The ransomware attacks of 2017 and massive data breaches of 2018 showed the world the devastating scope and costs associated with a major cyberattack, and served as an example to many of why cybersecurity needs to be taken more seriously.
It is yet to be seen what the biggest cyber threat of 2019 will be, but with terabytes of crucial scientific data making its way onto the cloud, and millions of patients using internet-connected medical devices, the biotechnology and pharmaceutical industries may seek to heighten their cybersecurity efforts this year.
“When compared to other highly digitized and tightly regulated industries like financial services, biotech and pharma have historically spent far less on cybersecurity measures and policies, but we could see them step up their game this year,” said PJ Kirner, CTO and founder of data center and cloud computing security company Illumio, in an interview with R&D Magazine.
Improved “security hygiene” in biotech and pharma is one of the top cyber trends Kirner predicts for 2019, especially as the healthcare sector has been a top target of cybercriminals over the past several years. Between 2015 and 2017, the medical/healthcare sector suffered the second-highest number of data breaches out of the five major sectors tracked by the Identity Theft Resource Center (ITRC). The sector saw just over 370 breaches each year between 2016 and 2017, and 181 in the first half of 2018, according to ITRC. This is nearly the equivalent of one breach per day targeting healthcare.
Some of the entities that guide and regulate these industries have taken steps to address the pressing need for hardier cybersecurity in the last half-decade. The U.S. Department of Health and Human Services created the Health Care Industry Cybersecurity Task Force after Congress passed the Cybersecurity Act of 2015, and the task force reported its findings on June 2, 2017, with six “imperative” recommendations for improvement. These recommendations, which were further broken down into action steps, included outlining and structuring the governance and expectations for cybersecurity in healthcare, better securing medical devices, and focusing specific efforts on protecting the R&D sphere.
Similarly, the Healthcare and Public Health Sector Coordinating Councils and HHS collaborated to provide further best-practice recommendations for preventing data breaches and other cyberattacks in a document published Dec. 28, 2018, and the U.S. Food and Drug Administration addressed the growing IoHT (“Internet of Healthcare Things”) in November 2016 by updating the nearly 20-year-old 1997 guidance document for manufacturers to submit reports about potential defects in medical devices.
But Kirner warns that it is still up to companies to dedicate more time and resources to defending their cyber systems and devices.
“While these (documents) are steps in the right direction, there’s no way to enforce these guidelines, so biotech and pharma companies need to invest further if they want to reduce and mitigate potential cyberattacks,” he explained. “They need to ‘assume breach’ and implement a comprehensive strategy to protect their most valuable data against a likely attack.”
Essentially, organizations should be prepared for the worst, as Illumio’s head of cybersecurity strategy Jonathan Reiber explains in a recent post on the company’s website. A part of this strategy is focusing on what an organization values the most, as well as what a potential hacker would be most likely to go after. He mentions the 2018 breach of SingHealth, a Singaporean health provider, in which 1.5 million patients’ data was stolen from a cloud-stored database.
“If a hostile actor seeks to gain an advantage, what will they try to steal, manipulate, or break in an organization?” Reiber writes. “If you assume breach, you need to focus on protecting the data that powers your most important missions.”
Kirner echoed this advice, and pointed out the unique position of biotech and pharma, which makes the security of these industries especially important.
“While protecting a company’s data is important to any industry, this information (i.e. research) is the biotech or pharma company in question—it’s their lifeblood and is the foundation for everything they do,” Kirner stressed. “If this research gets into the hands of bad actors, it won’t just cause issues with protecting sensitive, personal, and/or private information; that information could potentially be manipulated to develop bioweapons or to manipulate chemical or biological agents to negatively impact populations.”
This is especially significant, given the potential that a major cyberattack could come from a foreign adversary, Kirner added. Several malware outbreaks and data breaches have been attributed to overseas powers over the last few years, including the WannaCry ransomware attack of 2017, and the Marriott breach disclosed this past November.
“Imagine a scenario in which a hacker breaks into a research institution and manipulates drugs or biological agents to inflict harm on a large scale. Such a scenario would likely be executed by hostile nation-states—as they have the resources to carry out such a large-scale attack—to further their political agenda and motivations by targeting the general population,” Kirner said.
To mitigate the risk of hackers breaking into a network, Kirner recommends companies put more focus on internal safeguards for the most valuable information and resources in preparation for an attack, in addition to the outward defenses designed to stop such an attack before it begins.
“It helps to start by securing your data from the inside. The vast majority of companies have invested in strong perimeter defenses but few have worked to secure their datacenters and cloud environments internally,” Kirner said.
He suggests micro-segmentation of networks as a potential solution for keeping the most critical components just out of criminals’ reach.
“Think of your network and datacenter like a submarine: when a submarine’s hull is damaged, watertight doors on either side of the section are sealed, and so the flow of water is limited. This lets the submarine continue to function instead of sinking,” he explained. “Through micro-segmentation, the same effect is achieved for an organization’s network. It separates the high-value assets in your network (the ‘crown jewels’) away from the low-value areas (from which would-be intruders will start).”
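The containment effect in the submarine analogy can be checked against a policy before relying on it. The sketch below is an added illustration, not code from the article or from Illumio; every workload name, segment label and rule in it is constructed. It compares how far an intruder on one user laptop can pivot in a flat network and in a default-deny segmented one, and shows that a single extra allow rule can reopen a path to the research database.

```python
from collections import deque

# Constructed inventory: workload name -> segment label (all names hypothetical).
WORKLOADS = {
    "laptop-17": "user",
    "mail": "corp",
    "web-portal": "dmz",
    "bastion": "admin",
    "lims-app": "research-app",
    "research-db": "research-data",  # the "crown jewels"
}
SEGMENTS = set(WORKLOADS.values())

# Flat network: no internal rules, every segment may talk to every other.
FLAT = {(src, dst) for src in SEGMENTS for dst in SEGMENTS}

# Micro-segmented: default deny, only these segment-to-segment flows are allowed.
SEGMENTED = {
    ("user", "corp"),
    ("user", "dmz"),
    ("admin", "research-app"),
    ("research-app", "research-data"),
}

# The same policy with one over-broad rule added (constructed misconfiguration).
LEAKY = SEGMENTED | {("dmz", "research-app")}

def blast_radius(start, allowed):
    """Workloads reachable from `start` by chaining allowed flows hop by hop."""
    seen, queue = {start}, deque([start])
    while queue:
        src = queue.popleft()
        for dst, segment in WORKLOADS.items():
            if dst not in seen and (WORKLOADS[src], segment) in allowed:
                seen.add(dst)
                queue.append(dst)
    return seen - {start}

def exposes(start, target, allowed):
    """True if a foothold on `start` leaves any allowed path to `target`."""
    return target in blast_radius(start, allowed)

if __name__ == "__main__":
    for name, policy in (("flat", FLAT), ("segmented", SEGMENTED), ("leaky", LEAKY)):
        print(f"{name:10} {sorted(blast_radius('laptop-17', policy))}")
```

Reachability is computed transitively because each allowed flow is also a possible pivot, so a segmentation policy should be reviewed for chains of rules that end at the high-value assets, not only for direct rules.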