud migrations are the most expensive.
While the pandemic has had a positive impact on pharma’s digital progress, forcing the industry to drop a lot of its traditional constraints, it also has created more opportunity for cyberattacks.
“The pandemic undoubtedly exacerbated the rise of cyberattacks,” says Liz Mann, EY Americas Life Sciences and Health Cybersecurity leader. “The shift to remote working facilitated an abrupt change to corporate network traffic patterns and to the degrees of controls implemented in a work-from-home environment.”
Last year, hundreds of thousands of workers in the pharma industry pivoted to remote work virtually overnight, which resulted in, among many things, an influx of personal devices on corporate networks.
During Aspen’s Cyber Summit, Meredith Harper, CISO at Eli Lilly, noted that the drugmaker’s decision early on in the pandemic to allow some 16,000-17,000 global team members to work remotely substantially increased the footprint of the cyberattack surface.
According to Harper, Eli Lilly went to great lengths to quickly roll out an educational awareness program about how to better protect against cyberthreats in a home environment, including offering employees financial allowances to properly secure their workspaces.
The impact of the pandemic on cybersecurity wasn’t exclusive to the pharma industry. Overall, the pandemic increased the threat of cyberattack for companies across all industries. Kroll and partners surveyed 500 security and risk leaders at large organizations — those with more than $500 million in revenue — on matters related to their cybersecurity programs, specifically threat detection and incident response. What they discovered was that the vast majority (93%) of organizations suffered a compromise of data over the past 12 months.
New attack models
The pharma industry is frequently heralded for its life-saving innovations in human health. But like drugmakers, cybercriminals are also fast evolving.
Wishful thinking aside, no industry is immune to attacks by nefarious actors, and despite its mission to save lives, this rule includes pharma. While it's concerning enough that attacks on pharma have become frequent, it’s even more troubling that the attacks are more targeted and sophisticated.
While the ransomware approach with the end goal of financial gain remains the most popular method of attacking pharma companies, experts are warning that the spectrum of attacks is widening.
“The thing about cyberthreats is that old experiences fuel new ideas, and the landscape is always changing. Threat actors continue to demonstrate patience, creativity and determination in the process,” says Mann.
Ransomware-plus
Ransomware — a form of malicious software (“malware”) designed to block access to a computer system or data — makes up almost half of all reported attacks on the pharma industry.
In its most basic form, ransomware works like this: Criminals encrypt a company’s data or systems and then force the company to pay a ransom in exchange for decrypting the information or restoring access to systems.
But according to Brill, criminals have also started “double-dipping” in the ransomware pool.
“Kroll’s internal intelligence group is seeing that in about half of our cases, before the ransomware is actually launched and everything is encrypted, the hackers steal the data,” says Brill. “The hackers say, ‘Pay me the ransom or you’ll never get your data back.’ And then after you pay the ransom, they say, ‘By the way, I stole a copy of your data. And if you don’t pay me more, it’s going to be made public on the internet.’”
Brill says that Kroll has also recently seen an influx of attacks bypass the ransomware altogether. In these cases, attackers go beyond simply disabling systems; instead they steal sensitive data and hold it for ransom, threatening to sell it if the ransom isn’t paid.
Digital espionage
Stories of suspected nation-state cyberespionage, sometimes reminiscent of old spy film plots, frequently light up the news headlines. Their intrigue is compounded by the fact that they are often shrouded in mystery — confirmed by “unnamed government sources” and lacking details regarding the perpetrators, whether the attacks were successful and what data may have been compromised.
Brill ran point on one of the most high-profile cases of suspected cyberespionage in history.
During the 2008 U.S. presidential election cycle, the FBI and U.S. Secret Service determined that both the Obama and the McCain campaigns were being targeted by hackers. A team of experts from Kroll, led by Brill, was dispatched to Obama’s campaign headquarters and to the Democratic National Committee to identify the infection, cleanse infected systems and bolster defenses. Kroll investigators determined the compromise occurred through a phishing email made to look like the outline of a meeting agenda and containing a malicious .zip file attachment.
U.S. officials later attributed the attack to hacking units backed by the People’s Republic of China. Dennis Blair, who served as President Obama’s director of National Intelligence from 2009-2010, told NBC News that the hackers were, “looking for positions on China…surprises that might be rolled out by campaigns against China.”
While espionage isn’t the top cyberthreat faced by pharma companies, the pandemic has created an ideal scenario for nation-state attacks. The amount of valuable, proprietary information being generated by drugmakers during COVID vaccine development, combined with an international scramble for information and supplies, and the rise of vaccine nationalism, make vaccine data an almost irresistible target.
Early on in the pandemic, U.S. federal agencies accused both Chinese and Russian cyberespionage groups of attempting to steal COVID vaccine information from drugmakers.
Then, in December of last year — when the U.S. was just days away from authorizing its first vaccines — The Wall Street Journal reported that North Korean hackers targeted at least six pharma companies* working on coronavirus treatments and vaccines in the U.S., U.K. and South Korea. A few months later, South Korea’s intelligence agency claimed that North Korea had attempted to steal information on vaccines and treatments by hacking Pfizer.
Supply chain attacks
As the pharma supply chain becomes increasingly global and complex, cybercriminals are capitalizing on new opportunities.
“One of the approaches we see today is what’s referred to as a ‘supply chain’ attack,” says Mann. “In this case, supply chain refers to a ‘one to many’ attack, where the attack is launched at a third party or a technology manufacturer, but the intent is to reach the companies in its supply chain.”
Hackers look for a weak link in cybersecurity protocols and use it as an entry point.
“Cybercriminals attack once, land in many places, and see what can be accomplished. A lot of damage can be done quickly in this manner,” says Mann.
