A month ago, almost to the date, Dr Reddy’s Laboratories detected a cyber attack and isolated all data centre services. Soon enough, Lupin too reported an “information security incident”. The two incidents, barely a fortnight apart, had industry watchers question if it was merely an eerie coincidence or was there a concerted effort against the Indian pharmaceutical industry?

Indian drug makers have been playing a key role during the Covid-19 pandemic, from supplying hydroxychloroquine (when it was much sought after) to working on Covid-19 vaccine candidates. DRL, for instance, has an alliance on the Russian Sputnik V vaccine.

Not too long ago, cyber attacks were reported on US research facilities that worked on Covid vaccines. Adding to the intrigue, a joint cyber-security advisory from US authorities, including the Federal Bureau of Investigation (FBI), late October, cautioned of “an increased and imminent cyber crime threat to US hospitals and healthcare providers.”

Given the heightened global alert, Indian drugmakers are playing their cards close to the chest when it comes to protecting themselves from online miscreants, who range from random troublemakers to serious criminals in search of data. Initial information suggests that one of the drug-company attacks came from the East European region.

“Even talking about it could attract those in search of a challenge,” a pharma industry representative explains. Companies have been engaging consultants and training employees in “online hygiene”, especially during the pandemic when digital services have increased and many work from home, leaving online networks with unsecured entry points.

Hackers are a step ahead and they need to get it right just once, laments a top executive with a drug major.

The cost of data breach

The increasing cyber threats seem to be an attack on the Indian pharma industry in the light of the pandemic, says Srinivasan HR, Vice-Chairman and Managing Director with TAKE Solutions. “With each year, cyber attacks are becoming more sophisticated and businesses are becoming more vulnerable. The key here is to stay vigilant and informed, to take precautions and advise employees on the do’s and don’ts when it comes to operating or downloading resources from the internet,” he says.

Citing IBM’s Cost of a Data Breach 2020 report, he says the average cost of a data breach in healthcare is $7.3 million. “Healthcare industry incurs the highest average data breach cost. It is 84 per cent higher than the global average. Even though this figure varies across geographies, the average cost of a data breach in healthcare has been the most expensive for over a decade. This year was a 10 per cent increase over 2019.”

On the US warnings, he says pharma companies should assess existing security policies, infrastructure, and fix vulnerabilities. Continuous investment in keeping data secure and a comprehensive cyber security strategy are critical.

Incidents of hackers trying to breach firewalls of healthcare companies have increased “because of the sensitive and valuable data collected by pharmaceutical companies — patient information, proprietary information about patented drugs, technological advancements, etc. Losing control over such data can have adverse effect and erode patient and consumer trust,” he points out.

Cat-and-mouse game

It is a “cat-and-mouse game”, so a multi-pronged strategy is needed to avoid and limit the damage that such threat actors can create, says Sreeji Gopinathan, Lupin Chief Information Officer.

“There has to be a constant vigil of internal and external indications of compromise and attack. This assessment should lead to strategies like perimeter monitoring for in/out traffic, lateral movement within internal systems, end-point detection and response management for vulnerabilities, segregation and micro segmentation of networks to protect critical operations and assets, threat intelligence including behaviour analysis … effective back-up protocols, etc,” he explains.

In the event of a breach, there should be “a robust mechanism to contain the spread and recover safely as quickly as possible to minimise business disruption and data loss.”

Clearly documented back-up plans should be activated and an emergency response team should be in place to keep critical operations running. Data recovery from offline back-ups should be along defined priorities in the recovery plan. And, importantly, adequate cyber insurance would help mitigate any financial impact to a great extent, he says.

As strong as the weakest link

Across industry, Covid accelerated digital plans, says Sujay Shetty, PwC’s Health Industries Leader. A plan for five years later has been advanced, sensitive data is stored virtually (on Cloud); connectivity has increased (via Internet of Things); automation links shop floors, labs, etc.

Srinivasan observes that hackers usually pick high-value targets for attacks. “The chain is only as strong as its weakest link, so every segment needs to be secured and there cannot be a bias when it comes to security,” he cautions, on the threat that lurks within the digital ecosystem.

Cyber breaches
  • Hackers seek proprietary information that directly profits them.
  • Common breaches are through phishing, business email compromise, malware, Man in the Middle attack and Zero-day exploit.
  • Companies are deploying red team/blue team exercises to secure data infiltration points and patch network vulnerabilities.
  • Ransomware and other cyber attacks increased sharply this year; hospitals have been vulnerable during the pandemic. Since July 2020, US hospitals in New York, Nebraska, Ohio, Missouri and Michigan have all been attacked by some form of ransomware.