
How prepared is biopharma for the cyber doomsday?


One of the largest cyberattacks in history happened on a Friday, Eric Perakslis distinctly remembers.

Perakslis, who was head of Takeda’s R&D Data Sciences Institute and visiting faculty at Harvard Medical School at the time, had spent that morning completing a review on cybersecurity for the British Medical Journal. Moments after he turned it in, he heard back from the editor: “Have you heard what’s going on right now?”


He had not. While he was knee deep in the review, a ransomware later known as WannaCry ripped through the globe at breakneck speed, descending on a quarter million computers in more than 150 countries. One of the hardest hit groups was the United Kingdom’s National Health Service, which saw tens of thousands of devices — computers, MRI scanners, blood-storage refrigerators and other equipment — compromised, bringing many hospitals to a standstill for several days. By the time the NHS sorted through the rampage, government officials estimated the attack had cost them £92 million, or $120 million, both in direct costs and lost output — including more than 10,000 canceled appointments.

For Perakslis, looking back, the coincidental timing was almost eerie. But having first called on the healthcare industry to take cyber threats seriously in 2014, Perakslis had already warned others something like this could happen.

“I wasn’t surprised at all,” he told Endpoints News. “It’s not validation. It’s just like … I hate to be right.”

Five years and a pandemic later, as the whole world got a crash course on battling a highly contagious virus, the issue of defending oneself against malicious, insidious cyberthreats appears to have quietly taken root in biopharma. It came largely thanks to a confluence of factors, from the new reality of remote work to realizations about how dangerous it could be when, say, the rollout of a lifesaving vaccine is compromised.

Even as some warn industry is woefully unprepared for coordinated attacks, in many ways, drug developers are heeding the call to pay serious attention.

“I actually think that most of the pharmas are getting there,” said Perakslis, who’s since moved to the chief science and digital officer role at Duke Clinical Research Institute. “Do I think they’re meeting the threat? No. But I think they’re doing a good job trying to get there.”

Multiple biopharma companies declined to comment, citing the fear of becoming a target. But experts offered advice on how to navigate the ever-evolving threats of cybersecurity, which can ripple well into the future, in an industry where security is tough in a connected ecosystem of universities, research centers, labs, patient groups and hospitals.

“We need to focus on really defining and explaining what we need to protect,” said Kathryn Millett, a researcher at the UK-based NGO Biosecu.re.

War, crime and others

In 2017, Merck fell victim to NotPetya, an attack instigated by the Russian government that affected multiple big companies. But the aftermath of the attack continued to generate new headlines in 2022.

A court ruled earlier this year in the pharma giant’s favor, deciding that it should be awarded $1.4 billion in insurance payout for the damages it suffered when the malware wiped out years of research, disrupted sales operations and crippled Gardasil 9 production facilities, forcing the company to dip into the US national stockpile.

Bob Maley, chief security officer at the cyber risk monitoring service firm Black Kite, describes it as a “watershed moment.”

It was useful not just in illuminating what could happen when a drugmaker gets swept up in a large-scale cyberattack, but in helping define what people mean when they talk about cyberthreats in the biopharma space. For one, NotPetya illustrated the difference between cybercrime, where the ultimate goal often is to extort money, and cyberwar, which is always meant to be destructive.

“Those things do happen, but I think that for most business purposes, that kind of event — there’s not much we can do about that,” Maley said, referring to NotPetya. “If those state actors decided they’re going to do something in a cyber warfare, they’re going to do it.”

Other, more mundane kinds of attacks, though, can be just as devastating. The potential consequences vary widely, as do the points or modes of attacks, straddling the precarious line between the corporeal and the digital.


The sheer range of possibilities for cyberattacks in life sciences led a group of researchers to propose the term “cyberbiosecurity” in 2017 “as a formal new enterprise which encompasses cybersecurity, cyber-physical security and biosecurity as applied to biological and biomedical-based systems.” Although that was credited by some for kicking off the conversation, Jean Peccoud, a synthetic biology researcher and professor at Colorado State University who co-authored that paper, noted it’s still a broad definition.

