BIO 2015

Ex-Homeland Security cyber chief warns of threats to pharma

By Fiona BARRY

- Last updated on GMT

Hacking groups like Anonymous and LulzSec are a threat to industry, say experts
Hacking groups like Anonymous and LulzSec are a threat to industry, say experts

Related tags Pharma companies Clinical trial

The pharma industry must fight “vendor indifference” so suppliers and services companies are not prey to cyber attacks that can lose drug companies hundreds of thousands of dollars in minutes, according to US Homeland Security’s former head of cybercrimes Mark Weatherford.

Speaking at BIO 2015 in Philadelphia yesterday, Weatherford said private industry is increasingly expected to cope with serious hackers who would once have been fought off only by the military.

Indifference​” from outsourcing partners to potential threats is rife, said the cybercrime expert. “They consider it trivial: ‘My clients aren’t asking for it, so why should I do it?’​” But pressure from victimised consumers and the government are beginning to change attitudes, he added.

Cyber attacks: the threat to pharma

The potential for corporate losses from cyber attacks goes far beyond downtime and lost revenue. Companies can be sued for breach of contract or required to repeat clinical trials. If attacks delay the release of medicines to patients, they can endanger lives and result in punitive damages, said BIO’s panel on cybercrime.

Weatherford’s warning was echoed by Christina Reisinger, Senior Director, Enterprise Risk Management at CDMO Covance, who said the issue is no longer a worry only for IT departments:

Boards of directors are getting concerned.​” Leaked data can push share prices up or down, potentially incurring an SEC fine for negligent companies.

She said drug companies should consider the weaknesses in all their relationships, from research contracts to materials supply, big data, logistics, cloud solutions such as SalesForce used by sales and marketing companies, and file-sharing services.

Patient medical data are shared with numerous organisations throughout development and manufacturing, including data analytics and data mining service companies. All are links in the chain where confidential information could be leaked, opening up outsourcing companies to breach-of-contract claims by sponsors.

The industry has “a lot of confidence in blinded data,” said Reisinger.  “Guess what: that data can be unblinded pretty quickly.​”

Threats are not limited to lone criminals, she added. Clinical trial sites in popular research countries like Russia, India, and China are often state-owned, so sponsors “need to be careful about the flow of information​” in countries known for their cyber espionage. While these markets are “desperate​” for the healthcare that comes with hosting clinical trials, “it’s a huge risk for us,​” she said.

Liability

Cyber attacks revealing confidential data or delaying supply chains can expose pharma companies to litigation from all sides, according to Ernie Koschineg of law firm Cipriani & Werner.

Other organisations can claim breach of contract around IP protection promises, while private individuals can bring class-action lawsuits on negligence grounds, and government agencies can also pursue hacked businesses.

For now, the extent of legal liability in this area is unclear. “No one in the world is an expert yet,​” warned Koschineg, saying there are only a handful of US appellant and Supreme Court precedents, “but the law is growing every week.​”

Defence plans

Covance’s Christina Reisinger stressed pharma companies must protect themselves with business continuity plans which assess the risks and vulnerabilities of third party suppliers, said Reisinger. Even if attacks on outsourcing vendors do not involve drugmakers’ data, they can still cause supply delays, especially if they are the sole source of an API.

Auditors should view outsourcing companies’ own risk plans, she said, but warned “don’t expect a copy,​” as having them in circulation means needless exposure.

Cyber threats

In February this year, Chinese hackers accessed the personal information of 80 million patients held by US health insurance company Anthem Inc. Three months previously, North Korean group “Guardians of Peace” claimed credit for releasing confidential data belonging to Sony Pictures Entertainment.

Cyber attacks have shaken pharma companies. In 2011 a former employee of Japanese company Shionogi remotely accessed the company’s computer infrastructure​ and deleted servers housing email, order tracking, and financial management software, leading to losses over $300,000.

Who are behind the threats?

There are three types of “bad guys”, according to Homeland Security expert Mark Weatherford.

Cyber espionage

Theft of intellectual property by nation states like:

  • China
  • Russia
  • Iran
  • North Korea

Cyber Crime

Identity theft and supply chain manipulation by international criminals based in:

  • Russia
  • Eastern Europe
  • Asia
  • The Americas

“Hacktivists” and terrorists

Hacking for the “lulz​”, political aims, and retribution. “This is where I worry the most, because these folks truly do not care about the ramifications of their actions​.”

  • Anonymous
  • LulzSec
  • Al Qassam Cyber Fighters
  • Syrian Electronic Army
  • Guardians of Peace

Related news

Show more

Related products

show more

Ultra Low Temperature Packaging solutions

Ultra Low Temperature Packaging solutions

Content provided by Almac Group | 12-Feb-2024 | Case Study

Advanced Therapy Medicinal Products (ATMPs) offer ground-breaking opportunities for treating injuries and disease, in particular for cases of severe, untreatable...

Using Define-XML to build more efficient studies

Using Define-XML to build more efficient studies

Content provided by Formedix | 14-Nov-2023 | White Paper

It is commonly thought that Define-XML is simply a dataset descriptor: a way to document what datasets look like, including the names and labels of datasets...

Related suppliers

Follow us

Products

View more

Webinars