Article

Could your life science data be held to ransom?


January 6, 2021

CISA has warned of ransomware attacks targeting life science and healthcare companies. So what are the main threats, and how can you strengthen your resilience against them?

The recent U.S. advisory released by the Cybersecurity and Infrastructure Agency (CISA) [1] warns of specific ransomware threats such as Ryuk and Conti, which can enter systems through phishing emails and potentially encrypt all of the victim’s data.

Typically the attackers demand a ransom – usually in Bitcoin – to decrypt files and avoid irreversible loss of data.

Ransomware attacks against life science, and the size of the ransom demanded, have been rising. Recent cases have highlighted the extent of the potential damage, which goes far beyond data theft: if systems are disabled, whole businesses can be put out of action, with implications for patient care and potentially large claims and losses.

Why are life science businesses a target?

As technology advances, the industry has become more heavily reliant on the data and systems that sit behind its innovations, from gene therapies to intelligent medical devices.

Life science businesses hold increasingly large volumes of highly sensitive data, such as patient data from clinical trials, manufacturing data on biologic drugs and commercial product and pricing data.

Regulators such as the U.S. Food and Drug Administration (FDA) require organizations to be in control of data at all times.

Because of these high stakes, the sector has become an increasingly attractive target for ransomware gangs. Recent reports suggest an increased risk for companies involved in COVID-19 research and trials (see example below).

The European Medicines Agency suffered a cyber attack in December 2020 during which documents related to the Pfizer/BioNTech vaccine were accessed. [2]

What are the potential risks and losses?

The ransom, and any data protection breaches, may be only a fraction of the total cost. A recent Allianz report showed that business interruption accounts for an average 60% of the value of all cyber claims. [3]

A U.S.-based global pharmaceutical company reported suffering up to $1 billion in losses and costs when ransomware blocked its systems and brought production, sales and research & development to a halt.

Patient injury is also an increasingly real risk. Just recently, the U.S. Department of Homeland Security [4] issued an alert highlighting serious vulnerabilities found in medical devices which could enable attackers within Bluetooth range to access patient applications.

Previously, in 2017, the FDA issued an alert highlighting cybersecurity flaws in 465,000 pacemakers which could have allowed attackers to gain unauthorized access to the medical device, issue commands and change user settings. [5]

While there was no evidence of patient injury in that case, bad actors are becoming more creative and effective at exploiting vulnerabilities and deploying more destructive forms of malware.

In September 2020, a hospital in Düsseldorf, Germany was subject to a ransomware attack which resulted in a patient death, the first reported death attributed to a cyber attack.

Some local reports stated that the attackers had not initially intended to hit the hospital and were targeting a different university.

The incident affected 30 servers, which crashed systems and forced the hospital to turn away emergency patients. As a result, a woman with a life-threatening condition was diverted to another hospital 20 miles away and died from treatment delays.

Given that life science companies often play a key role in the delivery of patient care, it’s not hard to imagine similar patient injuries and potential claims – for example, if their devices or therapies are disabled as a result of a ransomware attack.

Does insurance cover the risks?

Many cyber policies may not be written widely enough to cover the true scale of losses, including lost production, ransomware demands, failure to supply products or services (including fines and penalties levied by the FDA), business interruption, data breaches and other forensics and legal compliance costs.

Life science companies may also have significant exposures to property damage and bodily injury arising from a cyber attack or technology failure, and specific extensions of coverage need to be negotiated into the cyber policy to address these risks.

Some third-party claims for damages may be covered under professional or general liability policies, while damage to systems may be covered under property insurance.

However, these policies may contain electronic data transmission or data liability exclusions which could preclude coverage. In one of the cases mentioned above, the ransomware attack was suspected to have been carried out by a state and to have been aimed mainly at political targets.

Subsequently, the property insurers disputed coverage for the loss, citing war exclusions.

In the case of patient injury, where policies contain a ‘contingent bodily injury’ clause, this may only respond if the injury is a direct result of the attack, which can be hard to prove.

What you can do to reduce the risk of a cyber attack

  • Patch operating systems, software, and firmware as soon as manufacturers release updates.
  • Review remote access protocols and take action, if needed, to improve security.
  • Use multi-factor authentication (MFA) where possible.
  • Segment your network so sensitive data is not on the same server as email.
  • Set antivirus and anti-malware solutions to automatically update.
  • Identify business-critical assets. Create backups of these systems and house the backups offline.
  • Educate employees on how to detect and report phishing emails.

Increasing your resilience if a cyber attack occurs

  • Stress test your incident response, business continuity and disaster recovery plans for ransomware threats. Make sure you can remain compliant with your data protection and ePrivacy obligations if an incident occurs.
  • Maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.
  • Train your senior management to prepare for a cybersecurity incident, including tabletop exercises to make it real.
  • Review your insurance cover. Is your cyber insurance up to date and does it cover ransom? Does your general or professional liability cover have data-related exclusions? Look closely at wordings and make sure they are broad enough to cover all the potential costs and losses of a ransomware attack. Request changes or additions if there are gaps.
  • Read all policy terms, such as those on war and terrorism, carefully to make sure they don’t block claims in ways that aren’t immediately apparent.

Any questions?

Get in touch if you have any concerns about ransomware threats and how to strengthen your resilience.

Footnotes

[1] Ransomware Activity Targeting the Healthcare and Public Health Sector | CISA

[2] Pfizer/BioNTech vaccine docs hacked from European Medicines Agency | BBC News

[3] Allianz Cyber Risk Trends 2020 | AGCS (allianz.com)

[4] https://us-cert.cisa.gov/ics/advisories/icsma-20-345-01

[5] https://www.fda.gov/medical-devices/safety-communications/firmware-update-address-cybersecurity-vulnerabilities-identified-abbotts-formerly-st-jude-medicals#:~:text=On%20August%2023%2C%202017%2C%20the,Jude%20Medical)%20pacemakers

For more information please contact

Amy Azlinda Ghazali
Assistant Manager, Malaysia
