What Has Pharma Learned from the Merck Cyber Attack

November 15, 2018
Chris Souza
Pharmaceutical Executive

One year after the Merck cyber attack, pharma takes stock of what the industry has learned and what to do moving forward.

If you had to make a list of some of the most pressing issues that we're facing as a society, cybersecurity would undoubtedly be right at the top. Cybersecurity is a pressing issue to pharmaceutical businesses in particular, for a significant number of reasons.

In 2017, one study revealed that about 54% of companies experienced one or more successful attacks that compromised data and/or their larger IT infrastructure at some point in the year. A massive 77% of those attacks utilized file-less techniques, meaning that instead of tricking someone into downloading and installing a virus, the attacks were executed using vulnerabilities that were already there.1

According to another study conducted by Deloitte, the pharmaceutical sector is regularly the number one target of cyber criminals around the world, particularly when it comes to stealing intellectual property. In the UK, for example, total damages from IP theft amounted to 9.2 billion pounds during 2017. A significant 1.8 billion of that was attributed to pharmaceutical, biotechnology, and healthcare organizations.2

One of the biggest such attacks in recent memory struck Merck & Company. All told, the company employs more than 69,000 people and had an operating income of about $6.52 billion in 2017 alone.3 If this type of attack can hit a company as large and as old as Merck, it can happen to anyone, which is why learning from situations like these is always of paramount importance.

The Merck cyber attack: What actually happened?

In June of 2017, word first broke that Merck was just one of more than a dozen businesses that were hit with a massive ransomware attack that ultimately ended up affecting organizations all over the world.4 One morning, Merck employees arrived in the company's offices all over the world to find a ransomware message on their computers. There was not a single location within the company that managed to get by unscathed.

Merck was quick to discover what so many other organizations already know: ransomware attacks are not to be trifled with. By the time the incident was said and done, the organization had suffered a total worldwide disruption of its operations, which forced a halt on the production of new drugs and ultimately made a significant impact on its revenue for the year.5

But Merck wasn’t the only entity affected by this incident. It was estimated in October of 2017 that insurers could be forced to pay out as much as $275 million to cover the insured portion of the drugmaker's loss from the ransomware attack.6

What have we learned?

To the industry's credit, organizations do seem to have learned a great deal from the Merck incident, as evidenced by another high-profile intrusion attempt in July of 2018, this time against LabCorp.

Thankfully, LabCorp officials were able to detect suspicious activity almost immediately, far better than the 206-day average. They also took only 50 minutes to contain the damage, thus mitigating the major ramifications moving forward. The difference between Merck's response and LabCorp's is significant, but straightforward just the same. Merck had a reactive approach to cybersecurity. LabCorp had a proactive one.

During that 50-minute window, some 7,000 LabCorp computers were affected, along with other resources like 300 production servers, and LabCorp says that it had 90% of those assets back online just seven days after the attack, which in their case was a more than acceptable recovery time.

LabCorp had a detailed response plan that they were able to act on immediately after the attack began. This helped them contain and minimize the impact of the attack, and their own CEO cites this level of preparation as a big part of what saved them. As a preemptive measure, they also instantly shut down certain strategic services in an effort to protect the confidentiality of their data.

All told, what happened in the aftermath of LabCorp's attack looked far different than what happened immediately following Merck's. But how do you make sure that your own cybersecurity situation looks far more like the latter than it does the former? That, of course, requires you to keep a few key things in mind.

What do we do moving forward?

In an effort to help mitigate risk from these types of attacks moving forward, pharmaceutical companies need to be willing to learn from each other's mistakes and act accordingly. This isn't something that affects one organization more than others based on size or location; this type of attack can hit any company at any time, and collectively, everyone needs to be ready. Everyone must be accountable, too. A company's cybersecurity posture cannot depend on the IT department alone. All employees and key stakeholders must take the situation equally seriously, and they must engage in cybersecurity best practices every day to help the organization as a whole avoid these types of incidents in the future.

First, it's important to understand the industry-specific consequences that such a breach might entail. As Merck showed, a total disruption of an entire business is likely if you become the target of this type of significant breach, but that's not the end of the story. Additional factors to consider include losses stemming from things like:

  • Stolen intellectual property

  • Being forced to repeat costly and time-consuming clinical trials

  • Litigation stemming from the breach itself

  • Lost revenue

  • Damages to products that are already in development or production

  • Significant production shortages in the supply chain

Experts agree that in terms of pharmaceutical businesses in particular, hackers are looking for a company's most valuable and sensitive data during an intrusion attempt.7 This includes elements like clinical data, IP, formulas for compounds, and in some cases patient or employee personal data as well. The amount of money that a hacker can get for a stolen proprietary formula on the black market significantly eclipses what they might be able to get for something like stolen credit card information. One study from the Security Strategy Risk & Compliance Division at IBM, for example, revealed that a stolen EMR alone can be sold for up to $350 on the dark web.8 With 3.15 million records being exposed across 142 industry breaches in Q2 of 2018 alone, you can quickly see how it can add up. The amount that people can make using health information to blackmail individuals is even higher.9

Therefore, it's far more likely that they'll target industries that yield bigger payouts than they would get by going after someone like a private citizen via identity theft.

It's also important to learn from the mistakes made by organizations like Merck in an effort to make sure you don't repeat them yourself. "Merck's problem was that they had systems, partners, contractors, and subcontractors that were not secure and patched in the ways that they should have been," said Kenneth Sprague, our Senior Security Engineer here at TSI. "Pharmaceutical businesses in particular need to understand that all of these systems are connected. If any link in the chain is broken, the entire chain becomes compromised. You need to be on the ball. Yes, security and patching are an ongoing battle, especially when you consider the changing threat environment we're dealing with. But it's something you have to do in order to survive."

One of the issues with "Big Pharma" from an IT perspective is that oftentimes organizations are dealing with infrastructures that are a collection of legacy systems, multiple systems that are difficult to properly integrate (and secure), Excel spreadsheets, purpose-built cloud systems, and more. Gaining the level of visibility one would need to adequately secure these resources is an ongoing and reactive process that requires the coordination of your vendors, operational methodologies, and company culture. Merck's breach could arguably be attributed solely to a cultural flaw: they siloed IT and overlooked it. Legacy systems, for example, often lack the vendor support needed to update them against the latest threats. That alone will leave an organization like Merck exposed, regardless of how large they are.

All of this is a particularly pressing issue for smaller pharma companies as well. Oftentimes these organizations fail to believe that IT and planning for growth should be an area of immediate focus when, in reality, it couldn't be more important. Not only can IT empower the growth of an organization if properly built for agility and aligned with its long-term goals, but remember that preparation is the only thing that saved Merck from disaster.

In the end, the most important thing for pharmaceutical companies, regardless of their size, to understand is that getting hit with this type of cyber attack is no longer a question of "if," but "when?" You can invest in all of the cybersecurity measures that you want; it still won't prevent you from one day becoming the target of hackers with malicious intentions. But if you know what someone is after, the good news is that you now have a much better chance of mounting the specific defense needed to protect it. That insight will act as your first line of defense against these types of cyber criminals in the future.

References

 

Chris Souza is the CEO for Massachusetts-based managed IT services provider, Technical Support International. Chris can be reached at csouza@tsisupport.com or through the TSI website.