Examining Data Breaches in Pharma Companies During COVID-19

Rebecca L. Rakoski, Esq.

While the nation and the entire globe battles the seemingly endless COVID-19, there is another battle that is being waged just beneath the surface against the pharmaceutical industry. An unprecedented number of attacks occur as hackers see pharmaceutical companies as "benefiting" from the pandemic. However, pharmaceutical companies frequently look to the perimeter in terms of defense while the biggest threat is already inside the building: third-party vendors. The supply chain in the pharmaceutical industry is complex and global. It naturally follows that with this global supply chain is an increased risk to the integrity of data being collected and stored. Yet, when it comes to vendor and supply chain management, pharmaceutical companies are still struggling.

Why the urgency?

Ever since the U.S. has been attempting to furiously stem the tide of the pandemic, hackers have found that the pharmaceutical industry is more vulnerable, and more open, than ever. The FBI and the Department of Homeland Security's cybersecurity agency issued a joint statement disclosing that the FBI is investigating "the targeting and compromise of U.S. organizations conducting COVID-19-related research" by the Chinese military and other Chinese hackers.

In March of this year, the Vermont AG notified the public that hackers published internal data from ExecuPharm, Inc. following a ransomware attack. The information stolen included: social security numbers, taxpayer IDs, driver’s license numbers, passport numbers, bank account details, credit card numbers, NI numbers and beneficiary information. And it is impossible to forget the massive Merck data breach which resulted in millions of dollars in lost proprietary information and years worth of pharmaceutical research. As data breaches continue to plague the pharmaceutical industry, one issue that is a persistent threat is vendors. Pharmaceutical companies are using vendors more and more. They are creating complex international supply chains, and yet vendor management continues to be a major issue. Consider that from a hacking perspective, it is one-stop shopping to go after the vendors that service the pharmaceutical industry. After all, why hack each company when hacking a vendor gets access to all the companies that use that vendor?

Vendor use

The number of vendors that provide necessary services to various areas of the pharmaceutical IT infrastructure system can be staggering. Without fail, almost every piece of software or device connects to the internet, creating a corresponding higher threat level than in a normal scenario. Now with COVID-19 shifting workplace attitudes toward what most are calling a "new" normal, many of the vendors used by healthcare organizations have employees that are working remotely but creating a perfect, if not predictable, storm of fast-paced work, large attack surfaces and consequential practices that are less secure. The issue is further heightened, and becomes more costly, because of the significant struggles the healthcare industry deals with in terms of addressing third-party vendor risk management, or rather the lack thereof.

According to a Ponemon Institute survey conducted in the fall of 2018, 56% of organizations have had a breach that was caused by one of their vendors. Correspondingly, companies are more and more reliant on third-parties and providing those third-parties access to an organization's sensitive information. This survey makes for an astonishing response when considering the volume of confidential data stored by pharmaceutical companies and the undeniable sensitivity attached to it, making it all the more in-demand to potential hackers and also unlawful nation state actors.

A more recent study by the Ponemon Institute and IBM Security shows that highly regulated industries, like pharma, experience on average a significantly greater total cost of a data breach than those in less regulated industries. In fact, according to the 2020 study, the pharma industry’s average total cost of a data breach is $5.06 million, making it fourth on the list just behind healthcare, energy, and finance. This figure is further compounded when considering that third-party breaches amplified the average total cost of a data breach to organizations overall as part of the study by an average of $207,411. Numbers like that are especially troubling given increasing cyber-attacks by hackers on pharma manufacturers targeting their rich intellectual property and corresponding profitability on the dark web.

The solution

Unfortunately, the frequent call to use automation and IT tools to create what may seem like an effective "solution" at the time is not so effective down the road when it serves to generate needless costs without providing the corresponding solution. Taking the human element out, and frankly the legal element out of the equation, will just cause these organizations to throw proverbial good money after bad. Furthermore, automation tools can admittedly be helpful in generating vendor assessment questionnaires and updating risk profiles, but there certainly needs to be a collaborative approach between all the significant corporate players, such as technology, compliance, the C-Suite, and legal, to truly begin to develop a program that will continuously manage third-party risk. This collaborative interplay leads, of course, to the inevitable question of where to begin.

Step One: Create a third-party vendor management program that sets parameters, guidelines, procedures, and, yes, consequences for failure to abide. This is critical. It has to be more than just a vendor questionnaire. Use appropriate tools but do not stop there. All of the tools and technology in the world will be worthless if there is not a recognized commitment from executives and verifiable consequences both internally and for the vendors that choose not to comply. Creating a full-scale program is the only true and effective way to invest in vendor management.

Step Two: Use a third-party to perform vendor assessments. Having a third-party perform the assessment creates a two-fold benefit. One, it can reduce costs to the organization by diverting internal resources to other work. The third-party can undergo the examination and analysis, which leaves the healthcare organization to review the result rather than get bogged down in the minutia of the process. Second, it reduces the ability of executives doing an end-run around the process. Reports with liability and risk evaluations are critical to the process, but more importantly it also creates accountability for executives who do not want to be tagged with "blame" for problems that arise with a partnering vendor. The right vendor can without a doubt be a critical asset that is not a significant risk. Nevertheless, it is equally important to keep in mind that outside vendors are part of the external, and sometimes unsecured, data chain being unknowingly, but no less purposely, brought into the organization's internal ecosystem that can be vulnerable to unsuspecting attacks from within. Bottom line - ensuring that an outside vendor does not plainly create another external repository of the healthcare organization's data that can then open up the company's confidential infrastructure to breach and criminal exploitation is unquestionably a top priority.

Step Three: Plain and simple - start early but start now! The Ponemon Report clearly demonstrates the urgency of getting an effective vendor management program started. Many organizations are seeing a marked increase in regulatory fines and investigations as a result of enforcement. With a global supply chain comes global regulatory obligations. The EU's General Data Protection Regulation ("GDPR") levies hefty fines for failure to comply, and the California Consumer Privacy Act of 2018 ("CCPA") does technically exempt covered entities under the Health Insurance Portability and Accountability Act ("HIPAA"). Such exemption however may only apply to protected health information ("PHI") and not the other personal or financial data that hackers appear to be presently targeting.

In sum, vendor management is broken, but not beyond repair, for many pharmaceutical companies. Current approaches to manage the risks of third-party vendors are falling increasingly short of what is necessary in this cybersecurity environment. Regardless of where an organization sits in the life sciences field, vendor management is a key component to any data privacy or cybersecurity initiative. Finding the right legal, technological and management team is above all critical. If COVID-19 has demonstrated anything, it is the importance of having trusted vendors that can quickly pivot and adapt. Using the knowledge we have gained from this crisis can and should inform the vendor management programs that healthcare organizations implement going forward. After all and as any profitable (or successful) organization knows, organizations are only as strong as their weakest vendor link.

Rebecca L. Rakoski, Esquire, Co-Founder and Managing Partner at XPAN Law Group, LLC​, rrakoski@xpanlawgroup.com​