Are You a Target? Weighing Cybersecurity Risk Factors in Life Sciences & Healthcare

by Richard Golob, VP, Global Head of Life Sciences, EPAM

August 15, 2017

Cyberattacks are More Common in Life Sciences & Healthcare

Data breaches and other types of modern, large-scale cyberattacks have been making headlines for more than a decade, but recently, it seems like organizations in the life sciences and healthcare industry have been taking on more than their fair share. As it turns out, it doesn’t just seem that way – it’s actually happening, according to Verizon’s 2017 Data Breach Investigations Report, which states that 15% of these attacks hit healthcare organizations.

We don’t have to go very far back in time for a good example of one of these attacks on a healthcare or pharma organization. On June 27, 2017, Merck, one of the largest pharma companies in the world, and 2,000 other companies were hit with ransomware called Petya that infected employees’ computers across 65 countries and left a ransom note demanding a bitcoin payment to decrypt their infected files. Weeks later, the pharma giant is still trying to get its infrastructure back on track.

So, before a company like Merck – or any company for that matter – can determine a plan of action to prevent the next cyberattack, it must consider why the attack happened in the first place. With that in mind, let’s explore a few narratives that could come into play in the process of becoming a cyberattack target.

Four Narratives that Could Explain Why

  1. A decade ago, cybersecurity was all about securing the perimeter to ensure that corporate IT systems were closed to outsiders. In the past five years, however, working remotely has become increasingly common, with a high percentage of employees working outside of the perimeter, accessing sensitive data through the cloud and unsecured systems, and often doing it all via a mobile device. As a result, the entire enterprise has become fundamentally more vulnerable, making it difficult to determine where the perimeter ends and the outside world begins.
  2. Healthcare and life sciences companies have long been slow to innovate when it comes to digital, and this hasn’t been helped by the fact that technology is not their core business proposition. In fact, as other industries have had to adopt new business models to grow their revenues, which typically resulted in disproportionate investment into technology, healthcare and life sciences have stayed a little behind the digitization curve.
  3. For many organizations, being slow to innovate is not by choice. Instead, it’s often for compliance reasons, like in a scenario where a business has to choose between meeting the latest regulatory standard and rolling out a new technology. In this case, the company may stay in business without the new software component, but not without meeting the regulatory standard. Indeed, compliance has long been a burden to the CIO agenda.
  4. Finally, considering the above narrative about the ever-expanding perimeter and how the June cyberattack on Merck affected so many employees, it’s worth noting that the companies making headlines for data breaches aren’t small or even medium-sized. Instead, hackers go after the biggest and, by extension, most profitable targets – companies with the highest numbers of employees, locations, and potential entry points.

How to Plan for What’s Next

Considering the size and scope of the data breach against Merck, it’s hard not to start posing what-if questions. What if they had implemented better or more security controls sooner? What if they had run a mixture of Windows and iOS to stave off Windows-attacking viruses like WannaCry and Petya? What if they had identified the virus before it made its way across the entire enterprise?

There will always be what-ifs, but with so many possible access points for a data breach, it’s nearly impossible to ever be 100% uncompromised, especially when you’re a huge company trying to balance growth and revenue with compliance and security.

It’s not easy, but it is absolutely worth your time to not only determine a plan to improve your cybersecurity, but also create a plan for how to respond if your company falls victim to a cyberattack. The best way to get started is to assume you’re already compromised, or that you’ll be compromised tomorrow at the latest, and then find a partner who can help you. The faster you make cybersecurity a priority, the better off you’ll be.