Cybersecurity in Biotech: Why It’s a Must for Every Company


In the first quarter of 2024, the average organization faced 1,308 cyberattacks per week, an all-time high and a 28% increase over the last quarter of 2023. Healthcare was among the hardest-hit sectors, averaging more than 1,605 attacks per organization per week.

In particular, biotech companies have become profitable hunting grounds for hackers because they hold valuable data, including:

  • Intellectual property
  • Patient information 
  • Personally identifiable information 
  • Protected health information 
  • Genomic data
  • Confidential business data

A notable example is the ransomware attack against Enzo Biochem, a New York-based biosciences and diagnostics company, in April 2023. The breach exposed the clinical test data of nearly 2.5 million people to an unnamed ransomware group and forced the company to disconnect its systems from the internet and bring in outside incident responders to contain the intrusion.

But Enzo Biochem is not an isolated case.

In February 2024, the pharmaceutical distribution giant Cencora also disclosed a major data breach. In a regulatory filing, the company reported that attackers had exfiltrated data from its systems; its later notifications confirmed the stolen data included patient names, postal addresses, dates of birth and health diagnoses.

Following these and many more incidents, industry leaders are pushing biotech companies to adopt firm cybersecurity measures.

Today’s blog will explore the world of cybersecurity for biotech organizations. By reading, you’ll understand: 

  • Why criminals target these companies: Criminals often seek the high-value data that biotech companies need to operate, like personally identifiable information (“PII”), health insurance data and more. 
  • Common threats biotech companies face: An explanation of the different types of cyberattacks against startups in the biotech space. 
  • The consequences of cyberattacks: A rundown of the financial ramifications of cyber attacks against these organizations.

Why Criminals Target Biotech Companies

It all comes down to one thing—data. Every major breakthrough has relied heavily on data to drive innovation. Some key examples include:

  • Cellular modeling: Uses data to simulate the behavior of biological cells.
  • Disease therapeutics: Developing new treatments from datasets from clinical trials and genome research.
  • Improved diagnostic tests: Leveraging medical data to amplify the accuracy of diagnostic tests.
  • mRNA discoveries: Using data to accelerate vaccine development.

Below is a rundown of the information biotech firms house and why criminals hunt for it:

Health Insurance Information

Biotech companies collaborate with pharmaceutical firms to conduct clinical trials around the world. For example, Pfizer collaborated with the German biotechnology firm BioNTech to develop the COVID-19 vaccine.

When enrolling participants, these biotech companies must collect their healthcare insurance information to verify individual eligibility and manage participant reimbursement. Collected insurance records typically include the following:

  1. Insurance provider data 
  2. Participant policy numbers
  3. Coverage details 
  4. Authorization and pre-approval information
  5. Patient payment data
  6. Billing and coding details 

Without robust security controls, that information can quickly end up in the wrong hands, as it did at Enzo Biochem.

Why?

Criminals value health insurance data more highly than credit card numbers because it is “long-lasting”: a stolen card can be cancelled and reissued within days, but a policy number, a diagnosis history or a Social Security number cannot be rotated.

Once a victim’s insurance details are exposed, there is little they can do. Fraudulent claims filed in their name can corrupt their medical record, and most hospitals and insurers still lack clear processes for helping victims of medical identity fraud.

Personally Identifiable Information

Biotech companies are champions of personalized medicine, a modern approach poised to transform the healthcare system. It uses personally identifiable information (“PII”) to tailor medical treatment and prevention strategies to individuals’ characteristics, including their genes, lifestyle and environment. 

For context, PII is any data that can be used to identify an individual, on its own or combined with other data. It includes: 

  • Names
  • Social Security numbers
  • Addresses
  • Dates of birth
  • Digital identifiers such as IP addresses 

Such data is as important for biotech companies as it is for criminals, who can use it to commit identity theft, social engineering and account takeover, among other crimes.

Intellectual Property

It’s no secret that intellectual property (“IP”) is integral to the success of biotech companies: patents and trade secrets are what shield their inventions from “copycat” competition. The main forms of IP are: 

  • Patents
  • Trademarks 
  • Copyrights
  • Trade secrets 

This information is targeted for its high financial value, and the threat is not only external. AbbVie, a multi-billion-dollar biopharmaceutical company, sued a former employee for stealing trade secrets, alleging he bypassed its security controls to help his new employer, Alvotech, enter the U.S. market.

The complaint alleges that AbbVie’s controls flagged and blocked the former employee three times when he attempted to send proprietary information to his personal Gmail account. Only after he changed the subject line from “Useful Information” to “Keep in touch (AbbVie)” did the message get through. 

If a data loss prevention control can be bypassed by rewording a subject line, it is keying on the wrong signal. Controls that protect IP need to inspect what is actually leaving (message bodies, attachments, fingerprints of known-sensitive documents, classification markers) and where it is going (personal webmail, unknown external domains), not metadata the sender controls. 
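The contrast between a subject-line rule and a content-aware rule, as an added example that is not part of the original article and not AbbVie’s or any vendor’s actual tooling. The sample messages, the trade-secret document, the marker words and the webmail domain list are all constructed for the demonstration; a real deployment would take its fingerprints from a document-classification system.

```python
import hashlib
import re
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed for this example: a document already classified as a trade secret.
# In practice the fingerprint set is fed by a document-classification system.
SECRET_DOC = (
    b"CONFIDENTIAL - ExampleBio internal\n"
    b"Cell line expansion: feed schedule day 3/5/7, target VCD 4.2e6 cells/mL\n"
)
REGISTERED_FINGERPRINTS = {hashlib.sha256(SECRET_DOC).hexdigest()}
MARKERS = re.compile(r"\b(CONFIDENTIAL|TRADE SECRET|INTERNAL ONLY)\b")
PERSONAL_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
# The weak rule: a subject-line pattern the sender can simply reword.
BLOCKED_SUBJECTS = re.compile(r"useful information", re.IGNORECASE)


def outbound(subject: str, to: str, body: str, attachment: bytes) -> EmailMessage:
    """Build an outbound message the way a mail client would (sample data)."""
    msg = EmailMessage()
    msg["From"] = "employee@examplebio.com"   # hypothetical sender
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename="params.txt")
    return msg


def subject_rule(msg: EmailMessage) -> bool:
    """Metadata-only rule: blocks on the subject line and nothing else."""
    return bool(BLOCKED_SUBJECTS.search(msg["Subject"] or ""))


def content_rule(msg: EmailMessage) -> list:
    """Content-aware rule: inspect every part's bytes, then weigh the destination."""
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True) or b""   # decoded attachment/body bytes
        name = part.get_filename() or part.get_content_type()
        if hashlib.sha256(payload).hexdigest() in REGISTERED_FINGERPRINTS:
            findings.append(f"{name}: matches registered trade-secret fingerprint")
        hit = MARKERS.search(payload.decode("utf-8", "replace"))
        if hit:
            findings.append(f"{name}: carries classification marker '{hit.group(0)}'")
    recipients = [addr for _, addr in getaddresses(msg.get_all("To", []))]
    external = [a for a in recipients if a.rsplit("@", 1)[-1].lower() in PERSONAL_WEBMAIL]
    if findings and external:
        findings.append(f"sensitive content addressed to personal webmail: {', '.join(external)}")
    return findings


def should_block(msg: EmailMessage) -> bool:
    return bool(content_rule(msg))


if __name__ == "__main__":
    # Same attachment, same recipient, only the subject differs.
    first = outbound("Useful Information", "ho.personal@gmail.com", "fyi", SECRET_DOC)
    second = outbound("Keep in touch", "ho.personal@gmail.com", "Let's stay in contact", SECRET_DOC)
    for m in (first, second):
        print(m["Subject"], "| subject rule:", subject_rule(m), "| content rule:", content_rule(m))
```

The subject rule catches the first message and waves the second through; the content rule blocks both because the attachment’s hash and its “CONFIDENTIAL” marker are the same regardless of the subject, and the personal-webmail destination raises the severity further.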

Common Cybersecurity Threats Against the Biotech Industry


Below is a rundown of the most common cybersecurity risks biotech companies of the modern age face:

Phishing Attacks

Phishing is a simple but extremely effective social engineering technique in which an attacker tricks a victim into handing over credentials or sensitive information through fraudulent emails, text messages or calls. Here’s how a phishing attack typically unfolds: 

  1. A fake message: The perpetrator sends an email or text message purporting to come from a source you trust, such as your manager, a colleague or your bank. 
  2. Urgent request: The message pressures you to click a link or provide sensitive company information, such as passwords or financial data, right away.
  3. Fake website: The link leads to a look-alike malicious site that imitates the real one and asks you to enter your credentials or other sensitive data. 
  4. Stolen data: The attackers now hold credentials or information they can use for fraud, identity theft or further intrusion.
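The four steps above map onto signals a mail filter or an analyst can check mechanically: does the display name agree with the sending domain, is there pressure to act now, and does the link’s visible text agree with where it really points. The following is an added example, not code from the original article; the trusted domain `example-biotech.com`, both sample messages and the urgency wordlist are constructed, and the registrable-domain helper is deliberately crude (last two labels only).

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption for this example: the domains this organisation sends mail from.
TRUSTED_DOMAINS = {"example-biotech.com"}

URGENCY = re.compile(
    r"\b(urgent|immediately|within 24 hours|account will be (suspended|locked)|verify now)\b",
    re.IGNORECASE,
)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
URLISH = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?", re.IGNORECASE)


def registrable(host: str) -> str:
    """Crude registrable domain (last two labels); enough for the sample data."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: bytes) -> dict:
    """Score one RFC 5322 message on the signals from steps 1 to 3 above."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # Step 1: "from someone you trust". Compare the display name with the
    # domain that actually sent the message, and check any Reply-To.
    display, addr = parseaddr(str(msg.get("From", "")))
    sender = domain_of(addr)
    if sender not in TRUSTED_DOMAINS and any(
        td.split(".")[0] in display.lower() for td in TRUSTED_DOMAINS
    ):
        findings.append(f"display name '{display}' but sender domain '{sender}'")
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and domain_of(reply) != sender:
        findings.append(f"Reply-To goes to '{domain_of(reply)}', not the sender")

    # Step 2: pressure to act now.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if URGENCY.search(text):
        findings.append("urgent call to action")

    # Step 3: the link. Flag anchors whose visible text and real destination
    # disagree, and hosts that merely embed a trusted name as a subdomain.
    for href, label in ANCHOR.findall(text):
        host = urlparse(href).hostname or ""
        label = label.strip()
        if URLISH.fullmatch(label):
            label_host = urlparse(label if "://" in label else "https://" + label).hostname or ""
            if registrable(label_host) != registrable(host):
                findings.append(f"link text '{label}' actually points to '{host}'")
        if registrable(host) not in TRUSTED_DOMAINS and any(td in host for td in TRUSTED_DOMAINS):
            findings.append(f"lookalike host '{host}'")

    return {"findings": findings, "suspicious": len(findings) >= 2}


# Constructed sample: a credential-harvesting lure aimed at a researcher.
PHISH = b"""From: "Example-Biotech IT Support" <helpdesk@mail-secure-login.net>
To: researcher@example-biotech.com
Subject: Action required: password expires today
Content-Type: text/html; charset=utf-8

<p>Your account will be suspended within 24 hours unless you verify now.</p>
<p><a href="https://example-biotech.com.verify-login.net/sso">https://sso.example-biotech.com/login</a></p>
"""

# Constructed sample: routine internal mail that should pass.
LEGIT = b"""From: "Lab Ops" <labops@example-biotech.com>
To: researcher@example-biotech.com
Subject: Freezer maintenance window
Content-Type: text/plain; charset=utf-8

The -80C freezer in B2 will be serviced Thursday. Move samples per the SOP.
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, triage(raw))
```

Each finding on its own is weak (internal mail can be urgent, and marketing mail often uses tracking links), which is why the verdict requires two or more signals; a production filter would add authentication results (SPF, DKIM, DMARC) and reputation data on the link hosts.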

One of the most recent reports of a phishing attack against a biotechnology organization involves an undisclosed biotech startup falling victim to a phishing campaign in the early stages of clinical trials.

The attackers sent deceptive emails containing malicious links to the firm’s staff. When they clicked on the links, the perpetrators gained access to the company’s research database, putting its IP and other data at risk.

Ransomware

Ransomware attacks against biotech companies have been rising over the last few years. In simple terms, ransomware is malware that encrypts a company’s data and, increasingly, steals a copy of it first, so the attackers can demand payment both for the decryption key and for not publishing what they took (so-called double extortion).

The ransomware attack against Enzo Biochem is a prime example of how cybercrime can damage a company’s reputation and cause colossal financial losses. As of this writing, Enzo Biochem is facing a class-action lawsuit, Epstein v. Enzo Clinical Labs, Inc. and Laboratory Corporation of America Holdings, alleging that the company failed to employ adequate data security measures, leading to the April 2023 breach that affected millions of Americans.

Data Breaches

Given the value of biotech company data, hackers go to enormous lengths to gain illegal access through data breaches. Over the years, criminal groups have become more brazen in their attempts because of the high returns.

Cencora’s data breach of February 2024 is another example of the far-reaching consequences of such attacks. The firm, formerly known as AmerisourceBergen and with annual revenue above $250 billion, distributes for some of the biggest names in biopharma, including:

  • GlaxoSmithKline
  • Novartis
  • Bayer

Reports indicate that more than a dozen pharmaceutical companies, including the mentioned ones, had their data compromised in the breach.

Espionage Attacks

An espionage attack arises when an unauthorized party attempts to access sensitive company information, such as intellectual property, to gain a competitive advantage or financial benefit.

Biotech companies are also at risk of cyber-espionage, which surged during the COVID-19 pandemic. In 2020, several unnamed companies and research institutions involved in vaccine development were targeted by state-sponsored groups.

The Consequences of Cybersecurity Breaches for Biotech Companies

According to IBM’s Cost of a Data Breach 2023 Report, the healthcare industry incurs the highest data breach costs across all industries. In fact, in the past three years alone, the average cost of a data breach in the healthcare industry has grown by more than 53%, from USD 7.13 million in 2020 to USD 10.93 million in 2023. 

Cyberattacks also damage a biotech company’s reputation. When they come to light, these incidents attract a lot of media attention, eroding customer trust and leading to lost business. To put this into perspective, IBM Security has put the average cost of lost business following a breach at more than $1.52 million.

The Way Forward: Data Security for Biotech Companies

Biotech companies must wake up to a new reality: a stringent cybersecurity program is not a luxury but a necessity. With the age of AI upon us, cyberattacks will only get more sophisticated. Biotech companies must instill cybersecurity awareness among employees and foster a culture that values data security. 

Join us for our next blog, which will discuss techniques these companies can use to bolster their security. If you’re wondering about any of the issues discussed in this blog, contact us at (908) 540-6901 or [email protected]. We’re here to help. 

FAQ

What Are the First Steps a Biotech Company Can Take to Improve Its Cybersecurity Posture?

  • Conduct a comprehensive risk assessment: Inventory your assets and data, then assess where the weaknesses lie and which systems matter most. 
  • Develop a strong incident response plan: Establish a plan that details the steps for identifying, containing and recovering from cyberattacks, and rehearse it. 
  • Require multi-factor authentication: Require a second factor for every account that can reach sensitive data or systems, starting with email, remote access and administrative accounts, so that a phished password alone is not enough.
  • Update software and systems: Ensure that all operating systems and applications are kept current with the latest security patches. 
  • Encrypt sensitive information: Encrypt data at rest and in transit so that stolen disks, backups or intercepted traffic do not expose readable data. 
  • Train employees on cybersecurity best practices: Conduct regular training to ensure employees are informed of current threats, including AI-assisted phishing and social engineering, and know how to recognize and report suspicious activity. 
  • Back up critical information: Keep a regular backup schedule with copies stored offline or in a separate, isolated location, and test restores, since ransomware operators deliberately target backups they can reach. 

How Can Employees Be Trained to Identify and Avoid Phishing Attacks?

  • Conduct regular workshops: Teach employees about the different types of phishing attacks, like email phishing, “vishing” (voice phishing) and “smishing” (SMS phishing). 
  • Simulate phishing attacks: Conduct simulation campaigns mimicking real-world phishing attacks to give your employees hands-on experience identifying suspicious communications. 
  • Promote a culture of double-checking: Encourage your workers to contact the sender directly using a secure method to ascertain any unusual request. 
  • Foster a reporting culture: Make it easy for staff to report any suspected phishing attempts without fear of reprimand. 

What Regulations Are Relevant to Data Security in the Biotech Industry?

  • Health Insurance Portability and Accountability Act (“HIPAA”): HIPAA sets requirements for handling PHI in the U.S. It applies to covered entities and to the business associates that process PHI on their behalf, which is how many health care, life sciences and biotechnology companies come into scope. 
  • General Data Protection Regulation (“GDPR”): GDPR is a comprehensive privacy and security regulation that applies to any company processing the personal data of individuals in the EU, regardless of where the company is located. 
  • California Consumer Privacy Act (“CCPA”): CCPA governs the collection and processing of personal information of California residents. 
  • Food and Drug Administration (“FDA”) 21 CFR Part 11: This FDA regulation governs electronic records and electronic signatures in the U.S. life science industry. 
