For pharmaceutical companies, cyberattacks can get expensive quickly. 

In 2021, the average cost of a data breach in the pharmaceutical industry was $5 million, the third-highest of any industry, according to the IBM Cost of a Data Breach report.

Cyberattacks can also cause operational disruptions. For example, in 2017, Merck & Co. (NYSE: MRK) struggled to keep up with demand for its hepatitis B vaccine because it was a victim of the NotPetya ransomware. Merck estimated the damages from that attack to be roughly $1.4 billion.

Breaches in the pharma industry are rampant, concludes a recently published report from the cybersecurity firm Constella (Los Altos, California), which analyzes data exposures, breaches and leakages within the industry from January 2018 to September 2021. In that time frame, the company identified 9,030 breaches or leakages and more than 4,500,000 exposed records containing everything from passwords to financial data. 

Some pharmaceutical industry employees have played a role in the breaches by using corporate email accounts to register for sports, travel, gaming and entertainment sites.

The widespread use of corporate email accounts for non-business services is “frustratingly common,” said Jonathan Nelson, a digital intelligence specialist at Constella. 

The practice increases the risk of data breaches, which cybercriminals can use for everything from phishing attacks to account takeovers. 

Based on a survey of 78 pharma execs working at Fortune 500 companies, 58% had their data exposed, according to Constella. Of those with exposed data, almost one out of three had their passwords compromised.

“Executives are a critical vector for cybercriminals,” Nelson said. 

Cybercriminals target executives because they tend to have broad access to IT systems and can be exploited in impersonation attacks.

Also complicating matters are the rise in virtual work during the pandemic and poorly secured Internet of Things-based Pharma 4.0 initiatives, both of which increase the attack surface.

The pandemic has also raised the profile of intellectual property in cybercriminals’ minds. The data linked to the development of a COVID-19 vaccine, for instance, is “incredibly valuable,” Nelson said.