
The pharmaceutical sector is a major target of cybercriminal activity. Pharmaceutical companies are integral to healthcare supply chains, they’re responsible for managing a large volume of extremely sensitive data, and they contend with security vulnerabilities that cybercriminals are increasingly adept at exploiting. These are a few of the reasons cyberattacks will continue to be among the most urgent threats to the sector.
There are many forms of pharmaceutical data that cybercriminals are eager to steal and hold hostage. This data includes drug formulas and other types of IP, clinical trial results and other research, and patient health data. One of the biggest vulnerabilities for pharmaceutical companies is human error, which has been implicated in many of the most crippling breaches in the sector. Another vulnerability is the reliance on vast and highly interconnected supply chains, from manufacturing facilities to retailers to healthcare systems. Breaches at any link of these supply chains have the potential to give cybercriminals the foothold they need to infiltrate secure networks and cause widespread disruption.
Pharmaceutical companies have been hit by a relentless barrage of cyberattacks in recent years, and this onslaught shows no sign of slowing. This is why companies in the sector must conduct a comprehensive assessment of their cybersecurity posture, from the level of cybersecurity awareness among employees to third-party vulnerabilities. Although pharmaceutical companies are under sustained attack, there are many ways to keep their data and operations secure — which will ensure that patients who rely on their services are safe.
Cyberattacks plague the pharmaceutical sector
There have been many devastating cyberattacks on pharmaceutical companies in recent years, which have compromised the data of millions of people, cost billions of dollars, and prevented patients from receiving the medication and care they need. According to IBM, data breaches in the pharmaceutical sector cost an average of $5.1 million — more than the average across industries. Because the sector is so intertwined with healthcare more broadly, pharmaceutical companies are often heavily impacted by healthcare breaches. This is an urgent problem, as the healthcare sector has suffered the costliest average breaches every year since 2011.
One of the largest providers of pharmacy services in the United States, PharMerica, was hit by a major ransomware attack in March 2023. The data of over 5.8 million people was compromised, and it included Social Security numbers, names and addresses, medication data, and health insurance information. During the COVID-19 pandemic, Microsoft detected a large-scale cybercriminal campaign targeting “leading pharmaceutical companies and vaccine researchers in Canada, France, India, South Korea and the United States.” In December 2020, a spear-phishing attack on the European Medicines Agency (EMA) led to the theft and publication of documents relating to Pfizer and BioNTech COVID vaccine development.
It’s clear that the pharmaceutical sector remains firmly fixed in cybercriminals’ crosshairs. Security leaders at pharmaceutical companies must address the vulnerabilities that have led to these attacks, from human error to supply chain infiltration — a process that begins with understanding exactly what those vulnerabilities are.
How cybercriminals infiltrate pharmaceutical companies
Several factors make the pharmaceutical sector uniquely susceptible to cyberattacks. Beyond the immense value of the sensitive data that pharmaceutical companies are responsible for storing and protecting, there are many attack vectors cybercriminals can leverage in the sector. Complex supply chains give cybercriminals many opportunities to break into secure networks and launch wider attacks, increasingly digitized operations have increased the size of the attack surface, and social engineering attacks have proven to be extremely effective in the sector.
According to Verizon, the human element is involved in 68 percent of breaches. IBM reports that human error is among the “most common root causes for a pharma data breach,” while KPMG found that a top focus for CISOs in the sector is the “lack of an enterprise-wide cybersecurity mindset.” These facts highlight the importance of robust cybersecurity awareness training.
Third-party cybersecurity is also a critical issue in the pharmaceutical sector. Pharmaceutical supply chains encompass drug manufacturing, distribution, and sales, as well as digital ecosystems for patient interactions and collaboration with health providers. One of the largest cyberattacks in history hit Change Healthcare in early 2024. The breach affected 190 million people and had a massive impact on the pharmaceutical sector, as Change Healthcare provided payment processing for 67,000 pharmacies that serve 129 million patients. Many of these pharmacies couldn’t fill prescriptions or transmit insurance claims.
A lawsuit filed by the state of Nebraska against Change Healthcare alleges that the attack was caused by the breach of a “low-level” customer support employee’s account credentials. This is a powerful reminder that social engineering and third-party vulnerabilities are among the most severe and potentially destructive threats to pharmaceutical companies.
Building up healthy cyber resistance with employee awareness
Many cyberattacks on the pharmaceutical sector are attributable to social engineering. For example, cybercriminals targeted European Medicines Agency employees by impersonating colleagues and sending malware via email. In November 2020, AstraZeneca was the victim of a phishing scheme in which cybercriminals purported to be recruiters on LinkedIn and WhatsApp. Microsoft reported that many attacks on the pharmaceutical sector around this time used “spear-phishing lures for credential theft.”
The prevalence of social engineering attacks on the pharmaceutical sector is alarming, but it demonstrates that cybersecurity awareness training could dramatically improve the security posture of companies in the sector. IBM reports that employee training is the top mitigating factor in the cost of data breaches, outpacing encryption, AI insights, and many other cybersecurity resources. However, for this training to be effective, security leaders at pharmaceutical companies must focus on making it relevant, personalized, and engaging.
Relevant awareness training must cover the most urgent attack vectors in the pharmaceutical industry and how cybercriminals exploit them. For example, cybercriminals could manipulate employees with phishing messages that purport to be from hospital administrators, researchers, or manufacturers. AI has made these attacks even more effective, as cybercriminals can send plausible phishing messages without any industry knowledge. Personalization refers to awareness training that accounts for different behavioral profiles, learning styles, and roles within the organization. Engagement is necessary for sustainable behavior change because it focuses on capturing and holding employees’ attention with vivid real-world examples (such as the PharMerica or EMA breaches), personalized training content, and actionable information. Security leaders can also increase engagement with assessments like phishing tests.
While cybercriminals will continue to attack the pharmaceutical sector, security leaders can prepare by focusing on their biggest vulnerabilities — from weak links in the supply chain to employees’ susceptibility to social engineering. This will ensure that they continue to deliver vital medicines and other services to patients and keep the entire healthcare system safe.