New Report Finds Whopping Increase in Pharma Cybersecurity Threats


Cybersecurity breaches in pharma can impact everything from supply chains to the coordination of disinformation campaigns.

A new report shows that cybersecurity risks in pharma run deeper and are more wide-ranging than once thought. Findings from an analysis conducted by Constella Intelligence, a digital risk protection company, show widespread cybersecurity vulnerabilities that are costing pharma companies significantly.

Constella released their Pharma Sector Exposures Report: 2018–2021 Digital Risk Findings and Trends, which focused on analyzing digital risks to the top 20 pharma companies on the Fortune Global 500 list. The report includes information on breaches, exposures and leaks in the pharma sphere.

The report included data from January 2018 to September 2021 that was obtained through analysis of identity records from data breaches and leaks spotted in open sources as well as on the surface, deep and dark web.

According to information in a press release from Constella, the company identified 9,030 breaches/leakages and more than 4.5 million exposed records. Almost two thirds of the pharma cybersecurity breaches included personally identifiable information (PII) items like email addresses, phone numbers, passwords and even credit/banking information. The sensitive information exposures pertained mostly to employee corporate credentials.

If the pharma cybersecurity breaches expand and circulate widely, this could lead to cyberattacks such as phishing, impersonation and account takeover. These could then lead to more coordinated, high-level attacks such as ransomware or coordinated disinformation campaigns. In worst-case situations, Constella says they can impact supply chains, lead to theft of trade secrets and cause reputational damage.



“The Pharma sector’s role within the healthcare ecosystem, especially with today’s public health needs, only emphasizes how critically important it is that these companies protect themselves from cyber threat actors,” said Constella Intelligence CEO, Kailash Ambwani. “As we have seen before, only one exposed employee credential can lead to a company having their systems or supply chain shut down by a data breach leading to a ransomware attack, resulting in a shortage of life-saving supplies.”

According to Constella’s report, approximately 59 percent of the total pharma cybersecurity breaches and 76 percent of total exposed records identified in Constella’s pharma report occurred after 2020, “signaling both are escalating in the pharma sector at an alarming rate.” Things, therefore, got worse in 2021, which is concerning as it was during the height of COVID-19 pandemic-fighting efforts, including vaccine distribution.

Concerningly, among a pool of 78 top pharma company executives (C-suite profiles), 58 percent have had their corporate credentials exposed in a third-party breach or leakage since 2018.

Pharma Cybersecurity and Cyber Attacks

Merck’s NotPetya incident was among the most notable pharma cyberattacks in recent history. The attack occurred in June 2017 and was linked to the Russian military. It cost the company almost $1 billion and hit its in-house API production, specifically impacting formulation and packaging systems along with R&D and other segments.

Merck will be able to cover its losses through a payout of $1.4 billion from its insurers, which came after a legal battle between the two. Merck’s insurers had denied coverage for the NotPetya attack citing that the policy excluded acts of war. A New Jersey court ruled a few weeks ago that the insurer could not claim the act of war exclusion because it applies to military conflict.

Last summer, The New York Times reported that PR firm Fazze had attempted to recruit social media influencers in France and Germany to make misleading claims about Pfizer and BioNTech’s COVID-19 vaccine. According to the NYT, the trail was found to lead to Russia after some other influencers began investigating the issue.

Jonathan Nelson, a digital intelligence specialist at Constella, told Fierce Pharma that companies can protect themselves through continuous monitoring. Companywide password protocols, using secure VPNs and investment in cybersecurity infrastructure for remote work can be added layers of protection.