The Covid-19 pandemic has triggered a wave of cyberattacks in the life sciences industry this year, and the problem is likely to get worse. Biotech startups need to improve their cybersecurity, but where should they start?
In January 2020, it was time to open the champagne for Andrew Sewell, Professor of Infection and Immunity at Cardiff University, UK. His research group had hit the headlines with the discovery of immune cells that could lead to a universal cancer cell therapy. A week later, the group struck a licensing deal with the UK startup Ervaxx, now called Enara Bio.
Celebrations were brutally cut short. Less than 20 minutes after the announcement of the deal, Sewell realized that something was very wrong.
“The initial warning was a message from Facebook [stating] that they were taking my account offline as it was under attack,” Sewell said. “All my social media and university accounts were down within the hour. I had a feeling of extreme powerlessness that made me sick to my stomach, especially once my mobile phone went down too.”
The cyberattacks weren’t limited to Sewell himself.
“I realized how serious it was when they next went for my wife,” he related. “This seems to have come via a years-old wedding site that linked the two of us, as a few of the guests that had signed up to that were also targeted.”
“It makes you realize how we all leave such an online footprint out there that we don’t even think might ever be used maliciously.”
Sewell declined to comment on whether the attackers were identified or any data was lost. However, it’s likely that they were after his intellectual property, which had generated big excitement. Cell therapies for cancer such as CAR T have given rise to gargantuan deals in the past, with Gilead’s €10.1B acquisition of Kite Pharma in 2017 being one of the biggest examples.
“Various venture entities and others had offered me over $1B (€850M) for the associated intellectual property,” said Sewell.
Cybersecurity isn’t a new issue in the world of biotech and pharma. Cyberattackers range from lone individuals to government-sponsored organizations and strike in a variety of ways, such as stealing data or sabotaging companies. While espionage can often be carried out by people onsite, cyberattacks are becoming more prevalent in a life sciences industry that is increasingly moving online.
Big pharma companies are usually the ones in the spotlight when it comes to cyber threats. In 2017, the US company Merck Sharp & Dohme (MSD) became the collateral victim of a Russian ransomware attack. Ransomware locks up the victim’s data until the perpetrator is paid to decrypt it. MSD lost at least €850M and is still battling with insurers to recoup the damages.
“More importantly, it actually led to a shortage of the HPV vaccine Gardasil in the US and we had to go through the strategic national stockpile,” said Charles Fracchia, CEO of the US life sciences and cybersecurity firm BioBright. “So we see that the impact of digital technology on real-world biotech and pharma workflows is very real, very tangible.”
As Sewell’s example demonstrates, big pharma companies aren’t the only ones that should be concerned about cybersecurity. There’s a worrying lack of data about how often small companies are in the firing line.
“There are no formal reporting structures or requirements, so we simply don’t know how often biotech startups and other entities are attacked, let alone whether they are more vulnerable or more attractive from an espionage standpoint,” explained Kathryn Millett, Research Provider at the UK non-governmental organization Biosecure.
What is clear is that cyberattacks on life sciences and healthcare organizations are intensifying amid the global Covid-19 pandemic.
In May this year, the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) warned that organizations working to tackle the pandemic are being increasingly targeted by cyberattacks, including the World Health Organization. In July, developers of Covid-19 vaccines were targeted by a Russian hacking group known as APT29. In September, a patient with a life-threatening condition died as a result of a ransomware attack that disrupted the operations of a German hospital.
While specific data is lacking, Fracchia estimates that the risk of cyberattacks has roughly tripled in the sector this year.
“Attackers are targeting across the board all the way down, even to the small actors,” said Fracchia. “And they are largely prioritizing their attack list by press releases and public information that’s out there about companies involved. So smaller biotechs and pharmas — nimbler, faster, scrappier — that do not typically have dedicated cybersecurity capabilities will get targeted.”
Why has there been a wave of cyberattacks during the pandemic? One big reason is politics around the development of a Covid-19 vaccine.
“Unfortunately, vaccine development has become a geopolitical national game as opposed to an international united fight against an adversary,” said Fracchia. “It’s been fundamentally driven by this idea you see in the public domain. Russia claims to have the first vaccine out there with Sputnik Five. It’s a matter of national pride.”
Matthieu Guitton, Professor at Université Laval, Canada, and expert in cyberbehavior, sees the biotech and pharma industry becoming a more lucrative target for profit-seeking cybercriminals thanks to the pandemic. The shift towards remote work caused by the pandemic could also be contributing to the problem.
“The massive switch to distance work and the ban on travel resulted in an increase of the proportion of espionage attempts carried out online rather than offline,” said Guitton.
Explosions in genomics, big data, and machine learning technology in the last several years are also showing their dark side. As they make it easier than ever to collect, stockpile, and analyze genetic data, they also make the data appealing to would-be cybercriminals.