“This is a loosely defined field,” Peccoud said in an email to Endpoints.

Depending on who you are and what you are working on, the concerns could be vastly different. Peccoud himself, for instance, believes what’s unique to life science is the “dual representation of DNA sequence”: They exist as both molecules and as computer records, and translating or even transcending the two is increasingly convenient. That’s why for him, the scariest thing that could happen would be a biosecurity incident caused by an engineered organism, possibly with malicious DNA sequences designed in software, which could affect people’s health.

Some may be most worried about confidential data getting leaked; others may fear getting brought to a standstill when hackers lock down operations, demanding a ransom. For many, the nightmare scenario happens when attackers are lurking within company data, and no one knows about it — giving bad actors free rein to tamper with, to take an extreme example, the formula or quality control tests for a drug and thereby endangering patients.

“The state of play as it stands is that the problem of cyberbiosecurity itself is so large and nebulous that we cannot yet provide any clear messaging, guidance or solutions,” Millett of Biosecu.re said.

With bigger data…

While the threats of cyberattack are ubiquitous, security researchers, advocates and vendors have long warned that biopharma was a much greater target than other sectors.

“These industries offer an attractive target for cyberattacks because of their substantial investment in research and development, valuable intellectual property, connected IT and operational networks, and sensitive stores of data,” an MIT group wrote in 2018.


Emil Hewage is co-founder and CEO of BIOS Health, a Y Combinator-backed startup striving to personalize neural medicine through real time reading of patients’ neural code.

“In the discovery ecosystem we generate every week more data than that has been generated by public research efforts,” he said. “So we’re talking about many terabytes of brand new data sets per week.”

BIOS is but one player riding on a tidal wave of new discovery technologies generating data at unprecedented scale, which is often accompanied by the requisite analysis tools to interpret them. At the same time, research, development and manufacturing operations are all turning to more sophisticated technologies and data systems to measure and monitor performance on an ever-growing list of indicators.


“The growing emphasis on cybersecurity is occurring at the same time that the industry is arguably changing to one driven by data,” said Kelvin Lee, director of the Manufacturing USA National Institute for Innovation in Manufacturing Biopharmaceuticals (NIIMBL), in an email.

Biopharma companies are also somewhat unique in how they are entangled in a complex ecosystem of universities, research centers, labs, patient groups, hospitals and more. That’s not to mention regulators, who impose an additional layer of compliance requirements.

“It’s not just a matter of number of systems, but also number of integrations between those systems,” said Adin Stein, head of engineering operations, IT and cybersecurity at cell therapy developer Lyell.

Then there are more ways for hackers to target companies. Businesses in general have been using more devices and connecting them, exponentially expanding the number of what security folks call “attack surfaces.”

“This is more data to lose or more subtle ways for that to be extracted and exhibited privily now,” Hewage said.

Perakslis and Peccoud also both point to a concept in the cyber space known as asymmetry: For any corporation, cybersecurity is a cost that executives try to minimize. Hackers, on the other hand, stand to gain immensely from an attack, and one person can theoretically take down an entire company (even though they usually work in groups these days).

The good thing about general problems is that general solutions exist, such as employee training and cyber hygiene.

At Black Kite, Maley said his team has gone through a long list of recommended cyber practices to try and predict which companies are most at risk of becoming victims of ransomware.

“What we found was that the bad actors, out of all those hundreds of things that could be exploited, they were only exploiting a very small subset,” he said. “What’s shocking to me is so few things that a company could do to reduce their likelihood of being a victim, for some reason, they just don’t do.”

They include patching the systems on old servers to get rid of vulnerabilities, configuring emails so that it’s harder for hackers to send phishing emails, mandating multi-factor authentication and asking employees not to use the same passwords for everything — lest their login information end up on the dark web and become easy keys for hackers in attacks dubbed credential stuffing.

