Ransomware Attacks: A Permanent Threat in the Cyber Landscape and the Need for Adaptation
As threats become more significant, and as attackers continually change their strategies and methods, organizations must relentlessly adapt to the ever-increasing efforts of hackers and their intrusive operations [7]. Ransomware attacks are now a permanent feature of the cyber threat landscape, increasing in number and sophistication. Ransomware-as-a-service (RaaS) providers are continually improving their software, and RaaS has also made it easier for various threat actors, including those with little technical knowledge, to deploy ransomware against targets. This new paradigm consists of a core group of developers who set up and maintain the ransomware and payment sites, and the affiliates they recruit, who breach victims' networks and encrypt devices. Because of the prevalence of ransomware and the significance of its impact, the United States Cybersecurity and Infrastructure Agency published its guidance on ransomware [8].
Attacks on life sciences and healthcare providers, including health technology, pharmaceutical, biotechnology and medical device companies, have increased significantly in recent years. Among those targeted is the World Health Organization, which reported a fivefold increase in attacks in 2020 [9]. The growth in data loss and ransomware attacks on these organizations critically exposes them and disables medical equipment and devices. The risks can lead to catastrophic consequences, including:
- Patient Safety / Death
- Intellectual Property Theft
- Legal Liability Lawsuit
- Regulatory penalties and fines
- Reputational Damage
Several steps should be taken, on an ongoing basis, to mitigate cybersecurity and privacy risks [10]. These include:
- Performing privacy or security risk assessments to determine if potential risks and vulnerabilities exist, and working with external counsel to mitigate identified risks and vulnerabilities;
- Evaluating existing privacy and security policies and cybersecurity insurance coverage to project the cost of an incident and address gaps in coverage;
- Evaluating enterprise-wide personal information data collection and retention practices to ensure compliance with state, federal, and international data collection laws;
- Providing training to all types of staff, not just information technology, on phishing and ransomware awareness best practices (e.g., how attackers conduct it, what threat actors are looking for and practical advice for spotting and reporting the threat);
- Including indemnification, restrictions on data use and other clauses in vendor contracts to protect against harm, and conducting regular contract reviews.
The Future of Connected Medicine: Potential and Cybersecurity Risks
We believe that the future of healthcare is connected medicine. The potential for integrated pharmaceutical/biotech products and medical devices is infinite. It includes innovations such as knee implants that connect to a phone to track pH and degradation and can notify the patient or doctor of a possible infection or complication. Other examples are heart valves that can provide diagnostic feedback to a doctor to help optimize pharmacological treatment, or a chip implanted under the skin that could report if a cancer patient in remission is showing diagnostic signs that the cancer may have returned.
While these may sound improbable, there was a time when nobody believed a pacemaker could save a person's failing heart. The one thing that all of these have in common is that if they were to enter the market, they would be highly dependent on appropriate software and IT communication and would ultimately call for a new level of cybersecurity. Until now, most cybersecurity concerns have focused on protecting patient and institutional information, which is critical and has costly impacts. However, as technology continues to progress, cybersecurity threats may cost organizations their earnings and reputations, and people their lives.
Pharmaceutical, biotech and medical device companies must design their products with built-in, robust cybersecurity measures, while performing appropriate cybersecurity risk assessments with the help of cybersecurity experts. As technologies continue to evolve, the need for these specialized professionals to identify the exact cybersecurity risks associated with the product is critical. As with any risk matrix, you cannot mitigate the risk if you do not know its potential harm.
In Conclusion