Study Reveals Extent of Cybersecurity Vulnerabilities at Major Pharmaceutical Firms

Reposify, a provider of an external attack surface management platform, has published the findings of a study of security vulnerabilities at pharmaceutical firms which shows the vast majority of pharma firms have unresolved vulnerabilities that are putting sensitive data and internal systems at risk of compromise.

The study was conducted to assess the prevalence of exposures of services, sensitive platforms, unpatched CVEs and other security issues. Data analyzed for the Pharmaceutical Industry: 2021: The State of the External Attack Surface Report were collected over a two-week period in March 2021 and covered 18 of the leading pharmaceutical companies worldwide and more than 900 of their subsidiaries.

Pharmaceutical companies hold vast amounts of sensitive personal data and extremely valuable drug and vaccine research data. That has made them an attractive target for cybercriminals. During the COVID-19 pandemic, nation state hackers targeted pharma and biotech firms to gain access to sensitive COVID-19 research and vaccine development data.

According to the 2020 Cost of a Data Breach Report from IBM Security/Ponemon Institute, pharma and biotech firms had a high rate of security incidents in 2020, with 53% of them resulting from malicious activity. The average cost of a pharma data breach in 2020 was $5.06 million and the average time to identify and contain a breach was 257 days.

“With the pandemic causing a rush to scale and digitize, pharmaceutical companies’ digital footprints have further expanded creating many new blind spots where attackers could and did easily break in to access confidential, highly sensitive data,” explained Reposify.

In 2020 there were hundreds of mergers and acquisitions, with larger pharmaceutical firms buying up smaller companies in the sector. These smaller firms were typically focused on fast innovation and agility, which often meant insufficient resources were put into cybersecurity. M&A transactions therefore had significant potential to introduce major security risks.

Reposify researchers analyzed 2020 M&A transactions and found in 70% of cases, the newly acquired subsidiary had a negative impact on the security posture of the parent company. The vulnerabilities introduced were often considerable, “adding tens, or in some cases, hundreds of sensitive exposed and unpatched services.”

The researchers analyzed the prevalence of key risks which are visible externally and could potentially be exploited by cyber threat actors, including misconfigured databases and cloud services and unpatched software vulnerabilities. The median number of high severity security issues per company was 269, with a median of 125 critical severity issues per company.

Key findings from the report include:

  • 92% of pharmaceutical companies had at least one exposed database which was potentially leaking data.
  • 76% had an exposed RDP service.
  • 69% of exposed services discovered were classified as being a part of the unofficial network perimeter.
  • 50% of pharma firms had an exposed FTP with anonymous authentication.
  • 46% of pharma firms had an exposed SMB service.

“Pharmaceutical companies must harden their security and make it more difficult for attackers to gain a foothold in their systems,” said Reposify. “This effort must begin with gaining a clear view of their external attack surface and continuous monitoring and elimination of risky attack vectors.” The report also highlighted the importance of performing pre-acquisition cybersecurity due diligence, including mapping and analysis of the acquisition target’s external attack surface.
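The following is an added defender-side illustration of the practice the report recommends (keeping a current view of externally visible services, and checking an acquisition target's perimeter before the deal closes). It is example code written for this page, not Reposify's tool, scoring model or data. It takes a constructed inventory in the shape of an external scan export, classifies each record into the service classes the findings list (exposed databases, RDP, anonymous FTP, SMB), computes a headline figure of the kind the report quotes (share of organisations with at least one exposed database), and reports what a target would add to the parent's perimeter. The port-to-category map, the severity labels, the organisation names and every inventory record are assumptions made for the example; the addresses come from the RFC 5737 documentation ranges.

```python
from collections import Counter

# Ports for the service classes the report calls out. The port list and the
# severity labels are assumptions for this example, not the report's scoring.
RISKY_SERVICES = {
    3389: ("rdp", "high"),
    445: ("smb", "high"),
    21: ("ftp", "medium"),
    1433: ("database", "critical"),
    3306: ("database", "critical"),
    5432: ("database", "critical"),
    27017: ("database", "critical"),
    9200: ("database", "critical"),
}

# Constructed inventory: one record per (organisation, host, port), the shape
# an external attack surface scan would export. Hosts are documentation IPs.
INVENTORY = [
    {"org": "parent", "host": "203.0.113.10", "port": 443, "anonymous_login": False},
    {"org": "parent", "host": "203.0.113.11", "port": 3389, "anonymous_login": False},
    {"org": "sub-a", "host": "198.51.100.5", "port": 5432, "anonymous_login": False},
    {"org": "sub-a", "host": "198.51.100.6", "port": 21, "anonymous_login": True},
    {"org": "sub-b", "host": "198.51.100.20", "port": 22, "anonymous_login": False},
    {"org": "sub-c", "host": "198.51.100.30", "port": 445, "anonymous_login": False},
    {"org": "sub-c", "host": "198.51.100.31", "port": 27017, "anonymous_login": False},
]


def classify(record):
    """Map one record to (category, severity), or None when the port is not a
    risky class. Anonymous FTP is promoted to high: it serves files with no
    credential at all, which is the exposure the report's 50% figure counts."""
    entry = RISKY_SERVICES.get(record["port"])
    if entry is None:
        return None
    category, severity = entry
    if category == "ftp" and record.get("anonymous_login"):
        severity = "high"
    return category, severity


def severity_counts(records):
    """Count risky findings by severity across a set of records."""
    counts = Counter()
    for rec in records:
        hit = classify(rec)
        if hit:
            counts[hit[1]] += 1
    return counts


def share_with_category(records, category):
    """Fraction of organisations with at least one exposed service in
    `category`: the form the report's headline figures take."""
    orgs = {rec["org"] for rec in records}
    affected = set()
    for rec in records:
        hit = classify(rec)
        if hit and hit[0] == category:
            affected.add(rec["org"])
    return len(affected) / len(orgs) if orgs else 0.0


def acquisition_delta(records, parent, target):
    """Pre-acquisition check: which risky exposures `target` would add to
    `parent`'s perimeter, which service classes are new to the parent, and
    whether the deal worsens posture (any added high or critical finding)."""
    parent_categories = set()
    added = []
    for rec in records:
        hit = classify(rec)
        if not hit:
            continue
        if rec["org"] == parent:
            parent_categories.add(hit[0])
        elif rec["org"] == target:
            added.append((rec["host"], rec["port"], hit[0], hit[1]))
    new_categories = sorted({cat for _, _, cat, _ in added} - parent_categories)
    worsens = any(sev in ("high", "critical") for _, _, _, sev in added)
    return {"added": added, "new_categories": new_categories, "worsens_posture": worsens}


if __name__ == "__main__":
    print(dict(severity_counts(INVENTORY)))
    print(f"orgs with an exposed database: {share_with_category(INVENTORY, 'database'):.0%}")
    print(acquisition_delta(INVENTORY, "parent", "sub-c"))
```

Run against a real export, the same three functions give the continuous-monitoring view (severity counts and category shares over the whole estate) and the due-diligence view (the delta a target would bring), which is the check the report says should precede an acquisition rather than follow it.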

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.