Lessons for Pharma from the Merck Cyber Attack

December 10, 2018

Pharmaceutical Executive

Volume 38, Issue 12

Almost a year and a half later, key understandings have emerged to help companies better combat future data-breach attempts.

If you had to make a list of some of the most pressing issues that we’re facing as a society, cybersecurity would undoubtedly be right at the top. Cybersecurity is a critical and closely watched issue for pharmaceutical businesses in particular, for a number of reasons.

In 2017, a study conducted by Ponemon Institute revealed that about 54% of companies experienced one or more successful attacks that compromised data and/or their larger IT infrastructure at some point in the year. A massive 77% of those attacks utilized file-less techniques, meaning that instead of tricking someone into downloading and installing a virus, the attacks were executed using vulnerabilities that were already there.

According to another study conducted by Deloitte, the pharmaceutical industry is regularly the number one target of cyber criminals around the world, particularly when it comes to stealing intellectual property (IP). In the UK, for example, damages from IP theft totaled 9.2 billion GBP during 2017. A significant 1.8 billion of that was attributed to pharmaceutical, biotechnology, and healthcare organizations.

One of the biggest such attacks in recent memory struck Merck & Co. All told, the company employs more than 69,000 people and reportedly had an operating income of about $6.52 billion in 2017 alone. If this type of attack can hit a company as large and as old as Merck, it can happen to anyone, which is why learning from situations like these is always of paramount importance.

What actually happened?

In June 2017, word first broke that Merck was just one of dozens of businesses that were hit with a massive ransomware attack that ultimately ended up affecting organizations all over the world. On the morning of June 27, Merck employees arrived in the company’s offices across the globe to find a ransomware message on their computers. There was not a single location within the company that managed to get by unscathed, according to published reports at the time. 

When the incident was said and done, the pharma giant suffered a total worldwide disruption of its operations, forcing a halt on the production of new drugs, which ultimately impacted the company’s revenue for the year.

Merck, of course, wasn’t the only entity affected by the cyber attack, which reportedly began in Ukraine, then spread quickly through corporate networks of multinationals with operations or suppliers in Eastern Europe. Nevertheless, according to published reports four months later, it was estimated that insurers could pay out as much as $275 million to cover the insured portion of Merck’s loss from the ransomware attack.

What have we learned?

To the industry’s credit, organizations do seem to have learned a great deal from the Merck incident, as evidenced by another high-profile intrusion attempt in July 2018, this time against North Carolina-based LabCorp.

Fortunately, LabCorp officials were able to detect suspicious activity almost immediately, far sooner than the 206-day average. The medical testing company took 50 minutes to contain the damage, thus mitigating the major ramifications moving forward.

During that 50-minute window, some 7,000 LabCorp computers were affected, along with other resources, such as 300 production servers. The company says that it had 90% of those assets back online seven days after the attack.

LabCorp had a detailed response plan that it was able to act on after the attack began. This helped the company contain and minimize the impact of the breach, and its own CEO cites this level of preparation as a big part of what saved the organization. As a preemptive measure, it also instantly shut down certain strategic services in an effort to protect the confidentiality of its data.

All told, what happened in the aftermath of LabCorp’s attack looked far different than what immediately followed Merck’s. But how does a biopharma or life sciences organization make sure that its own cybersecurity situation can be contained with hopefully limited fallout? That, of course, requires one to keep a few key things in mind.

What do we do moving forward?

In an effort to help mitigate risk from these types of cyber attacks in the future, pharmaceutical companies need to be willing to learn from each other’s mistakes and respond accordingly. This isn’t something that affects one organization more than others based on size or location; this type of data breach can hit any company at any time, and, collectively, everyone needs to be ready.

Organizations must also be accountable. A company’s cybersecurity posture cannot depend solely on an IT department. All employees and key stakeholders must take the situation equally seriously, and they must engage in cybersecurity best practices every day to help the organization as a whole avoid these types of incidents in the future.

First, it’s important to understand the industry-specific consequences that such a breach might entail. As the Merck case showed, a total disruption of an entire business is likely if you become the target of this type of significant breach, but that’s not the end of the story. Additional factors to consider include losses stemming from scenarios such as:

  • Stolen IP.

  • Being forced to repeat costly and time-consuming clinical trials.

  • Litigation stemming from the breach itself.

  • Lost revenue.

  • Damages to products that are already in development or production.

  • Significant production shortages in the supply chain.

Experts agree that in terms of pharmaceutical businesses in particular, hackers are looking for a company’s most valuable and sensitive data during an intrusion attempt. This includes elements like clinical data, IP, formulas for compounds, and, in some cases, patient or employee personal data. The amount of money that a hacker can get for a stolen proprietary formula on the black market significantly eclipses what they might be able to get for something like stolen credit card information. One study from the Security Strategy Risk & Compliance Division at IBM, for example, revealed that a stolen electronic medical record (EMR) by itself can be sold for up to $350 on the dark web.

With 3.15 million records being exposed across 142 industry breaches in Q2 of 2018 alone, according to data cited by Health IT Security, a network of Xtelligent Healthcare Media, one can quickly see how it can add up. The amount of money that people can make using health information to blackmail individuals is even higher.

Therefore, it’s far more likely that hackers will target industries that yield bigger payouts than they would get by going after a private citizen via identity theft, for example.

It’s also important for drug manufacturers to apply learnings from past cases in the industry, all of which involved systems, partners, contractors, and subcontractors. “Pharmaceutical businesses in particular need to understand that all of these systems are connected,” says Kenneth Sprague, senior security engineer at Technical Support International (TSI). “If any link in the chain is broken, the entire chain becomes compromised. You need to be on the ball. Yes, security and patching are an ongoing battle, especially when you consider the changing threat environment we’re dealing with. But it’s something you have to do in order to survive.”

One of the issues with big pharma from an IT perspective is that oftentimes organizations are dealing with infrastructures that are a collection of legacy systems, multiple systems that are difficult to properly integrate (and secure), Excel spreadsheets, purpose-built cloud systems, and more. Gaining the level of visibility one would need to adequately secure these resources is an ongoing and reactive process that requires the coordination of a company’s vendors, operational methodologies, and culture. Challenges can arise when IT functions are siloed. Legacy systems, for example, often lack the vendor support needed to update them against the latest threats. That alone can leave an organization exposed, regardless of how large it is.

This is a pressing issue for smaller pharma companies as well. Often, these organizations fail to believe that IT and planning for growth should be an area of immediate focus; in reality, it couldn’t be more important. IT can help empower the growth of an organization if properly built for agility and aligned with long-term goals.

Think like them

In the end, the most important thing for pharmaceutical companies, large or small, to understand is that getting hit with this type of cyber attack is no longer a question of “if,” but “when?” A company can invest in all of the cybersecurity measures that it wants; it still won’t prevent it from one day becoming the target of hackers with malicious intentions.

But if an organization knows what someone is after, the good news is that it’s now in a much better position to mount the specific defense needed to protect it. That insight will act as a company’s first line of defense against these types of cyber criminals in the future. 

 

Chris Souza is the CEO of Technical Support International. He can be reached at csouza@tsisupport.com