“Basic, basic, basic kind of things,” Perakslis said. “It doesn’t protect you from the really hard stuff. But again, it’s like driving without a seat belt, you know. Seat belts are not going to keep you out of an accident. But it’s dumb if you get into an accident, you didn’t have one on.”

Building defense

When Kathryn Millett at Biosecu.re first conducted a pilot survey of biotech and cybersecurity leaders, all respondents agreed that cyberbiosecurity risks posed a “real and current threat.” In a follow-up survey that’s still ongoing, she’s heartened to find that the awareness has “trickled down to lab practitioner level.”

“I think there’s been enough sort of news out there, you know, and enough big stories that biotech is really taking notice, and recognizing that there’s a lot at stake and they don’t want to be part of that story,” Stein, the Lyell exec, observed.

Even if biopharma companies don’t go around boasting about it, plenty of signs point to a greater emphasis on cybersecurity. Big Pharma is increasingly bringing chief information officers into the executive suite when in the past they might have reported to the CFO. By Perakslis’ count, budgets are also increasing.

A report by cybersecurity solution provider Fortinet last year found that 98% of pharmaceutical companies surveyed “experienced at least one intrusion,” and around half of them saw between three and five intrusions. But importantly, business-critical data or intellectual property were among the least impacted.


“With the uptick of these intrusions in general, companies have likely gotten better about protecting business-critical data, but that’s not to say cyberattacks targeting these pharmaceutical organizations are not serious, but it is possible that data is better segmented to prevent cascading impact if an intrusion happens,” said Troy Ament, Fortinet’s chief information security officer.

Lee, the NIIMBL director and University of Delaware professor, noted that while the leading pharma companies are sophisticated in the space, performance is also uneven.

“Smaller companies in the field that have just a few years of experience usually do not have strong cybersecurity protocols or the funding to invest in third-party analysis and compliance services,” Alex Zhavoronkov, co-CEO of the AI drug discovery company Insilico, wrote to Endpoints. “This sometimes worries me a lot.”

At companies that do allocate enough resources, cybersecurity often consists of three pillars: cutting-edge technology that cements every system update patching vulnerabilities; outside experts who provide intelligence and an assessment of risk levels; and a framework to integrate the handling of cyberattacks into the rest of the risk management system.

“One of the best cybersecurity strategies starts with assuming you’ve already been hacked because what happens when you’re hacked, you’re going to look for data that’s leaving,” Perakslis said, and he noted companies are getting better about using real time threat surveillance data to identify and jump on issues.


Biopharma could also learn from other industries, Maley said, drawing on case studies such as the breach experienced by Colonial Pipeline, where a mix of exposed remote access ports and credential stuffing led to catastrophe.

For smaller players, Hewage noted, it’s best to start thinking about cybersecurity before they lay their hands on sensitive data. Alternatively, Zhavoronkov noted Insilico decided to lower the risk by minimizing the amount of patient data its platform relies on — while carefully following compliance protocols demanded by Big Pharma partners and engaging providers to perform stress tests.

“I think as you think about particularly emerging biotech, one of the key lessons that I’ve picked up on through the community is the idea of security by design,” Stein said. “It is easier to put a security program in place and develop a culture of security than it is to go back and retrofit.”

Still, no defense is permanent.

“While the industry has certainly taken notice, being on alert never ends,” Ament said.

Culture of secrecy

After a cyberattack, biopharma companies are reluctant to share what happened with other drugmakers, losing what could be teaching moments. Maley said what to disclose has been an issue even going back to a 2006 cybersecurity conference that he attended.

“We’re still talking about it 16 years later,” he said.

To this day, Merck has kept public statements about the NotPetya attack to a minimum. And while others, from Dr. Reddy’s to Roche to Bayer to more recently Novartis, have reported cyber intrusions, they often don’t offer any details beyond whether any sensitive data were compromised.

