Cyberbiosecurity and threats to the biomedical industry
Cyber-attacks targeting the biomedical industry also have a huge capacity to inflict harm – both against the bioeconomy and against human, animal and plant life as well as the environment. This section will focus on some of the concerns raised by cyber-attacks primarily targeting the biomedical industry (which includes healthcare providers and the biopharmaceutical industry), since this sector is closely related to the issues of biosecurity and biosafety: a biological accident, attack or naturally occurring disease outbreak relies on healthcare systems for treatment and disease investigation, and on the biopharmaceutical industry for key aspects of fighting disease, including diagnostic capabilities, vaccines and other therapeutics.
As mentioned in the introductory section (2.16), there are a number of ways such cyber-attacks can manifest. To recap, these are:
• sabotage (damage to digital or physical infrastructure);
• corporate espionage (access to sensitive information to gain a competitive advantage); and
• crime/extortion, as exemplified by the use of ransomware to cause system denial.
These types of attack have already caused significant damage and disruption in both healthcare and the pharmaceutical industry, and the number of attacks on confidential or important information as well as cyber-physical systems continues to grow.
Information security integrity challenges
Healthcare systems worldwide generate and store vast amounts of sensitive data, from personal identifying information to disease tracking information. Confidential data is worth a lot of money to hackers, who can sell it on easily – making the industry a growing target. One study put the average black market price of a Personal Health Information (PHI) record at $363 US dollars. By comparison, credit cards sold on the black market fetch an average of $1-2. PHI is valuable because it can be used to target victims with frauds and scams that exploit the victim’s medical conditions or settlements, to create fake insurance claims that allow the purchase and resale of medical equipment, and to illegally obtain prescriptions for personal use or resale. The average cost of a data breach incurred by a non-healthcare related agency, per stolen record, is $158. For healthcare agencies the cost is an average of $355.
Beyond confidential patient data, attacks on healthcare organisations and agencies can severely impact patient care, with some research data showing that data breaches increase a hospital’s 30-day mortality rate as normal operations are disrupted and resources are routed away from patient care.
In general, healthcare is significantly behind other industries in implementing information technology protection measures and strategies, and a healthcare failure can result in injury or even death.
There have been a number of high profile attacks against healthcare institutions and agencies, where the use of ransomware has led to a shutdown of healthcare facilities and the endangerment of human lives:
• In October 2019, the Canadian medical testing company LifeLabs admitted there had been unauthorized access to the information of 15 million customers and that the lab had had to pay the ransom. Among the data stolen were personal identifying information including names, addresses, logins, passwords, health card numbers and lab test results. LifeLabs is the largest provider of medical lab diagnostic services in Canada, and almost half of Canada’s total population has had some sort of testing done by the company as part of their normal health care. It has been estimated that a class action lawsuit against the company could lead to a payout of over $1 billion.
• In 2017, the so-called ‘WannaCry’ ransomware hit the UK National Health Service (NHS), resulting in the infection of 16 health centres and surgeries and 200,000 computers. This led to nearly 20,000 cancelled appointments and paralysed more than 1,500 pieces of diagnostic equipment. People in affected areas were advised to seek medical care only in emergencies.
• In 2016, SamSam ransomware attacked the US company MedStar Health, causing 10 hospitals and 250 outpatient centres to shut operations.
Other related facilities are also at risk, as shown by the 2019 cyber-attack on Eurofins Scientific – the UK’s largest forensic sciences provider. This led to a backlog of 20,000 samples, including specimens from suspects in criminal cases and evidence from crime scenes.
The average healthcare organisation spends $1.4 million USD to recover from a cyber-attack, so the cost of inaction is significant.
A survey by Clearswift found that 67% of healthcare organisations in the UK had experienced cyber-security incidents in 2019, mostly due to employees sharing data. The survey revealed that 48% of incidents occurred as a result of viruses or malware from third-party devices.
When looking at the potential of such attacks through a traditional biosecurity lens, it is easy to envisage scenarios whereby a malicious actor gains access to a person’s – or group of people’s – confidential medical information to change patient records and compromise their patient care. More worrying on a wider scale might be a scenario whereby an outbreak of an infectious disease is deliberately coupled with, or made more complicated by, ransomware shutting down healthcare systems and preventing patient care.
The biopharmaceutical industry is also a particularly attractive target for cyber-attack, given the financial incentive for malicious actors. In an act of industrial espionage, two hacker groups had access to the environment of a leading pharmaceutical company for up to three years prior to detection. They stole IP and business data from the victim, including information on bio cultures, products, cost reports, and other details pertaining to the company’s operations abroad. There is nothing more important to a pharmaceutical organization than the formula for one of its new drugs. Drug manufacturers are a prime target given their intellectual property on medicines and new compounds, which could be profitable on dark web markets. Gaining access to the formula for new drugs and vaccines can also lead to drug spoofing and knock-off drugs.
