Charles River attack places spotlight on the cyber threat to the life sciences sector
On 1 May 2019, Charles River Laboratories revealed it was the victim of a ‘sophisticated and well resourced’ hacking attack and resulting data breach, discovered in mid-March and thought to have compromised about 1% of the company’s client data.
The attack makes Charles River the latest known example of a number life sciences companies targeted by hackers in recent years. According to a recent study by Proofpoint, cyber attacks (both malware and ransomware) aimed at the pharmaceutical industry have increased by 150% in the past year. The pharmaceutical industry is presently one of the most targeted industries for such attacks.
Last month, pharmaceutical company Bayer reported that it had found malware capable of remote access on its networks, which it had identified and resolved through its internal cybersecurity methods.
TSMC, UCLA Health, and Altran Technologies in France have reportedly also fallen victim to cyber-attacks. The most serious known incident appears to remain the NotPetya attack on Merck in 2017 in which data was encrypted and held to ransom through a spoof ransomware system. It has recently been suggested that the NotPetya attack total losses could reach an estimated US$915 million.
The urgent conclusion must be that every company and holder of sensitive data is vulnerable to cyber risks. That will have particularly serious potential consequences in the life sciences arena. Life science companies may hold both acutely commercially sensitive information (e.g. R&D related and IP) and also hold special category personal data such as medical records from clinical trials.
As with other industries, a context of acute competition to bring products to market and pressure on costs means there is a risk that security can be perceived as an obstacle or low priority, hampering the development and maintenance of adequate cyber security. The potential for a single attack to steal or corrupt critical personal or commercial data makes the issue urgent.
The permutations of possible losses and liabilities following a breach can be daunting, compared with the incentives for malicious actors which are numerous. The theft of clinical records can be more profitable than financial identity theft because medical information is data rich and durable whereas credit card data and passwords are short-lived. Stolen personal health information can be exploited to acquire expensive prescription medicines and medical devices. In the US, stolen data been used to obtain government benefits such as Medicaid or Medicare and it is certainly conceivable that sensitive data can be manipulated to embellish fraudulent claims for compensation. On top of this, hackers may demand ransom money in return for control of integral computer systems and operational data.
The consequences of such attacks can include disruption to research, destruction of data, theft of IP and very substantial costs in restoring systems and improving them where necessary to prevent future attacks. Of course, not all of which will necessarily be an insurable risk, even within the limits of insurance commercially available.
The impact of cyber attacks will not necessarily be limited to operational costs and productivity loss. Companies can suffer serious financial repercussions due to reputation damage in the event of publicity for such attacks, with knock-on effects including the impact on stock value. Reuters’ analysis suggests average share prices have been shown to fall by up 3% following publicised attacks. Reputational damage and loss of confidence can extend to impact consumers, investors, business partners and third party vendors.
Adapting to the threat
On a positive note, the growth of cyber attacks on life sciences companies means that companies are becoming more alive to hacking threats and are starting to prioritise information security as an integral part of their operation. They stand as a wake-up call for companies who are still tempted not to prioritise cyber security budgets or look carefully at the availability of insurance cover.
Life science companies must continue to educate staff in cyber security and make sure they understand from board room to shop floor the threats faced. Concepts like data separation and two-factor authentication should be familiar to everyone. The cyber threat environment is constantly and rapidly evolving and seems unlikely to become more benign any time soon.