Merck’s Cyberattack And Biopharma’s Rising Interest In Cybersecurity

July 26, 2017

By Ann Neuer 

On June 27, pharma giant Merck was among dozens of companies hit by a sprawling cyberattack. According to The Washington Post, it was caused by a virus similar to Petrwrap or Petya, which exploits a Windows vulnerability for which the National Security Agency had developed an exploit several years earlier, one that later leaked. On that Tuesday, at 11:03 AM, Merck sent two tweets confirming that its computer network had been compromised as part of a global hack and that it would investigate and release information as it became available.

That morning, as Merck employees fired up their computers, they were greeted with a ransomware note advising them that their machines were infected. Online examples of this type of Petya note stated that files were no longer accessible because they had been encrypted, and that for a sum in bitcoin victims could purchase the decryption key. Merck remained mostly mum on the breach, but Microsoft addressed the attacks in a blog post stating that the company first saw infections in Ukraine, followed by infections in 64 more countries, including the United States. Microsoft immediately released cloud-delivered protection updates. At this point the story gets a little murky. Merck does have an office in Ukraine, but the pharma has provided only minimal information, in tweets on June 28 and June 30: no company data appear to have been compromised, and it believes the problem was contained. It is also working with the U.S. government, which confirmed that the malware responsible for the attack infected company systems despite the installation of recent software patches.

Merck did not respond to numerous requests to be interviewed for this article, but according to a document from the National Health Information Sharing and Analysis Center (NH-ISAC), the only confirmed infection vector of the June 27 attack was a compromised update to MeDoc, accounting software widely used in Ukraine. Denise Anderson, President of NH-ISAC, comments, “There is a lot of hypothetical speculation about who was behind the attack but we don’t know who it was.”

Cybersecurity has hardly been biopharma’s main focus, but it demands attention given the volume of collaborations, the varying levels of security each partner maintains, the widespread use of personal devices to access a sponsor’s system, and the importance of protecting a company’s most precious intellectual property—its data. Fortunately, the tide may be turning. “There is absolutely a rising interest in cybersecurity for healthcare and life sciences. This is growing in importance due to the increasing pressures to collaborate with partners who are frequently operating outside your firewalls,” says Jon Cohen, VP, Product Strategy, Specialty Products Group at Synchronoss.

A new report issued by the Health Care Industry Cybersecurity Task Force—a group created by the Department of Health and Human Services, the Department of Homeland Security, and the National Institute of Standards and Technology—zeroes in on a key reason why healthcare poses a particularly complicated security risk. An open, collaborative culture that prioritizes quick access to information for patient care sometimes overrides strict adherence to cybersecurity policy. Specifically, to respond promptly to critical care issues and maintain a seamless workflow, health care personnel sometimes leave workstations unlocked and unattended to expedite access to patient information and to share data with other practitioners. The practice reflects a limited understanding of how an attack can devastate an organization through the leaking of protected patient information. “Within the health care industry, cybersecurity has historically been viewed as an IT challenge, is approached reactively, and is often not seen as a solution that can help protect the patient,” the report authors assert.

A shift is clearly needed. Mollie Shields-Uehling, CEO and President of SAFE-Biopharma, a non-profit association, explains that its digital identity and signature standard, plus efforts from others such as NH-ISAC’s Cyberfit, offer much-needed risk mitigation. “They provide critical tools for keeping out bad actors, including a two-step authentication. But unfortunately, there continues to be friction between those charged with on-going operations and the collective will to implement security standards,” Shields-Uehling says.

Two-step authentication goes beyond the simple user ID and password. It adds a second, independent check, such as a one-time code generated by a device the user carries or a biometric, so that a stolen or guessed password alone does not grant access. Verizon’s 2017 Data Breach Investigations Report states that 81% of hacking-related breaches leveraged either stolen or weak passwords, and that 15% of breaches involved healthcare organizations. The report names two-step authentication as one of the critical tactics for addressing this.
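To make concrete what the second step checks, here is an added example (not code from the article or from any of the organizations it mentions) of the one-time-code scheme most authenticator apps implement, RFC 4226 HOTP and its time-based variant RFC 6238 TOTP, with a server-side verifier and a two-step login that rejects a correct password when the code is missing or stale. The shared secret and timestamps are the published RFC test values; the user record, the username, and the SHA-256 password hash are constructed for illustration (a real deployment would use a dedicated password hash such as bcrypt or Argon2).

```python
"""Added example: RFC 4226 HOTP / RFC 6238 TOTP generation and verification.

The secret is the RFC reference value; the user table below is constructed
for illustration and is not from any real system.
"""
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226).

    HMAC-SHA1 over the 8-byte big-endian counter, then "dynamic truncation":
    the low nibble of the last byte selects a 4-byte window, which is read as
    a 31-bit integer and reduced modulo 10**digits.
    """
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the number of 30-second
    steps since the Unix epoch, so a phone and a server that share only the
    secret still agree on the code without any per-login state."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step or up to `window` steps either
    side, to tolerate clock drift.  compare_digest keeps the comparison
    constant-time so a wrong code does not leak how many digits matched."""
    for delta in range(-window, window + 1):
        t = unix_time + delta * STEP_SECONDS
        if t < 0:
            continue
        if hmac.compare_digest(totp(secret, t), submitted):
            return True
    return False


# Constructed user record: password hash (something you know) plus a
# per-user TOTP seed (something you have).  SHA-256 stands in for a real
# password hash here only to keep the example dependency-free.
USERS = {
    "alice": {
        "pw_hash": hashlib.sha256(b"correct horse").hexdigest(),
        "totp_secret": TEST_SECRET,
    }
}


def login(username: str, password: str, code: str, unix_time: int) -> bool:
    """Two-step login: both factors must pass.  A password stolen in a breach
    (the 81% case in the DBIR figure) is useless without the current code."""
    user = USERS.get(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(
        hashlib.sha256(password.encode()).hexdigest(), user["pw_hash"]
    )
    return pw_ok and verify_totp(user["totp_secret"], code, unix_time)


if __name__ == "__main__":
    # RFC 6238 Appendix B: at Unix time 59 the 8-digit SHA-1 code is 94287082.
    print(totp(TEST_SECRET, 59, digits=8))
    print(login("alice", "correct horse", totp(TEST_SECRET, 59), 59))
    print(login("alice", "correct horse", "000000", 59))
```

The window of one step on each side is the usual trade-off: it absorbs a phone whose clock is a few seconds off, while still making any given code worthless within about a minute, so a code observed over someone's shoulder or phished moments earlier cannot be replayed later.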

But simply updating a company’s authentication policies is not enough. The ransomware that infected Merck’s systems had worm capabilities, allowing it to move laterally across infected networks without any user action, Microsoft reported; that patched Merck hosts were still infected shows it had at least one propagation route the patches did not close. This type of ransomware poses a particular challenge to the healthcare and life sciences industries, a mix of a few large global players, modest-sized biotechs, start-ups, and the small medical practices that provide many of the investigators for clinical trials. These smaller groups often lack the resources to invest in tools to combat threats to confidential information and can therefore serve as entry points into much larger networks that house a treasure trove of patient data.

The risk is finally getting the attention it deserves in the C-suite, but implementation across organizations will take time, Shields-Uehling warns. “Addressing cybersecurity risk has taken high profile in the C-suite in the past three to four years, but how do you put that into daily practice? First, you have to understand where the assets are, what tools are needed to protect them better, and how to involve all of your external partners across the globe. This is hugely complicated and takes a while to figure all of this out.”

If anything, Merck serves as an example of a company committed to security that still found itself vulnerable. Terry Rice, Merck’s VP of IT Risk Management and Chief Information Security Officer (CISO), sits on the Health Care Industry Cybersecurity Task Force that published the June 2017 report. Just two days before the ransomware attack, he and a roundtable of other CISOs and cyber threat experts were featured in an article on cybersecurity in In Vivo. He commented that over time his focus had evolved toward finding new ways to manage IT, cybersecurity, and risk assessment practices.

New solutions and better risk assessment certainly help, but Denise Anderson of NH-ISAC adds another essential component: “I would beseech everyone to work together instead of against each other when global incidents occur.”