The onset of the Covid-19 pandemic last year triggered a wave of cyberattacks in the life sciences industry, and the problem is likely to get worse. Biotech startups need to improve their cybersecurity, but where should they start?
In January 2020, it was time to open the champagne for Andrew Sewell, Professor of Infection and Immunity at Cardiff University, UK. His research group had hit the headlines with the discovery of immune cells that could lead to a universal cancer cell therapy. A week later, the group struck a licensing deal with the UK startup Ervaxx, now called Enara Bio.
Celebrations were brutally cut short. Less than 20 minutes after the announcement of the deal, Sewell realized that something was very wrong.
“The initial warning was a message from Facebook [stating] that they were taking my account offline as it was under attack,” Sewell said. “All my social media and university accounts were down within the hour. I had a feeling of extreme powerlessness that made me sick to my stomach, especially once my mobile phone went down too.”
The cyberattacks weren’t limited to Sewell himself.
“I realized how serious it was when they next went for my wife,” he related. “This seems to have come via a years-old wedding site that linked the two of us, as a few of the guests that had signed up to that were also targeted.”
“It makes you realize how we all leave such an online footprint out there that we don’t even think might ever be used maliciously.”
Sewell declined to comment on whether the attackers were identified or any data was lost. However, it’s likely that they were after his intellectual property, which had generated big excitement. Cell therapies for cancer such as CAR-T have given rise to gargantuan deals in the past, with Gilead’s €10.1B acquisition of Kite Pharma in 2017 being one of the biggest examples.
“Various venture entities and others had offered me over $1B for the associated intellectual property,” said Sewell.
Cyberattackers range from lone individuals to government-sponsored organizations and strike in a variety of ways, such as stealing data or sabotaging companies. The damage they can cause is immense; a high-profile attack in May 2021 affected the US’ Colonial Pipeline, disrupting fuel supplies across several states and triggering a state of emergency.
While espionage can be carried out by people onsite, cyberattacks are becoming more prevalent in a life sciences industry that is going increasingly online.
According to a report published in May this year, 10% of the biggest pharmaceutical companies worldwide are at high risk of cyberattacks. One of the biggest examples happened in 2017, when the US company Merck Sharp & Dohme (MSD) became the collateral victim of a Russian ransomware attack, which locked up the company’s data in the alleged hopes of receiving a ransom payment. MSD lost at least €850M in damages and is still battling with insurers to recoup the damages.
“More importantly, it actually led to a shortage of the HPV vaccine Gardasil in the US and we had to go through the strategic national stockpile,” said Charles Fracchia, CEO of the US life sciences and cybersecurity firm BioBright. “So we see that the impact of digital technology on real-world biotech and pharma workflows is very real, very tangible.”
As Sewell’s example demonstrates, big pharma companies aren’t the only ones that should be concerned about cybersecurity. There’s a worrying lack of data about how often small companies are in the firing line.
“There are no formal reporting structures or requirements, so we simply don’t know how often biotech startups and other entities are attacked, let alone whether they are more vulnerable or more attractive from an espionage standpoint,” explained Kathryn Millett, Research Provider at the UK non-governmental organization Biosecure.
What is clear is that cyberattacks on life sciences and healthcare organizations are intensifying amid the global Covid-19 pandemic. For example, ransomware attack attempts in the healthcare sector rose by a staggering 123% last year, according to a report by the research firm SonicWall.
“Attackers are targeting across the board all the way down, even to the small actors,” said Fracchia. “And they are largely prioritizing their attack list by press releases and public information that’s out there about companies involved. So smaller biotechs and pharmas — nimbler, faster, scrappier — that do not typically have dedicated cybersecurity capabilities will get targeted.”
Why has there been a wave of cyberattacks during the pandemic? One factor is that biotech investments went through the roof last year as the pandemic catapulted the industry into the spotlight. The resulting growth in lucrative biotech companies and research worldwide means more potential targets for criminals. Another factor is politics around the development and distribution of Covid-19 vaccines and treatments.
“Unfortunately, vaccine development has become a geopolitical national game as opposed to an international united fight against an adversary,” said Fracchia. “It’s a matter of national pride.”
According to Matthieu Guitton, Professor at Université Laval, Canada, and expert in cyberbehavior, the shift towards remote work caused by the pandemic could also be contributing to the problem.
“The massive switch to distance work and the ban on travel resulted in an increase of the proportion of espionage attempts carried out online rather than offline,” said Guitton.
Explosions in genomics, big data, and machine learning technology in the last several years are also showing their dark side. As they make it easier than ever to collect, stockpile, and analyze genetic data, they also make the data appealing to would-be cybercriminals.
“Biological data is unchangeable, so if someone gets hold of your genome sequence, you cannot replace or change it the way you would a compromised credit card or other personal information,” Millett said. “Therefore, biological data is more valuable than other types of personal data. In fact, there have been studies that show that the average cost of personal health information on the black market is worth over 300 times that of credit card details.”
