What does good cybersecurity look like in 2022?
The pharma industry is becoming an increasingly hot commodity for cybercriminals. In recent years, digital adoption has accelerated at a rapid pace, with companies racing to integrate cloud-based platforms and telehealth services to expand the delivery of modern healthcare. Combined with the sudden arrival of COVID-19, this perfect storm of events handed cybercriminals an opportunity to exploit weaknesses in fledgling systems and processes.
Pharma companies hold masses of vital data sets, from classified intellectual property to proprietary information about drugs and clinical trial developments. The value of such data is not lost on cybercriminals. This was illustrated in 2021, amid growing awareness of the pharma industry's efforts to develop and distribute COVID-19 vaccines. According to cybersecurity firm Critical Insights, the number of cybersecurity breaches in healthcare reached an all-time high in 2021, exposing an unprecedented amount of protected health information.
Cyber attacks can be highly damaging, both financially and to a company’s reputation. Therefore, it is essential that necessary steps are taken, both at a company and individual level, to understand and prevent the risk of cyber threats. But what does good cybersecurity actually look like? To help navigate the complex world of digital crime, Adarma’s threat consultant Mike Varley, KnowBe4 lead security awareness advocate Javvad Malik, CEO and founder of CyberSmart Jamie Akhtar, and senior engineer at Trend Micro Simon Walsh offer their insights into key trends and best practices for pharma companies.
Why is the healthcare industry a particular target for cyberattacks?
Javvad Malik (JM): Historically cybercriminals were after money, so they often ignored healthcare providers. However, with increasing sophistication within the criminal economies and the ability to monetise data through ransomware, other means of extortion, or resale, healthcare providers have become an almost ideal target for criminals.
Simon Walsh (SW): Despite statements from would-be attackers to the contrary, the healthcare and pharma industries became prime targets during the COVID pandemic, particularly for ransomware operators, as we saw during the breach of the Irish Healthcare Service Executive in May 2021.
There are several reasons for this: they’re seen as easy targets because of their relative lack of security maturity; the COVID pandemic-induced strain they’re already under makes them more likely to pay the ransom; and the fact that the data they hold – patient records – is extremely valuable and opens additional paths to extortion.
Jamie Akhtar (JA): Many healthcare providers have weak or limited defences. These range from poor staff awareness of threats to creaking, outdated operating systems and tech, but whatever the reason, cybercriminals are aware that many healthcare providers make for easy pickings.
Mike Varley (MV): We can expect to see a rising number of ransomware attacks on the healthcare sector. Healthcare is recognised as national critical infrastructure, which makes it an attractive target to malicious foreign entities looking to create chaos and harm. Similarly, when human life is put at risk by an attack, organisations are more likely to pay up, so attackers often view these structures as a quick pay-day.
Where do you see the most mistakes being made in healthcare when it comes to addressing cyber threats?
JM: Perhaps the biggest mistakes or challenges healthcare faces when addressing cyber threats are having outdated or unpatched software running, being too quick to purchase or adopt internet-connected devices without demanding rigorous security testing, and, finally, the lack of security awareness and training amongst IT staff.
SW: Security maturity and the ability to successfully detect and withstand attacks comes from understanding cyber risk and building and developing a cyber security strategy around that understanding. This of course needs to be adopted and driven by the board and C-level executives and too often this is not the case, with a lack of understanding and investment resulting in a weakened security posture.
Over-reliance on security technology without adequate human oversight further weakens this posture. The Irish hospitals who successfully prevented the attack in May 2021 were those who not just detected stages of the attack but also understood what those detections meant and acted as a result.
Developing a human oversight function – for example a Security Operations Centre – in house is costly, difficult, and takes time. So, for many in the healthcare/pharma industry, the quickest route to success on this front is working with the correct partner who will provide that function.
JA: There are two areas in which most organisations, not just healthcare providers, could be doing better. Many aren’t doing the simple things that can thwart most cyber-attacks. For example, regularly updating software and operating systems, using strong passwords and MFA, developing clear policies for staff to follow, and ensuring security tools are configured properly.
On top of this, employee awareness of cyber threats just isn’t widespread enough. An organisation can have the best cybersecurity software around but, if an employee doesn’t know what a phishing email looks like and clicks a malicious link, it’ll be hacked just the same. The way to counter this is basic cybersecurity training. It doesn’t have to be comprehensive, just enough to help your people make informed choices.
What trends are you seeing in cybersecurity at the moment?
JA: The most worrying trend is the rise in supply chain attacks. Cybercriminals have worked out that the best way to target large enterprises with solid defences is to attack a smaller, less well-defended supplier who can give them a backdoor in. As a result, we’re seeing more major attacks originate in this way.
Alongside this, phishing continues to be the single most common form of attack. Due to the general lack of awareness in the working population, many organisations are still struggling to contain the threat.
MV: Increasingly I think we will see healthcare sector organisations turning to managed security service providers who have the expertise, capability, and technology to deal with an increasingly complex and harmful cyber landscape.
The healthcare sector is expected to provide an elevated level of cyber protection and with a shortage of cyber talent and the prohibitive cost of establishing a Security Operations Centre internally, organisations will need a trusted security partner that can provide that level of proactive protection.
What advice would you give to companies looking to improve their cybersecurity policies, both on a company-wide scale and individual basis?
JA: Above all, make them clear and easy to follow. Avoid technical jargon, where possible, as this will only disengage people. And, explain why the company has adopted the policies it has; your staff will find it much easier to follow them if they know why. Also, store them somewhere that’s easy to access from anywhere. There’s little use in a policy if it’s buried deep in a shared drive where nobody reads it.
MV: Cybersecurity policies should be informed by a threat-led approach. Regular threat modelling will highlight what threats you are facing and how adversaries are likely to target your organisation. With this information on areas of commonality, your security teams can focus on implementing layered security and monitoring.
Your policy should consider asset awareness. As basic as it sounds, it can be easy for a small handful of assets to fall under the radar within vast enterprises, which leads to out-of-date operating systems and software.
JM: Organisations should look to take a data-driven approach. That means that, in addition to following what is occurring externally in terms of attacks, they should look through a year or two's worth of internal security logs to see what was the root cause of the incidents during this time period.
Once the root causes have been identified, they should be prioritised, and then controls be put in place to address those specific root causes. Those should inform the cybersecurity policies and tailor them to the specific risks the organisation is facing.
SW: For companies, start at the top and ensure that the board and C-level executives are capable of understanding and assessing risk. This will drive investment in cyber strategy and improve your chances of mitigating that risk. Human oversight of security-related activity in the organisation is also fundamental.
For individuals, heightened awareness and ongoing education are key. We all have a role to play in cyber-security as 100% reliance on technology is unfortunately never enough.