The pandemic has further extended the pharma supply chain and by doing so, created more potential points of attack. The need to transport millions of doses of vaccines with unique cold storage requirements has introduced new partners to the pharma supply chain. And these new partners bring new security issues.
A recent BlueVoyant logistics report found that attacks on shipping and logistics firms tripled between 2019 and 2020.6 While most pharma companies have robust cyber defenses in place, that is not always the case with delivery and logistics companies. Connecting systems via GPS and digital apps exposes all partners in the chain, warns Brill.
As a case in point last November, Americold, the world’s largest owner and operator of temperature-controlled warehouses — and one of the companies tapped to provide the specialized cold storage required for the Pfizer vaccine — disclosed that its computer network was affected by a cyber incident, later revealed to be a ransomware attack.
The attack on Americold wasn’t an isolated incident either. A month later, the cyber teams at IBM and the Department of Homeland Security’s CISA warned of a phishing campaign spanning across six countries that targeted multiple organizations associated with Gavi, The Vaccine Alliance’s Cold Chain Equipment Optimization Platform — a program put in place in 2015 to help improve the global availability and installation of high-performing cold chain equipment.
Insider threats
Insider threats come in various forms, and they don’t always have to be malicious.
As the pandemic took hold, the combination of a hasty transition to remote work, a high-stress climate and the need to work quickly created an environment where even the most well-intentioned employee could inadvertently enable a cyber breach.
In September 2020, cybersecurity experts at Positive Technologies investigated an elaborate social engineering attack against a major pharma company. The attack involved North Korean hackers using a fake LinkedIn profile with hundreds of connections and bogus job offers to trick employees into running code that eventually compromised the corporate network.
There are also occasions where, as the famous line goes, “the call is coming from inside the house.” Aside from occasional data breaches perpetrated by a disgruntled employee, experts at Kroll have spotted a new trend whereby criminals enlist the help of pharma insiders to pull off their attacks.
“In recent weeks, we’ve seen some of the cybercriminal gangs reaching out to people inside an organization and saying, ‘If you will plant some malware for us, we’ll give you a percentage of whatever we get in ransoms,’” says Brill.
To this end, experts have warned of the rise of a new business model used by ransomware developers, referred to as Ransomware as a Service (RaaS). Essentially, criminals are selling kits on the dark web that allow wannabe-hackers who lack the tech skills to develop their own ransomware to simply buy what they need to launch attacks. The ransoms are then shared between the buyer and the RaaS company.
Don’t turn your back
For pharma companies, dealing with cyberthreats is part of doing business. But despite the robustness of systems in place, Brill argues that it must always stay top-of-mind.
“The way I look at it, if you’re in the pharma or biotech business, you may not like to think about it, but you’re in the cyber business,” says Brill. “Whether you like it or not, the risks are there. The only choice is whether you’re going to ignore them or you’re going to understand them.”
As threats change and become more advanced, being proactive has become more crucial.
“What we’ve seen is an evolution in our client base — from ‘protect the perimeter and hope for the best’ to active monitoring, where you really have people looking at what’s going on and trying to get as near to real-time feedback when things go wrong," says Brill.
Being proactive also extends to situations such as upgrading to new, more connected technologies on the plant floor. The digital plant can offer tremendous benefits, provided manufacturers make cybersecurity part of the discussion from the start.
“The magic lies in recognizing that cybersecurity needs to be embedded in emerging technologies from the outset, and by design,” says Mann. “The mistake organizations make is in introducing new technologies first, and then trying to secure them later. It is better, faster, smarter and less expensive to embed security into the process from the beginning.”
Making cybersecurity a top initiative means starting conversations from the top.
Big Pharma has seen the rise of in-house chief information security officer positions and increasingly, according to Mann, these leaders have a seat at the boardroom table. “The movement from the back office/IT to front office/business strategy, is occurring, albeit slowly,” says Mann.
For the smaller companies who may not have the means to have a dedicated cybersecurity executive, there are experts for hire, like Brill and his colleagues working in Kroll’s Global Cyber Risk practice, offering end-to-end cyber-risk solutions. Mann notes that some pharma companies may also opt for a part-time or “on-call” CISO.
"We recognize it’s not always feasible to have a dedicated executive, but the threat is significant, therefore organizations all need to figure out a way to address it,” says Mann.
Brill stresses that cybersecurity can’t happen in a bubble. Recognizing patterns and methods of attack can help defend against breaches. It’s here that experience and exposure makes a big difference.
“We handle several thousand cases a year. And as a result, we’re able to collect a lot of data on what’s happening right now, this week, last week, last month, etc.” says Brill.
Collaboration, or “crowdsourced cyber security” is also a viable method of broadening experience.
The Health Information Sharing and Analysis Center (H-ISAC) is a global, non-profit organization offering health care stakeholders a forum for coordinating and sharing physical and cyberthreat intelligence. The community — which consists of clinicians, payers, pharma, academia and health IT — is focused on sharing intelligence on threats, incidents and vulnerabilities as well as advice and best practices for mitigation.
“As an industry, pharma recognizes that a threat to one is a threat to all,” says Mann. “In my experience, I have seen pharma CISOs help one another during cyberattacks. When human or animal life is at the center of the business, perhaps it inspires better collaboration.”
Ultimately, eliminating cyberattacks entirely is not possible, so it comes down to a familiar concept in pharma — managing risk.
“In a nutshell, no one can protect everything with equal rigor. This is a fact. Therefore, risks need to be assessed and defenses implemented based on the likelihood of a breach and the potential for harm,” says Mann. "The cyberthreats are significant and ever-changing, so the equation is one of balancing risk with resources.”