Looking Ahead: Cybersecurity Threats for Life Sciences

by Danilo Maruccia, Executive Consultant, and Stephen Tyrpak, Associate Vice President of MD Operations, US & Canada @ PQE Group

Global Malware, Ransomware and Phishing Attacks in 2022 and CIO Concerns in 2023

In the first half of 2022, there were 2.8 billion worldwide malware attacks [1] and 236.1 million ransomware attacks [2]. By year-end 2022, it was expected that six billion phishing attacks [3] would have been launched [4]. As we move into 2023, cybersecurity continues to top the list of CIO concerns [5]. This comes as no surprise.

Cybercriminals have engaged in cyberattacks against healthcare organizations for years, and ransomware continues to be relevant despite efforts to combat it. Data breaches remain a common issue, and companies remain vulnerable. Threats are evolving and becoming more sophisticated and effective, and new attack vectors are increasingly used. Managed service providers, supply chains, and open source software are among those being compromised. And while governments are increasingly aggressive in fighting back, healthcare organizations have as big a role as ever in defending themselves [6].


Ransomware Attacks: A Permanent Threat in the Cyber Landscape and the Need for Adaptation

As threats become more significant, and as attackers continually change their strategies and methods, organizations must relentlessly adapt to the ever-increasing efforts of hackers and their intrusive operations [7]. Ransomware attacks are now a permanent feature of the cyber threat landscape, increasing in number and sophistication. Ransomware as a service (RaaS) providers continually improve their software, and RaaS has also made it easier for a wide range of threat actors, including those with little technical knowledge, to deploy ransomware against targets. This new paradigm consists of a core group of developers who set up and maintain the ransomware and the payment sites, and the affiliates they recruit who breach victims' networks and encrypt devices. Because of the significance and prevalence of ransomware and its impact, the United States Cybersecurity and Infrastructure Security Agency (CISA) published its guidance on ransomware [8].

Attacks on life sciences and healthcare providers, including health technology, pharmaceutical, biotechnology and medical device companies, have increased significantly in recent years; the World Health Organization, for example, reported a fivefold increase in attacks in 2020 [9]. The growth in data loss and ransomware attacks critically exposes these companies and organizations and disables medical equipment and devices. The risks can lead to catastrophic consequences, including:

  • Patient safety risks and death
  • Intellectual property theft
  • Legal liability and lawsuits
  • Regulatory penalties and fines
  • Reputational damage

Several steps should be taken, on an ongoing basis, to mitigate cybersecurity and privacy risks [10]. These include:

  • Performing privacy and security risk assessments to determine whether potential risks and vulnerabilities exist, and working with external counsel to mitigate the risks and vulnerabilities identified;
  • Evaluating existing privacy and security policies and cybersecurity insurance coverage to project the cost of an incident and address gaps in coverage;
  • Evaluating enterprise-wide personal information collection and retention practices to ensure compliance with state, federal, and international data collection laws;
  • Providing training on phishing and ransomware awareness best practices to all types of staff, not just information technology (e.g., how attackers conduct these attacks, what threat actors are looking for, and practical advice for spotting and reporting the threat);
  • Including indemnification, restrictions on data use and other protective clauses in vendor contracts, and conducting regular contract reviews.

The Future of Connected Medicine: Potential and Cybersecurity Risks

We believe that the future of healthcare is connected medicine. The potential for integrated pharmaceutical/biotech products and medical devices is infinite. It includes innovations such as knee implants that connect to a phone to track pH and degradation and can notify the patient or doctor of a possible infection or complication. Other examples are heart valves that provide diagnostic feedback to a doctor to help optimize pharmacological treatment, or a chip implanted under the skin that reports whether a cancer patient in remission is showing diagnostic signs that the cancer may have returned.

While these may sound improbable, there was a time when nobody believed a pacemaker could save a person's failing heart. The one thing all of these have in common is that, if they were to enter the market, they would be highly dependent on appropriate software and IT communication and would ultimately call for a new level of cybersecurity. Until now, most cybersecurity concerns have focused on protecting patient and institutional information, which is critical and has costly impacts. However, as technology continues to progress, cybersecurity threats may cost organizations their earnings and reputations, and people their lives.

Pharmaceutical, biotech and medical device companies must design their products with built-in, robust cybersecurity measures, while performing appropriate cybersecurity risk assessments with the help of cybersecurity experts. As technologies continue to evolve, the need for these specialized professionals to identify the exact cybersecurity risks associated with a product is critical. As with any risk matrix, you cannot mitigate a risk if you do not know its potential harm.

In Conclusion

Healthcare businesses are becoming increasingly concerned about the possibility of cyberattacks as a result of the sharp rise in ransomware attacks in recent years. Patient safety, intellectual property theft, legal ramifications, regulatory fines, and reputational harm are just a few of the catastrophic effects of these attacks. Proactive actions must be taken to reduce these risks, including privacy and security risk assessments, reviews of privacy and security policies, staff training, and the inclusion of indemnification clauses in vendor agreements.

As technology develops, healthcare firms must incorporate strong cybersecurity safeguards into their product designs to protect against possible attacks. The need for specialist cybersecurity expertise to detect and mitigate the risks associated with new products is crucial as the threat landscape changes.

***

PQE Group is an ISO 9001-certified technology solutions and compliance consulting services company for the life sciences industry, providing global capabilities deliverable throughout the entire product quality life cycle. Established in 1998, PQE has 30 offices worldwide and more than 1500 industry subject matter professionals. PQE specializes in areas including Data Integrity Assurance, Digital Governance and Cybersecurity, Medical Devices, Qualification and Engineering, Laboratory Excellence, Quality Compliance, Regulatory Affairs, and Third-Party Audits. It also has a proven track record managing large multi-site projects as well as small, medium, and start-up pharmaceutical, biotech, and medical device clients.

PQE Group's highly professional subject matter experts can help ensure your IT systems are safe from ransomware, hackers, and other cyber threats. By partnering with PQE Group, you can be confident that your company will maintain FDA (and other regulatory agency) compliance and that your product can be safely developed and manufactured.  

References

  1. Number of malware attacks per year 2022 | Statista
  2. Number of ransomware attacks per year 2022 | Statista
  3. Phishing attack statistics 2022 (cybertalk.org)
  4. Top cybersecurity threats (techrepublic.com), https://www.techrepublic.com/article/top-cybersecurity-threats/
  5. Cybersecurity Tops the CIO Agenda as Threats Continue to Escalate (WSJ)
  6. Title (hhs.gov)
  7. Mandiant Cyber Security Forecast 2023 (mandiant.com)
  8. CISA MS-ISAC Ransomware Guide
  9. 2020: The Year the COVID-19 Crisis Brought a Cyber Pandemic (govtech.com)
  10. Cybersecurity and Privacy Threats and Risks for Life Sciences and Healthcare Companies (orrick.com)