“Biological data is unchangeable, so if someone gets hold of your genome sequence, you cannot replace or change it the way you would a compromised credit card or other personal information,” Millett said. “Therefore, biological data is more valuable than other types of personal data. In fact, there have been studies that show that the average cost of personal health information on the black market is worth over 300 times that of credit card details.”
Biotech startups could face big cybersecurity risks. Many of them rely on internet-connected lab devices to complete experiments, which could be vulnerable to hijacking. Also, the software they employ often has its roots in academic labs, which have historically had little need for built-in security measures.
“Those softwares are not sustained for a long period of time. Usually, they stop getting updated with funding and with personnel; once the postdoc or the PhD student leaves, that’s usually that,” noted Fracchia. “The capitalization of software by companies has largely been based on the core function without any regards towards security authentication.”
On a higher level, many biotech companies fail to even give enough thought to their cybersecurity. According to a survey published by Biosecure in 2019, 90% of the participants — leaders in biotech and cybersecurity firms — felt that insufficient time and resources were devoted to cybersecurity in their companies. Additionally, Millett told me that European life sciences companies seemed to lag behind US firms on this issue.
“In fact, the only sources of external guidance identified by any companies we surveyed at the time were all US-based,” Millett said.
There are many reasons why biotech startups need to take cybersecurity seriously, no matter what stage they are at. First, having manufacturing or lab operations vulnerable to tampering can cause major safety risks. Second, there is the risk of intellectual property theft, which no biotech entrepreneur wants. A third reason is the potential damage to drug development programs, which rely on trustworthy scientific data when liaising with regulators.
“If you get into Series A and all of a sudden your process is revealed to have been infiltrated for years and manipulated, or even that there was a potential for manipulation, that really changes the regulatory landscape,” Fracchia said. “That changes how you can trust the data in the beginning.”
Thankfully, biotech companies are becoming more aware of the need for cybersecurity, especially after media coverage of high-profile cyberattacks in 2020.
“Anecdotally, we have seen increased interest within European companies relating to cybersecurity in biotech in recent years, and this is likely to rise given espionage efforts connected with Covid-19 certainly don’t seem restricted to targeting US companies,” Millett said.
Nevertheless, this awareness needs to catch up to a fast-moving threat. Fracchia sees cyberattacks getting a lot worse going forward.
“The problem is that it’s become much more focused. Whereas before it was more opportunistic, the next stage is going to be advanced groups attacking,” Fracchia said. “If cybercriminal gangs can make money off of it, then we’re screwed. We’re screwed because then there’s a financial incentive and this stuff is just going to become background. And that’s a very scary prospect.”
What are some ways that biotech startups can protect their data going forward? Sewell recommends keeping some backups of key data offline and locked in a safe. Millett advises biotech companies to audit their own security measures regularly and seek the help of specialized cybersecurity companies. Fracchia advocates getting proprietary data-sharing software that offers security measures such as end-to-end encryption.
“If you’re a company, you have to use vendor software and you will have to evaluate security in a strong manner,” he said. “Ask for those [cybersecurity] features; force the vendors to put this in.”
While protection from outside cyberattacks is essential, it’s also important to remember data can be leaked by people inside the company either inadvertently or intentionally. Last year, for example, an employee at the Australian biotech giant CSL allegedly stole 25 gigabytes of sensitive corporate data to help him land a job at the Dutch company Pharming Healthcare. Some precautions against this include letting only a few employees access sensitive information and keeping visitors under supervision.
Furthermore, cybersecurity awareness needs to be drilled into every employee, not just those at the top level or those specialized in IT.
“The main issue with data security in biotech is that most people focus their attention on technology, while the weakest link of the cybersecurity chain is the behavior of people,” Guitton said.
Most fundamentally, biotech companies need to invest in cybersecurity from the founding stage.
“Biotech startups tend to focus the majority of their resources on R&D, clinical trials and advanced lab systems, while their IT systems and infrastructure tend to be given a lower priority,” Millett explained.
“Considering your cybersecurity needs from the outset rather than shoe-horning in security measures at a later date gives businesses and entrepreneurs the best security start.”
Even for biotech companies that are starting out with a shoestring budget, Fracchia told me that it’s still cost-effective to have cash ring-fenced for cybersecurity, and this should be clear to investors as well.
“If I created a biotech tomorrow, and I were to go out for funding, I would put [cybersecurity] in my budget because the reality is that I cannot risk losing the entire integrity of my company two weeks before I closed my Series A,” he explained.
“It is on everybody to realize that change. It’s on the founders; it’s on the VCs to understand that this is a risk problem, and it’s easily manageable.”
In order to tackle the cybersecurity problem in biotech long-term, Fracchia recommends blending the culture of cybersecurity with that of biotechnology.
“We are not mixing that culture, even in synthetic biology,” Fracchia concluded. “We need to be creating a whole new class of people who truly understand this merging of software engineering, computer science, and biology. Cybersecurity will need to play a role.”
Images from Anastasiia Slynko and Shutterstock