The document discusses a cyber attack on Merck in 2017 that disrupted its global operations. It cost the company revenue and impacted drug production. The attack highlighted vulnerabilities for pharmaceutical companies. The document also discusses lessons learned from the attack and a subsequent attempted attack on LabCorp, emphasizing the importance of preparation and rapid response to contain damage from cyber threats.


28 Data Protection PHARMACEUTICAL EXECUTIVE DECEMBER 2018

WWW.PHARMEXEC.COM

Lessons for Pharma from the Merck Cyber Attack

Almost a year and a half later, key understandings have emerged to help companies better combat future data-breach attempts

CHRIS SOUZA is the CEO of Technical Support International. He can be reached at csouza@tsisupport.com

If you had to make a list of some of the most pressing issues that we’re facing as a society, cybersecurity would undoubtedly be right at the top. Cybersecurity is a critical and closely watched issue for pharmaceutical businesses in particular, for a number of reasons.

In 2017, a study conducted by Ponemon Institute revealed that about 54% of companies experienced one or more successful attacks that compromised data and/or their larger IT infrastructure at some point in the year. A massive 77% of those attacks utilized file-less techniques—meaning that instead of tricking someone into downloading and installing a virus, the attacks were executed using vulnerabilities that were already there.

According to another study conducted by Deloitte, the pharmaceutical industry is regularly the number one target of cyber criminals around the world—particularly when it comes to stealing intellectual property (IP). In the UK, for example, damages from IP theft totaled 9.2 billion GBP during 2017. A significant 1.8 billion of that was attributed to pharmaceutical, biotechnology, and healthcare organizations.

One of the biggest such attacks in recent memory struck Merck & Co. All told, the company employs more than 69,000 people and reportedly had an operating income of about $6.52 billion in 2017 alone. If this type of attack can hit a company as large and as old as Merck, it can happen to anyone—which is why learning from situations like these is always of paramount importance.

What actually happened?

In June 2017, word first broke that Merck was just one of dozens of businesses that were hit with a massive ransomware attack that ultimately ended up affecting organizations all over the world. On the morning of June 27, Merck employees arrived in the company’s offices across the globe to find a ransomware message on their computers. There was not a single location within the company that managed to get by unscathed, according to published reports at the time.

When the incident was said and done, the pharma giant suffered a total worldwide disruption of its operations, forcing a halt on the production of new drugs, which ultimately impacted the company’s revenue for the year.

Merck, of course, wasn’t the only entity affected by the cyber attack, which reportedly began in Ukraine, then spread quickly through corporate networks of multinationals with operations or suppliers in Eastern Europe. Nevertheless, according to published reports four months later, it was estimated that insurers could pay out as much as $275 million to cover the insured portion of Merck’s loss from the ransomware attack.

What have we learned?

To the industry’s credit, organizations do seem to have learned a great deal from the Merck incident—as evidenced by another high-profile intrusion attempt in July 2018, this time against North Carolina-based LabCorp.

Fortunately, LabCorp officials were able to detect suspicious activity almost immediately—far sooner than the 206-day average. The medical testing company took 50 minutes to contain the damage, thus mitigating the major ramifications moving forward.

During that 50-minute window, some 7,000 LabCorp computers were affected—along with other resources, such as 300 production servers. The company says that it had 90% of those assets back online seven days after the attack.

LabCorp had a detailed response plan that it was able to act on after the attack began. This helped the company contain and minimize the impact of the breach, and its own CEO cites this level of preparation as a big part of what saved the organization. As a preemptive measure, it also instantly shut down certain strategic services in an effort to protect the confidentiality of its data.

All told, what happened in the aftermath of LabCorp’s attack looked far different than what immediately followed Merck’s. But how does a biopharma or life sciences organization make sure that its own cybersecurity situation can be contained
Continued from Page 29


tional factors to consider include losses stemming from scenarios such as:
» Stolen IP.
» Being forced to repeat costly and time-consuming clinical trials.
» Litigation stemming from the breach itself.
» Lost revenue.
» Damages to products that are already in development or production.
» Significant production shortages in the supply chain.

Experts agree that in terms of pharmaceutical businesses in particular, hackers are looking for a company’s most valuable and sensitive data during an intrusion attempt. This includes elements like clinical data, IP, formulas for compounds, and, in some cases, patient or employee personal data. The amount of money that a hacker can get for a stolen proprietary formula on the black market significantly eclipses what they might be able to get for something like stolen credit card information.

One study from the Security Strategy Risk & Compliance Division at IBM, for example, revealed that a stolen electronic medical record (EMR) by itself can be sold for up to $350 on the dark web. With 3.15 million records being exposed across 142 industry breaches in Q2 of 2018 alone, according to data cited by Health IT Security, a network of Xtelligent Healthcare Media, one can quickly see how it can add up. The amount of money that people can make using health information to blackmail individuals is even higher. Therefore, it’s far more likely that hackers will target industries that yield bigger payouts than they would get by going after a private citizen via identity theft, for example.

It’s also important for drug manufacturers to apply learnings from past cases in the industry, all of which involved systems, partners, contractors, and subcontractors. “Pharmaceutical businesses in particular need to understand that all of these systems are connected,” says Kenneth Sprague, senior security engineer at Technical Support International (TSI). “If any link in the chain is broken, the entire chain becomes compromised. You need to be on the ball. Yes, security and patching are an ongoing battle, especially when you consider the changing threat environment we’re dealing with. But it’s something you have to do in order to survive.”

One of the issues with big pharma from an IT perspective is that oftentimes organizations are dealing with infrastructures that are a collection of legacy systems, multiple systems that are difficult to properly integrate (and secure), Excel spreadsheets, purpose-built cloud systems, and more. Gaining the level of visibility one would need to adequately secure these resources is an ongoing and reactive process that requires the coordination of a company’s vendors, operational methodologies, and culture. Challenges can arise when IT functions are siloed. Legacy systems, for example, often lack the vendor support needed to update them against the latest threats. That alone can leave an organization exposed, regardless of how large it is.

This is a pressing issue for smaller pharma companies as well. Often, these organizations fail to believe that IT and planning for growth should be an area of immediate focus; in reality, it couldn’t be more important. IT can help empower the growth of an organization if properly built for agility and aligned with long-term goals.

Think like them

In the end, the most important thing for pharmaceutical companies, large or small, to understand is that getting hit with this type of cyber attack is no longer a question of “if,” but “when?” A company can invest in all of the cybersecurity measures that it wants—it still won’t prevent it from one day becoming the target of hackers with malicious intentions.

But if an organization knows what someone is after, the good news is that it’s now in a much better position to mount the specific defense needed to protect it. That insight will act as a company’s first line of defense against these types of cyber criminals in the future.

Copyright of Pharmaceutical Executive is the property of Advanstar Communications Inc.
and its content may not be copied or emailed to multiple sites or posted to a listserv without
the copyright holder's express written permission. However, users may print, download, or
email articles for individual use.