There are legitimate reasons for staying mum, Perakslis said: “One of the important reasons is that you would never give an adversary your playbook.”

There are also few laws requiring disclosure, while board members do have a fiduciary responsibility to shareholders — which often means to limit bad press.

“I think most companies when they experience these things, one of the first questions that management asks is, well, who do we have to tell? Not who should we tell,” Maley said.

But conversations do happen, Stein said, where specifics are kept confidential and lessons are shared, whether through speaking engagements at conferences, consulting vendors or contributing to the creation of industry standards.

“I wouldn’t assume that if you’re not hearing from a particular organization, they’re not contributing very heavily to quite complex discourse,” said BIOS CEO Hewage. “And in some senses, it’s best to trust really heavily peer reviewed and vetted, industry wide conversation.”

Government agencies can sometimes play that middleman role. The US Department of Homeland Security, for instance, has established Information Sharing and Analysis Centers for early information sharing; the Department of Health and Human Services set up the Health Sector Cybersecurity Coordination Center to do something similar and alert stakeholders to threats; and the UK is also reviewing its biosecurity strategy.

That said, it is nearly impossible to truly tell how prepared a certain company is against cyberattacks — and even with options for sharing, companies tend to be selective about what they say. As a pharma insider told Endpoints, “There’s no prize for naiveté.”

Finding a balance

Even those who are most steeped in cyberbiosecurity advocacy tend to acknowledge that cybersecurity cannot, and should not, be the sole focus of biopharma companies. Their stated mission, after all, is to develop new vaccines and treatments for diseases.

With all the other projects, plans and needs vying for attention, Perakslis said it’s all a matter of prioritization and resource allocation — thinking through how much money to spend on things that are likely but low impact, versus those that are unlikely but high impact.

Understanding the risks and impact thoroughly, then, becomes key.

Finding reference in other areas, Peccoud noted that the aviation industry has an incident reporting system that’s essential to develop its safety culture. Voluntary reporting is shielded from prosecution, which, along with the National Transportation Safety Board, provides material that can be discussed in training or to develop regulation.

“Without transparency the bad guys will always have the edge,” he said.


Las Vegas Strip Gets a Brand New Technology


It's not just Caesars and MGM innovating on the Strip. A number of other companies are trying big ideas.

Las Vegas has quietly become a hotbed for innovation. Some of that has been driven by the major casino operators -- Caesars Entertainment (CZR), MGM Resorts International (MGM), Resorts World Las Vegas, and Wynn Resorts (WYNN) -- trying to outdo each other to win over customers.

Some innovations are ostentatious and hard to miss, like the MSG (MSGE) Sphere being built at the Venetian. That first-of-its-kind concert venue looks as if it dropped to Earth from a technologically advanced civilization, and it has raised the bar for performance venues.

Many innovations, however, aren't as obvious. Caesars, for example, uses an artificial intelligence text-based concierge that's surprisingly effective. "Ivy," as it goes by, can answer questions, help with mundane tasks like getting clean towels delivered, or advance your issue to a human where needed.

Innovations big and small are happening up, down, and under the Las Vegas Strip. Elon Musk's Boring Co. has been building a network of tunnels under the city that will eventually use driverless Tesla (TSLA) electric vehicles to ferry people all over the city.

That's a revolutionary idea -- but now a rival has emerged.  


Musk Goes Low, Lyft Goes High?

Musk's Boring Co. has a bold plan for more than 50 stations connecting the Las Vegas Strip to the airport, the Convention Center, Allegiant Stadium, and Fremont Street using driverless Teslas. 

Currently, only a small portion of that network has been built -- a section connecting the two halves of the Las Vegas Convention Center (and one connecting Resorts World Las Vegas to that same location).

For Musk and Boring Co., it's all about taking traffic off the city's busy streets and bringing it underground.

"During typical peak hours, driving from the Las Vegas Convention Center to Mandalay Bay, for example, can take up to 30 minutes. The same trip on Vegas Loop will take approximately 3 minutes," the company says on its website.

