Cybersecurity Challenges and Data Protection Strategies for Life Sciences and Other Tech Companies
“Data is the new oil,” a phrase coined by big data pioneer Clive Humby in 2006, rings truer today than ever.
As generative AI rapidly becomes the backbone of industries like life sciences and other technology sectors, the value of data has soared. Unfortunately, so have the risks associated with it.
Biotechnology and healthcare companies have become a hunting ground for hackers because of the vast amount of information these companies store and process. Take the case of the recent Change Healthcare attack, which American lawmakers described as “the most significant and consequential incident of its kind against the U.S. healthcare system in history.” Another example is the Cencora security breach, which affected eleven other major healthcare and pharma companies.
As cyberattacks intensify, it’s critical for life sciences and healthcare companies to rethink their cybersecurity practices. In this blog, we’ll explore how to protect your company in this evolving threat landscape.
The Current Cybersecurity Threat Landscape
Here’s a quick overview of the current cybersecurity landscape, according to Cybersecurity Ventures:
- If measured as a country, cybercrime would be the world’s third-largest economy after the U.S. and China.
- Cybercrime costs are expected to grow by 15% per year for the next five years, reaching $10.5 trillion by 2025.
- The majority of Americans should expect their data to have been stolen and posted on the dark web.
- The dark web is estimated to be 5,000 times larger than the surface internet.
Below are the most common forms of cyberattacks you should be aware of:
Social Engineering
Generative AI has made it easier for cybercriminals to carry out social engineering attacks, with 98% of threat actors using these techniques. Social engineering relies on manipulating victims psychologically to extract sensitive information. Here are quick facts about social engineering attacks in 2024:
- On average, American companies face more than 700 attacks annually.
- The average cost of a social engineering attack is more than $4 million.
- 90% of these attacks rely on the human element to gain illegal access to sensitive information.
A shocking example occurred in May 2024 when a deepfake scam targeted the CEO of WPP Group, the world’s largest advertising company. Hackers used AI-generated deepfakes to impersonate key executives, ultimately tricking the CEO into disclosing critical information.
Ransomware Attacks
Ransomware attacks have also gained significant notoriety in the past year. In these attacks, cybercriminals gain unauthorized access to a company’s computer systems or deploy malware that locks users out. They then demand a ransom to restore access. Here is how this cyberattack typically unfolds:
- Infection: The hacker uses multiple methods like phishing, malicious downloads or vulnerabilities in the system to install ransomware on the victim’s system.
- Encryption: The ransomware encrypts files and data on the infected system, making the device inoperable.
- Ransom demand: The victim then sees a message on the screen demanding payment (usually in cryptocurrency) in exchange for the decryption key to unlock the files.
- Deadline: The attacker sets a deadline, threatening to increase the ransom or delete the files if the victim does not pay.
- Payment or recovery: The victim may pay the ransom, which still doesn’t guarantee access to the files, or try to restore the system using backups or decryption tools.
According to a Chainalysis report, ransomware payments worldwide exceeded the $1 billion mark in 2023, despite a decline in 2022. A notable example is the February 2024 attack on Change Healthcare, a subsidiary of UnitedHealth Group. Hackers reportedly demanded $22 million to prevent the release of sensitive health data, impacting millions of Americans.
Data Breaches
A data breach occurs when hackers gain unauthorized access to sensitive information, such as personal or financial data, which is often sold on the dark web. In March 2024, AT&T disclosed a massive data breach that exposed millions of records. This data appeared on the dark web in early 2024, adding AT&T to the growing list of U.S. companies affected by serious data breaches.
Protecting Sensitive Data for Technology and Life Sciences Companies
So, how can technology and life sciences companies protect data in the evolving cyber threat landscape? Keep reading to find out:
Securing Data Consent
The first step to protecting data is getting explicit consent to collect personal details from consumers. This includes:
- Clinical trial data
- Consumer health information
- Insurance information
- Prescription information
These types of data require careful handling to ensure consumer privacy and security.
It’s not just about getting permission but also about ensuring compliance with data protection regulations in the United States and the European Union. A lack of valid user consent granting data access can lead to lawsuits and penalties from these authorities.
Establish a Robust Data Management System
Life sciences and other technology companies collect and store personal information pertaining to critical activities like R&D, clinical trials and more. It’s essential for these companies to establish a secure and efficient data management system to track and analyze important data.
Regulatory Compliance Obligations
With companies increasingly turning to cloud storage, there’s a need to comply with State, Federal and international privacy laws when collecting and storing sensitive data. Some of the regulations you should be aware of include:
- Health Insurance Portability and Accountability Act (“HIPAA”)
- Children’s Online Privacy Protection Act (“COPPA”)
- General Data Protection Regulation (“GDPR”)
It’s also important to note that data protection is subject to State-level regulations, such as the California Consumer Privacy Act (“CCPA”), which may vary as States move to ensure data security with the growing trend of cyberattacks against American healthcare companies.
Stay Informed
The cybersecurity landscape is ever-evolving. With the AI revolution in full force, cybercriminals are finding new ways to gain illegal access to company computing systems and steal whatever data is valuable, whether biometric data or other private records.
As such, the definition of data protection is changing; it’s no longer about relying on age-old practices. Today, savvy companies must keep up with evolving threats such as the rise of deepfake technology, which has taken social engineering attacks to the next level. By staying up to date, companies can devise modern practices to counter contemporary cybersecurity risks.
The Risk of Third-Party Exposure
Third-party vendors in the healthcare industry were responsible for ten of the biggest data security breaches in 2022. Recognizing that companies in this space often depend on a complex supply chain with third-party providers to render their services, it is important to extend rigorous data protection mechanisms to ensure data shared through these channels is secure.
The Importance of Legal Counsel for Data Protection
Data protection is essential to the growth and survival of any life science or technology company. Our attorneys at Crowley Law LLC help founders and business owners in this space devise strategies to increase data security and privacy. Contact Crowley Law LLC for strategic advice on ensuring compliant and efficient data protection for your life science and technology company.
FAQ
How Has Generative AI Increased Cybersecurity Risks?
- Advanced phishing attacks: Generative AI enables cybercriminals to create compelling phishing content like emails, messages, deepfake audio and videos.
- Malware and ransomware: Generative AI can create highly sophisticated malware that can evade detection mechanisms.
- Data breaches: Attackers can extract proprietary information stored within AI systems through sophisticated prompts.
Why Do Cybercriminals Particularly Target Life Sciences and Other Technology Companies?
- High-value data: Life sciences companies process sensitive information, including patient data, trade secrets, and research and development data.
- Technology vulnerabilities: As more life sciences and other technology companies rely on AI and other digital technologies, they become exposed to cybersecurity threats.
- Financial gain: Cybercriminals launch attacks against life science and biotech companies to extort money from these organizations.
- Supply chain vulnerability: Because these companies rely on a complex interconnected supply chain, compromising a single vendor can open access to a broader network of vulnerabilities.
What Are the Most Common Cyber Threats Facing Life Sciences and Other Technology Companies Today?
- Ransomware
- Phishing attacks
- Intellectual property (“IP”) Theft
- Insider threats
- Supply chain attacks
- Data breaches
- Advanced Persistent Threats (“APTs”)
- Distributed Denial of Service (“DDoS”) Attacks
- Social engineering