In 2018, a report by Proofpoint found that pharmaceutical companies were the most targeted by hackers in the last quarter, with an average of 71 fraud attacks per business and 282 attacks on the pharma industry for that year.
One of the most significant cybersecurity attacks on a pharmaceutical company in recent history hit Merck & Co in 2017 during the NotPetya attack. Merck was significantly affected, with the attack disrupting its operations globally, forcing the company to halt the production of new drugs and causing a loss of over $300 million in just one financial quarter that year. Since the NotPetya malware affected computer systems used to control Merck’s manufacturing process, the attack resulted in shortages of the Gardasil vaccine and may have contributed to stock-outs of the Hepatitis B vaccine. The incident led Merck to borrow $240 million worth of Gardasil vaccine from the Centers for Disease Control’s stockpile, with the total estimated cost of the cyber-attack close to $1 billion.
Two other major pharmaceutical firms, Roche and Bayer, confirmed in 2019 that they had been impacted by a cyber-attack called ‘Winnti’, while an attack against a biopharma company in March 2019 resulted in the compromise of data on 1% of its clients. The Winnti attack has been alleged to have been carried out by the Chinese government.
When considered through a biosecurity perspective, a company being forced to halt drug or vaccine production could severely impact our ability to respond quickly and effectively to a disease outbreak.
Healthcare devices for hospitals can be vulnerable to computer viruses and intrusions that could disrupt a facility’s ability to provide healthcare, disable devices (such as patient monitors), harvest personal health information (PHI), change alarm settings and alter device functionality. This cyber compromise of medical devices can occur in a number of ways and may initially be difficult to detect.
Concerns over the cyber vulnerabilities of medical devices entered the public consciousness in 2012 when a popular TV series depicted a political assassination attempt by hijacking a pacemaker. That same year, the US Government Accountability Office identified multiple security vulnerabilities associated with mobile medical devices including: unsecure access, unencrypted data transfer, and an inability to update or install security patches or software updates.
These vulnerabilities have been proven to enable artificial hearts to be reprogrammed to produce a lethal 830 volt shock and insulin pumps to dispense clinically unnecessary insulin in sufficient doses to kill the wearer. In 2013, it was revealed that US Vice President Dick Cheney’s defibrillator had its wireless capability disabled due to the possibility that it could be remotely inactivated through its unsecured wireless interface. Hijacking the sensing/monitoring function of medical devices could also lead to the user being given the wrong information regarding the status of their health, and malware could be used to make the device perform unintended functions, such as transmitting malicious code into the health system.
In early January 2020, the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) announced that six different design flaws were present in General Electric’s CareScape product line, including in telemetry servers (which automatically record and transmit data) and patient monitors. Hundreds of thousands of devices used globally were thought to be affected. In April 2019, researchers created AI-driven malware that could be used to tamper with hospital CT scans, generating false cancer images and potentially leading to false diagnoses.
Biopharmaceutical products, or biologics, are also potentially vulnerable to cyber intrusions due to their use of engineered biological systems as platforms to manufacture therapeutic products to prevent or treat a variety of health conditions, such as cancer, diabetes, autoimmune disorders, and microbial infections. These products include vaccines, traditional protein therapeutics, such as monoclonal antibodies, as well as emerging biotechnologies, such as cell and gene therapies. Although the processes differ in how various classes of therapeutics are manufactured, in each process, information flows repeatedly between biological information (i.e., genetic) and cyber (i.e., digital) information, creating myriad opportunities for attacks on unsecured systems.
Biopharmaceutical companies employ cyber-physical systems across a range of functions, including raw materials sourcing, cell line development and optimization, upstream and downstream process development, manufacturing, validation studies, clinical trials, supply chain management of products, post-market drug safety monitoring, and interfacing with health providers. Such processes could be disrupted by altering processing times or equipment performance. In the case of the NotPetya attack that affected Merck and others in 2017, while the attack didn’t specifically target Merck’s biological production or manufacturing control systems, it did affect the production of the pediatric vaccine Gardasil, which helps protect against certain forms of cancer.
Cyber-attacks directed specifically at biological production facilities could not only result in the loss or destruction of product, but also potentially lead to the creation of harmful products that make their way to end users. The ‘Dragonfly’ malware campaign specifically targets cyber-physical systems used in manufacturing equipment, stealing trade and manufacturing secrets for corporate espionage, and it has also been suggested that it could be used for physical sabotage in the future.
© Biosecure Ltd