Biotech startups face big cybersecurity risks. Many of them rely on internet-connected lab devices to complete experiments; a recent hack of lab equipment in a University of Oxford structural biology lab demonstrated how vulnerable these devices can be to hijacking. Also, the software employed by startups often has its roots in academic labs, which have historically had little need for built-in security measures.
“Those softwares are not sustained for a long period of time. Usually, they stop getting updated with funding and with personnel; once the postdoc or the PhD student leaves, that’s usually that,” noted Fracchia. “The capitalization of software by companies has largely been based on the core function without any regards towards security authentication.”
On a higher level, many biotech companies fail to give enough thought to their cybersecurity measures. According to a survey published by Biosecure in 2019, 90% of the participants — leaders in biotech and cybersecurity firms — felt that insufficient time and resources were devoted to cybersecurity in their companies. Additionally, European life sciences companies seem to lag behind US firms in this issue.
“In fact, the only sources of external guidance identified by any companies we surveyed at the time were all US-based,” Millett said.
There are many reasons why biotech startups need to take cybersecurity seriously, no matter what stage they are at. First, having manufacturing or lab operations vulnerable to tampering can cause major safety risks. Second, there is the risk of intellectual property theft, which no biotech entrepreneur wants. A third reason is the potential damage to drug development programs, which rely on trustworthy scientific data when liaising with regulators.
“If you get into Series A and all of a sudden your process is revealed to have been infiltrated for years and manipulated, or even that there was a potential for manipulation, that really changes the regulatory landscape,” Fracchia said. “That changes how you can trust the data in the beginning.”
Thankfully, biotech companies are becoming more aware of the need for cybersecurity, especially after media coverage of high-profile cyberattacks.
“Anecdotally, we have seen increased interest within European companies relating to cybersecurity in biotech in recent years, and this is likely to rise given espionage efforts connected with Covid-19 certainly don’t seem restricted to targeting US companies,” Millett said.
Nevertheless, this awareness needs to catch up to a fast-moving threat. Fracchia sees cyberattacks getting a lot worse going forward.
“The problem is that it’s become much more focused. Whereas before it was more opportunistic, the next stage is going to be advanced groups attacking,” Fracchia said. “If cybercriminal gangs can make money off of it, then we’re screwed. We’re screwed because then there’s a financial incentive and this stuff is just going to become background. And that’s a very scary prospect.”
Governments worldwide are also slow to lead the life sciences industry in its efforts to keep up with the evolving landscape of cyberthreats. Millett explained that this lack of leadership makes it nearly impossible to enforce the adoption of cybersecurity measures in research facilities, and leaves many firms on their own in their efforts to protect themselves.
So are some ways that biotech startups can protect their data going forward? Sewell recommends keeping some backups of key data offline and locked in a safe. Millett advises biotech companies to audit their own security measures regularly and seek the help of specialized cybersecurity companies. Fracchia advocates getting proprietary data-sharing software that offers security measures such as end-to-end encryption.
“If you’re a company, you have to use vendor software and you will have to evaluate security in a strong manner,” he said. “Ask for those [cybersecurity] features; force the vendors to put this in.”
While protection from outside cyberattacks is essential, it’s also important to remember data can be leaked by people inside the company, either inadvertently or intentionally. In 2019, for example, an employee at the Australian biotech giant CSL allegedly stole 25 gigabytes of sensitive corporate data to help him land a job at the Dutch company Pharming Healthcare. Some precautions against this include letting only a few employees access sensitive information and keeping visitors under supervision.
Furthermore, cybersecurity awareness needs to be drilled into every employee, not just those at the top level or those specialized in IT.
“The main issue with data security in biotech is that most people focus their attention on technology, while the weakest link of the cybersecurity chain is the behavior of people,” Guitton said.
Most fundamentally, biotech companies need to invest in cybersecurity from the founding stage.
“Biotech startups tend to focus the majority of their resources on R&D, clinical trials and advanced lab systems, while their IT systems and infrastructure tend to be given a lower priority,” Millett explained. “Considering your cybersecurity needs from the outset rather than shoe-horning in security measures at a later date gives businesses and entrepreneurs the best security start.”
Even for biotech companies that are starting out with a shoestring budget, Fracchia told me that it’s still cost-effective to have cash ring-fenced for cybersecurity, and this should be clear to investors as well.
“If I created a biotech tomorrow, and I were to go out for funding, I would put [cybersecurity] in my budget because the reality is that I cannot risk losing the entire integrity of my company two weeks before I closed my Series A,” he explained. “It is on everybody to realize that change. It’s on the founders; it’s on the VCs to understand that this is a risk problem, and it’s easily manageable.”
In order to tackle the cybersecurity problem in biotech long-term, Fracchia recommends blending the culture of cybersecurity with that of biotechnology. With this aim in mind, the cybersecurity and life sciences expert BioBright and partners set up a non-profit organization in August this year called the Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) to make it easier to pool and obtain knowledge about cybersecurity in the biotech industry.
“We are not mixing that culture, even in synthetic biology,” Fracchia concluded. “We need to be creating a whole new class of people who truly understand this merging of software engineering, computer science, and biology. Cybersecurity will need to play a role.”