Why drug companies should be laser-focused on cybersecurity right now

In late April, Vermont-based ExecuPharm announced that it had been the victim of a ransomware attack in which its own personnel records and those of its parent company were encrypted. Among the personal information held hostage were social security, credit card, and bank account numbers, along with passport and drivers’ license data.

InfoSecurity magazine called it a ‘major haul.’

If you’re wondering what keeps a bunch of penetration testers awake at night (other than near-lethal doses of caffeine), a pharma industry breach is near the top of the list.

Why? Because merely stealing data or encrypting it isn’t the worst thing hackers can do once they’re inside a network. Another, more frightening possibility is that they access and alter drug trial data. With labs around the world attempting to fast-track preventive and curative treatments for COVID-19, skilled hackers could breach a pharma company network, manipulate research data, and simply leave undetected.

Imagine a promising new vaccine shelved because it was falsely judged to be ineffective. Or, worse, a dangerous treatment that’s shipped worldwide because its harmful effects were hidden by hackers.

Data manipulation has happened before. In 2013, a bogus Associated Press report caused a brief but sharp decline in stock prices. The motive then was political – a foreign entity aiming to disrupt the US economy. That could also spur an attack on drug companies, but so too could the possibility of gaining a competitive advantage, weakening government institutions, or exacerbating global tensions.

There is a long list of reasons why the bad guys might try this tactic. What’s more important is how we can prevent it. Toward that end, here are some right here, right now suggestions from our team to Big Pharma. Who knows if they’ll take our advice, but we’ll sleep better knowing it’s out there.

Inventory assets and prioritize by risk

Different resources pose different levels of risk to the company. If a time clock application were to be compromised, it’s less impactful than a file server holding proprietary research data. In order to apply controls effectively, the risk must be quantified and associated with an asset by business criticality. In the case of drug companies, public safety must be the highest priority.

Threat modeling

In order to enact security measures, it’s necessary to understand the motivation and capabilities of the attacker. The measures necessary to protect against a hacktivist would be different than those necessary to protect against a rival company equipped for corporate espionage. It makes sense to develop a detailed profile of potential adversaries, their capabilities, and what assets would be valuable to them. This data set can be used as a basis to tailor additional security controls as the threat landscape continues to evolve.

Vulnerability Management

Once risks are identified, they should be prioritized as part of a formal vulnerability management program. This is a structured program that identifies vulnerabilities, assigns them a level of severity, and associates them with an asset. The outputs of this process can help drive remediation efforts so that technical resources are tasked efficiently in mitigating the attack surface in the environment. A vulnerability management program also includes a regular patching regimen so that network endpoints stay protected.

Network Segmentation

Network segmentation should be employed to isolate administrative interfaces and high-risk assets. Segmentation VLANS can be mapped a number of ways, but a common is to use a least privileged access hierarchy, starting with geographic region, then narrowing to facility, then business unit, and finally asset criticality. If only a small group of lab technicians need access to a file server, they should be the only ones to be able to reach the server.

Password management

We’ve said it before. You’ve heard it before. But this is by far the most common exposure to companies. Your data is only as safe as the credentials that protect it.  Most of the breaches we see involve a weak password somewhere along the way. An effective password policy should meet the following benchmarks at a minimum:

• Passwords or pass phrases at least 12 characters in length.
• If a pass phrase is used, it should be more than three words, and not comprised of predictable nomenclature. For example, ‘UnicornsSpaghetti’ is less predictable than ‘UnicornGlitter’.
• Dictionary words and phrases associated with local / corporate culture should be prohibited, such as brand slogans or local sports teams.
• Use a service like HaveIBeenPwned.com to make sure passwords have not been part of a previous breach.
• Use a password manager to make sure passwords are unique between authentication structures. As an example, your bank password should not be the same as your network password.
• Change passwords on a regular schedule.
• Conduct regular password audits to identify weak passwords.

^{Photo Credit: Centers for Disease Control}