Do your vendors have sufficient technical and organizational measures to safeguard your data and ensure business continuity?
October 09, 2020
Universal Health Services (UHS) was hit by a massive ransomware attack, which is believed to be one of the largest cyberattacks on a medical institution in the U.S.
Philadelphia-based software company eResearchTechnology (ERT), whose software is used in hundreds of clinical trials, suffered a ransomware attack. The attack reportedly began two weeks earlier. Staff at the company found themselves locked out of their clinical trial data, some of which was being gathered for COVID-19 vaccine trials.
In a ransomware attack, attackers gain control of a computer system, encrypt the data on it and demand a ransom in exchange for the decryption key; increasingly they also copy the data first and threaten to publish it if the ransom is not paid.
A forensic investigation launched on September 21, 2020 revealed that the clinical trial software company's database had been hit by Ryuk ransomware.
Ryuk is a ransomware family operated by a well-known criminal group; in a typical Ryuk intrusion the operators first steal data and then encrypt the victim's systems, holding them until a ransom is paid. According to a study by Sophos, Ryuk was among the highest-earning ransomware operations of 2019.
How did the vendor react?
ERT was forced to take its systems offline, directed staff to work with pen and paper, and brought in outside security consultants to contain the damage.
Drew Bustos, ERT’s vice president of marketing, said the attack had been ‘contained’ and the FBI notified.
However, he refused to say whether a ransom had been paid, or whether they had identified suspects.
ERT did not identify the cybersecurity experts it hired, but did say it was taking steps to prevent another incident from happening.
What is the impact for CROs and sponsors who use ERT software in clinical trials?
ERT has not specified how many clients and trials were affected, but its software is used in clinical trials in North America, Asia and Europe. According to the company's website, its software was used in about 75% of the clinical trials that led to drug approvals by the U.S. Food and Drug Administration (FDA) in 2019.
Several of ERT's clients were affected by the attack, including IQVIA, the contract research organization helping manage AstraZeneca's COVID-19 vaccine trial, and Bristol Myers Squibb, the drug maker leading a consortium of companies developing a quick test for the virus.
Bristol Myers Squibb and IQVIA said they were able to limit the disruption because their data was backed up. Other ERT customers had to move their clinical trials to pen and paper.
IQVIA's statement says it is not aware of any compromise of sensitive data, while noting that the investigation is still ongoing: “At this point in the investigation, we are not aware of any confidential data or patient information, related to our clinical trial activities, which have been removed, compromised or stolen.”
What are the internal consequences?
ERT's President and CEO, Jim Corrigan, was asked by management to step down over the failure to take the measures needed to defend the company's database against the attack; he will be replaced by Joe Eazor, a former CEO of Conifer Health Solutions.
Is the Biopharma Industry well prepared for cyberattacks?
This incident is not the first in the biopharma industry. The sector is attractive to attackers because they know that locking up its systems has an enormous impact on the business and on people's lives, which makes victims more likely to pay. The situation threatens the integrity of clinical trial activities.
Ransomware attacks are an increasing threat, especially given the enormous pressure on companies to come up with a safe COVID vaccine.
Money is the motivating factor behind most ransomware attacks, and the ransoms can be considerable. This summer, the University of California San Francisco (UCSF) medical school paid a ransom of $1.14 million in Bitcoin, a payment method that is difficult, though not impossible, to trace.
Keep in mind that a medical record can sell for between $1 and $1,000 on the dark web, depending on how complete it is.
So far this year, a total of 53 health care providers and health care systems in the U.S. have been hit with ransomware, affecting care at up to 503 individual hospitals and medical clinics, according to the cybersecurity firm Emsisoft.
In Germany, a ransomware attack in recent weeks led to what is believed to be the first known death caused by a cyberattack: Russian hackers seized 30 servers at University Hospital Düsseldorf, crashing its systems and forcing the hospital to turn away emergency patients. According to the German authorities, a woman in a life-threatening condition had to be sent to a hospital 20 miles away in Wuppertal and died as a result of the delay in treatment.
MyData-TRUST strongly advises you to assess your high-risk processing activities and to set up a procedure for handling a data breach (whether caused by a cyberattack or otherwise).
The most important thing is to be prepared
This incident raises the question of whether biopharma companies are prepared to deal with cyberattacks, made all the more pressing by the urgency of clinical trials for COVID-19 vaccines and therapeutics.
Are your processors prepared? Under the GDPR (Article 28), data controllers may only appoint data processors that provide sufficient guarantees to implement appropriate technical and organisational measures so that processing meets the requirements of the GDPR. Assess your vendors!
However, zero risk does not exist; the key is to be prepared. At MyData-TRUST we encourage sponsors to identify a data breach response team (data protection, IT, HR, Legal, PR, etc.) in which each member knows what will be expected of them, and to designate a company spokesperson, since effective communication is essential to control and limit the impact. As the experience of IQVIA and Bristol Myers Squibb shows, backups held separately from the affected systems are what allow a trial to keep running. Finally, review your processes regularly as the business environment changes: How was the situation handled? Which aspects of the process can be improved (new procedures, staff training, new tools)? A cyberattack can happen and probably will; the best time to prepare is now.
If in doubt, work with a professional team.