Top 5 Cyber Risks in Pharma and How to Address Them

Justine Desmond

Pharmaceutical companies have been front and center during the response to the COVID-19 pandemic by producing and distributing vaccines to millions across the world. Their contributions have been invaluable, but it’s also brought unwanted attention from malicious and state actors.

Navigating these challenges has led to a more complex threat landscape online. While many pharmaceutical companies previously conducted penetration tests to comply with the Food and Drug Administration (FDA) or the Health Insurance Portability and Accountability Act (HIPAA), offensive security strategies are shifting from compliance-based to risk-based to keep up with a dynamic cyber threat landscape.

Threats of intellectual property (IP) theft and data manipulation require staying one step ahead of foreign and domestic adversaries seeking to cause harm. As the recent attack on India’s Sun Pharma demonstrated, security needs to be a priority to keep operations running—it’s not a luxury. 

Synack has worked with some of the most notable pharmaceutical companies globally on a strategic approach to security testing that prioritizes critical assets and identifies the root cause of vulnerabilities. These are some of the risks that we see as top priorities for our customers and how we are helping to address them.

Top 5 Cybersecurity Risks in the Pharmaceutical Industry

Intellectual property theft

A company’s IP is indispensable to its ability to innovate, compete and ultimately generate revenue. While the U.S. has strict laws defending pharmaceutical companies’ patent rights, other countries, such as China, have nullified patents in industries deemed important, including pharmaceuticals. This opens up opportunities for corporate espionage.

Data manipulation

While data manipulation has been used intentionally in the past as a way to gain FDA approval, in more recent years there are fears that competitors or foreign adversaries could manipulate data to gain an economic advantage or cause harm. Whether an adversary is trying to trigger an event like releasing the wrong drug or defrauding your company with ransomware, it is more important than ever for pharma companies to make sure that their data is secure.

The FDA’s Internet of Things (IoT) regulation has been front and center due to security research at DEFCON’s Medical Device Village and other lobbying efforts, and the industry at large has also been impacted by broader frameworks like GDPR, SEC regulations and HIPAA. 

Companies that fail to adhere to compliance frameworks like these can face steep fines, for example by failing to protect consumer data. Clinical trial data is also among the top priorities for regulators at the FDA and under HIPAA, which protects patients’ personally identifiable information.

Insider threats

The New York Times recently wrote a piece about the extent to which Chinese industrial espionage has become a serious concern. Many company executives rightly want to trust their employees but are now faced with serious questions about how to detect insider threats. 

One way to stymie a malicious insider is to segment your network and limit user privileges. Application functions can also leak sensitive information that an insider can use to gain additional access.

Supply chain risk

It goes without saying that your security is only as good as your providers’, as we saw with the recent MOVEit vulnerability, which is now estimated to have affected 530 organizations and 37 million people.

In the pharmaceutical industry, the supply chain is critical, and large disruptions like a cyberattack can lead to losses as high as 24% of one year’s earnings. Companies across industries are experiencing the uncertainty of letting in a malicious actor via a third party.

According to a CrowdStrike survey, 84% of respondents believe a supply chain attack is one of the biggest looming cyber threats, but only 36% vetted new and existing suppliers within the last year. The dissonance between understanding the threat of a supply chain attack and proactively doing something about it could be due to a lack of appropriate resources or tools.

NIST recommends implementing a cyber supply chain risk management process that identifies risks and critical systems, which could include regular pentesting of those systems to identify existing critical vulnerabilities and provide continuous monitoring. 

How Synack Can Help 

Synack provides continuous testing for your most critical assets that contain intellectual property, with a blend of structured and unstructured testing to help prevent IP theft in a scalable, repeatable model. In our web and host premium checklists, Synack tests for OWASP vulnerabilities that attackers can strategically exploit, such as broken access controls, authentication bypass, SQL injection and data leakage.

Additionally, Synack harnesses the creativity of a vetted community of security researchers to provide unstructured testing 24/7/365. Through continuous open vulnerability discovery, your team will have the chance to learn about new vulnerabilities, tools and tactics as 60+ vetted researchers test your network and applications all year long, instead of the traditional model of two pentesters for two weeks. You also have the ability to select researchers with specialized expertise to match the need.

Interested in a demo of the Synack Platform? Reach out!