Beating back ransomware: How hospitals, tech vendors and big pharma can help each other
U.S.-based pharmaceutical kingpin Merck was among many organizations affected June 27 by the Petya cyberattack, showing that pharmaceutical giants are just as susceptible to attack as hospitals and health systems. The same goes for IT vendors: Nuance experienced service outages that lasted longer than two weeks. And it goes for providers, including Princeton Community Hospital in West Virginia, which had to replace computers after the incident.
Hospitals, technology vendors, even big pharma: When it comes to today’s cyberattacks they share the same risks and they can all learn from each other.
A recent examination of threats pharmaceutical companies face and how they deal with them, for instance, holds lessons for hospital and IT information security professionals.
BitSight researchers estimated that 89 percent of pharmaceutical companies are vulnerable to DROWN (a cross-protocol attack against servers that still offer SSLv2) and 98 percent are vulnerable to a Logjam attack (which forces a TLS handshake down to a 512-bit export-grade Diffie-Hellman group). These vulnerabilities allow hackers to downgrade the encryption of client-server connections and potentially eavesdrop on their communications, said Stephen Boyer, chief technology officer and co-founder of BitSight Technologies.
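Both weaknesses are configuration problems a server owner can find before a scanner does. The linter below is an added example written for this article; it is not BitSight's tooling and the configuration text it checks is constructed. It assumes nginx directive names (ssl_protocols, ssl_ciphers, ssl_dhparam), approximates the OpenSSL 1.0.x cipher-alias semantics under which ALL still included export suites, and reads the Diffie-Hellman group size directly from a DH PARAMETERS PEM so that a 512-bit group is flagged even when the cipher string looks clean. The make_dh_pem helper builds a non-prime p purely so the parser can be exercised offline; it must never be used to generate real parameters.

```python
"""Lint an nginx-style TLS configuration for the DROWN and Logjam preconditions.

Added example for this article, not BitSight's scanner. Directive names follow
nginx; cipher-alias handling approximates OpenSSL 1.0.x, which still shipped
export suites. Verify findings against the running server before acting on them.
"""
from __future__ import annotations

import base64
import re

# Aliases that positively select 512-bit export-grade suites ...
EXPORT_ALIASES = {"EXPORT", "EXP", "EXPORT40", "EXPORT56", "EXP40", "EXP56"}
# ... and broad aliases that include them unless !EXPORT or !EXP is also given.
BROAD_ALIASES = {"ALL", "COMPLEMENTOFDEFAULT"}
MIN_DH_BITS = 2048  # the Logjam paper treats 1024-bit groups as within nation-state reach


def _der_len(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_len(buf: bytes, i: int) -> tuple[int, int]:
    """Decode the DER length at buf[i]; return (length, index of first content byte)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def _der_int(value: int) -> bytes:
    # (bit_length + 8) // 8 adds a leading 0x00 exactly when the top bit is set.
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(raw)) + raw


def make_dh_pem(bits: int) -> str:
    """CONSTRUCTED test fixture: a DH PARAMETERS PEM whose p has `bits` bits.
    p is not prime; this exists only so dh_prime_bits() can be tested offline."""
    content = _der_int((1 << (bits - 1)) | 1) + _der_int(2)
    b64 = base64.b64encode(b"\x30" + _der_len(len(content)) + content).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def dh_prime_bits(pem: str) -> int:
    """Bit length of p in a DH PARAMETERS PEM: DER SEQUENCE { INTEGER p, INTEGER g }."""
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    der = base64.b64decode(body)
    if der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, i = _read_len(der, 1)
    if der[i] != 0x02:
        raise ValueError("expected INTEGER p")
    plen, i = _read_len(der, i + 1)
    return int.from_bytes(der[i:i + plen], "big").bit_length()


def parse_directives(config: str) -> dict[str, list[str]]:
    """Minimal nginx-style parser: strip '#' comments, then 'name arg arg;' per directive."""
    stripped = re.sub(r"#[^\n]*", "", config)
    return {m.group(1): [t.strip("'\"") for t in m.group(2).split()]
            for m in re.finditer(r"(\w+)\s+([^;{}]+);", stripped)}


def lint_tls_config(config: str, dh_pem: str | None = None) -> list[str]:
    """Return findings. dh_pem is the content of the file named by ssl_dhparam,
    passed in directly so the example needs no filesystem access."""
    d = parse_directives(config)
    findings: list[str] = []

    if "SSLV2" in {p.upper() for p in d.get("ssl_protocols", [])}:
        findings.append("DROWN: SSLv2 enabled; any SSLv2 endpoint sharing this RSA key "
                        "(even another host) lets an attacker decrypt TLS sessions to this one")

    tokens = [t.upper() for t in ":".join(d.get("ssl_ciphers", [])).split(":") if t]
    enabled = {t for t in tokens if not t.startswith("!")}
    disabled = {t[1:] for t in tokens if t.startswith("!")}
    export_excluded = bool(disabled & {"EXPORT", "EXP"})
    if enabled & EXPORT_ALIASES or (enabled & BROAD_ALIASES and not export_excluded):
        findings.append("Logjam: cipher string admits DHE_EXPORT suites; a man-in-the-middle "
                        "can downgrade the handshake to a 512-bit DH group")

    if "ssl_dhparam" in d and dh_pem is not None:
        bits = dh_prime_bits(dh_pem)
        if bits < MIN_DH_BITS:
            findings.append(f"Logjam: ssl_dhparam group is {bits} bits; use {MIN_DH_BITS} or more")
    return findings


# Constructed sample configurations: a 2015-era server and a hardened replacement.
WEAK_CONFIG = """
ssl_protocols SSLv2 SSLv3 TLSv1;   # legacy clients
ssl_ciphers ALL:!aNULL;
ssl_dhparam /etc/nginx/dh512.pem;
"""
HARDENED_CONFIG = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305;
ssl_dhparam /etc/nginx/dh2048.pem;
"""

if __name__ == "__main__":
    for name, cfg, pem in (("weak", WEAK_CONFIG, make_dh_pem(512)),
                           ("hardened", HARDENED_CONFIG, make_dh_pem(2048))):
        print(name, lint_tls_config(cfg, pem) or ["no findings"])
```

The DH check is the part most scanners get right and most administrators forget: a server can advertise only strong cipher suites and still hand out a 512-bit group generated years ago. The cipher-alias logic is deliberately conservative about OpenSSL semantics, so treat a clean result as a reason to run an external handshake test, not as proof.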
“It’s important to consider that many pharmaceutical companies work with large, distributed networks of vendors, many of which have access to valuable intellectual property and the personal information of research participants, employees and doctors,” Boyer said. “As a result, it’s especially important for pharmaceutical companies to protect not just their own networks, but to also continuously monitor the security posture of their trusted vendors.”
The loss of intellectual property can be particularly damaging in the pharmaceutical sector, he added. The same holds for the intellectual property of IT vendors, and for the protected health information and personally identifiable information held by hospitals and health systems.
“As the threat of new attacks becomes more common, and potential new cybersecurity regulations arise, we will likely see an added focus on end-user training and awareness in addition to additional investment in new tools and capabilities to monitor third parties,” he said.
Recent ransomware attacks, of course, have brought to light new cybersecurity issues and the steps organizations need to take to protect their data.
“These organizations must be vigilant about monitoring the security of their own networks as well as the networks of their vendors and other third parties,” Boyer advised. “To optimize their vendor risk management processes, teams should categorize their vendors, tier them based on their criticality to the business, and establish formal lines of communication so that when security issues arise, they can resolve them quickly and effectively with the appropriate contacts.”
Additionally, healthcare entities should look for ways to stay on top of emerging threats in their sector by assessing how their industry peers are performing against new vulnerabilities and data breaches, Boyer added. Many are changing their organizational structure and executive reporting lines to improve risk management both internally and across the extended enterprise ecosystem, he said.
Boyer said there are more areas where pharmaceutical companies and healthcare provider organizations should be taking the same precautions.
“Systems need to be protected and updated, users need to be aware of threats, and staff must be trained to identify issues and quickly respond,” he said. “Vendor risk teams should also monitor the security posture of their trusted vendors and identify the appropriate contact at each vendor site so that when security issues arise, they can respond in a timely manner and reduce their exposure to risk.”