If Musk's plan is fully built, it'll effectively give Las Vegas a modern subway, helping alleviate road congestion. It will not, however, stop tourists from using ride-share and taxi cabs.

Now, ride-share company Lyft (LYFT) has brought a solution to Sin City that may ultimately help it solve another problem: a shortage of taxi and ride-share drivers.

Lyft Brings Driverless Cars (Sort of) to Las Vegas

Labor in Las Vegas has been in short supply since the pandemic hit. Some people left the city and others found work outside the service-industry jobs that fuel the Las Vegas economy. At times, that has made the wait for a cab, or a ride-share from Uber (UBER) and Lyft, longer than usual.

Lyft plans to fix that by partnering with Motional to bring Motional's "Ioniq-5-based robotaxi, an autonomous vehicle designed for fully driverless ride-hail operation, to the Lyft network in Las Vegas," the ride-share company shared in a news release.

The Ioniq 5 is Hyundai's (HYMTF) prominent EV. Motional is the Boston joint venture between Hyundai and automotive-technology specialist Aptiv (APTV).

"Launching Motional’s all-electric Ioniq 5 on Lyft’s network in Las Vegas represents tremendous progress in our vision to make an electric, autonomous, and shared future a reality for people everywhere," said Lyft CEO Logan Green.

It's Self-Driving Lyfts, But...

There is, however, a pretty big catch.

"Each vehicle arrives with not one but two backup drivers standing by to take control of the car should anything go wrong," Casino.org's Corey Levitan reported.

Lyft has promised a truly driverless system at some point in 2023, but current laws and the state of driverless technology make the backups necessary.

Motional and Lyft have quietly been testing driverless vehicles in Las Vegas since 2018. In the news release, Lyft explained how the system works.

"This means riders are able to easily control their ride without assistance from a driver. The enhanced experience includes unlocking the doors through the Lyft app and starting the ride or contacting customer support from the new in-car Lyft AV app, an intuitive in-ride display tailored to autonomous ride-sharing," the company said.

Lyft and Boring Co. are not working together. But if Musk's plan takes vehicles off Las Vegas's streets, the new program makes the experience better for any that remain. 

Ride sharing and taxis will continue to cost significantly more than using Boring Co's subway-like system, so it's easy to see how the two options will work well together.

 

  


AEMD: Positive Results in a Range of Conditions, Including COVID-19 & Monkey Pox


By M. Marin

NASDAQ:AEMD

READ THE FULL AEMD RESEARCH REPORT

Expanding the Potential Indications for Hemopurifier Treatment

Aethlon Medical's (NASDAQ: AEMD) clinical trials are moving forward and expanding, as AEMD continues to demonstrate the effectiveness of its lead product, the Aethlon Hemopurifier®, in a broad range of viruses and conditions in single patient emergency use cases and in in vitro analysis, including COVID-19 and various variants and Monkey Pox, among others. The Aethlon Hemopurifier® is being studied in a severe COVID-19 clinical trial under the company's open IDE (Investigational Device Exemption) for life-threatening viral infections.

The safety and feasibility of the Hemopurifier is being evaluated in an Early Feasibility Study (EFS) that will enroll up to 40 COVID-19 ICU patients. The first patient was enrolled in this study in June 2022 and has completed the Hemopurifier treatment. AEMD has nine fully activated hospitals that are actively screening patients for the trial.

In addition to this study, the Hemopurifier has demonstrated positive results in two severely ill patients under individual emergency use and in in vitro analysis. The Hemopurifier has produced positive results in binding seven variants of the SARS-CoV-2 (severe acute respiratory syndrome coronavirus 2) virus in vitro, as discussed in an article1  that AEMD's CEO Dr. Charles J. Fisher Jr. and the company's Chief Medical Officer Dr. Steven LaRosa contributed to.

The company is also conducting a study of the impact of the ...

Full story available on Benzinga.com
