Speaking at BIO 2015 in Philadelphia yesterday, Weatherford said private industry is increasingly expected to cope with serious hackers who would once have been fought off only by the military.
“Indifference” from outsourcing partners to potential threats is rife, said the cybercrime expert. “They consider it trivial: ‘My clients aren’t asking for it, so why should I do it?’” But pressure from victimised consumers and the government is beginning to change attitudes, he added.
Cyber attacks: the threat to pharma
The potential for corporate losses from cyber attacks goes far beyond downtime and lost revenue. Companies can be sued for breach of contract or required to repeat clinical trials. If attacks delay the release of medicines to patients, they can endanger lives and result in punitive damages, said BIO’s panel on cybercrime.
Weatherford’s warning was echoed by Christina Reisinger, Senior Director, Enterprise Risk Management at CDMO Covance, who said the issue is no longer a worry only for IT departments:
“Boards of directors are getting concerned.” Leaked data can push share prices up or down, potentially incurring an SEC fine for negligent companies.
She said drug companies should consider the weaknesses in all their relationships, from research contracts to materials supply, big data, logistics, cloud solutions such as Salesforce used by sales and marketing companies, and file-sharing services.
Patient medical data are shared with numerous organisations throughout development and manufacturing, including data analytics and data mining service companies. All are links in the chain where confidential information could be leaked, opening up outsourcing companies to breach-of-contract claims by sponsors.
The industry has “a lot of confidence in blinded data,” said Reisinger. “Guess what: that data can be unblinded pretty quickly.”
Threats are not limited to lone criminals, she added. Clinical trial sites in popular research countries like Russia, India, and China are often state-owned, so sponsors “need to be careful about the flow of information” in countries known for their cyber espionage. While these markets are “desperate” for the healthcare that comes with hosting clinical trials, “it’s a huge risk for us,” she said.
Cyber attacks revealing confidential data or delaying supply chains can expose pharma companies to litigation from all sides, according to Ernie Koschineg of law firm Cipriani & Werner.
Other organisations can claim breach of contract around IP protection promises, while private individuals can bring class-action lawsuits on negligence grounds, and government agencies can also pursue hacked businesses.
For now, the extent of legal liability in this area is unclear. “No one in the world is an expert yet,” warned Koschineg, saying there are only a handful of US appellate and Supreme Court precedents, “but the law is growing every week.”
Covance’s Christina Reisinger stressed that pharma companies must protect themselves with business continuity plans which assess the risks and vulnerabilities of third-party suppliers. Even if attacks on outsourcing vendors do not involve drugmakers’ data, they can still cause supply delays, especially if the vendors are the sole source of an API.
Auditors should view outsourcing companies’ own risk plans, she said, but warned “don’t expect a copy,” as having them in circulation means needless exposure.
In February this year, Chinese hackers accessed the personal information of 80 million patients held by US health insurance company Anthem Inc. Three months previously, North Korean group “Guardians of Peace” claimed credit for releasing confidential data belonging to Sony Pictures Entertainment.
Cyber attacks have shaken pharma companies. In 2011 a former employee of Japanese company Shionogi remotely accessed the company’s computer infrastructure and deleted servers housing email, order tracking, and financial management software, leading to losses over $300,000.
Who is behind the threats?
There are three types of “bad guys”, according to Homeland Security expert Mark Weatherford.
Theft of intellectual property by nation states like:
- North Korea
Identity theft and supply chain manipulation by international criminals based in:
- Eastern Europe
- The Americas
“Hacktivists” and terrorists
Hacking for the “lulz”, political aims, and retribution. “This is where I worry the most, because these folks truly do not care about the ramifications of their actions.”
- Al Qassam Cyber Fighters
- Syrian Electronic Army
- Guardians of Peace