The cyberattack on another leading Indian pharmaceutical company, Lupin, within two weeks of a ransomware attack on Dr Reddy’s Laboratories, came as a sharp reminder for pharmaceutical companies to strengthen their digital infrastructure and tighten cybersecurity control measures.
Drugmaker Lupin has confirmed an information security incident that has affected its IT systems. The incident comes barely days after Dr Reddy’s Laboratories reported a cyberattack and isolated its data center services.
Dr. Reddy’s faced a major data breach in October which triggered a shutdown of its key facilities. The company experienced data breaches in servers in the UK, the US, India, Brazil, and Russia.
Afterward, the company released a statement saying that, in the wake of a detected cyberattack, it had isolated all data center services to implement preventative measures. Dr. Reddy’s anticipates all services to be up within 24 hours, and does not expect any major impact on operations due to the cyberattack.
Today, most Indian pharma manufacturers are increasingly focused on digitization, and hackers are trying to breach the firewalls of the healthcare industry. Pharmaceutical companies are prime targets for cyberattacks given the significance and prevalence of their intellectual property.
The consequences of a successful breach could be grave, including stolen IP, repeated clinical trials, contaminated drugs, physical damage and downtime, litigation, and lost revenue.
With increasing digitization, data breaches and cyberattacks are commonplace, with the pharmaceutical industry being one of the most impacted after healthcare, energy, and finance, according to a study by Ponemon Institute (a Michigan-based research institute dedicated to data privacy, protection, and information security policy) and IBM Security.
In June 2020, the CEO of Hackrew, Sai Krishna Kothapalli, was able to view, edit, and delete classified personal information of lakhs of patients all over India.
He further explained how this data could be exploited by attackers for various purposes, such as publishing individual names and images to the detriment of a person’s reputation, or connecting the data with other Darknet sources to make phishing attacks and social engineering even more effective.
‘In image-driven fields like politics or entertainment, knowledge about certain ailments faced by people from these fields could deal a huge blow to their image’, he added.
The healthcare industry also takes the longest amount of time to detect a breach and then contain the attack. IBM pegs the average time to around 329 days — that’s nearly a full year of data being exposed.
For example, Merck faced a major cyberattack in June 2017 that led to the disruption of its worldwide operations and sales losses of $260 million due to the nonfulfillment of orders, and it incurred incremental costs (including remediation costs) of $285 million in 2017.
Thus, pharma manufacturers need to invest further and strengthen cybersecurity systems to avoid or minimize operational disruptions and high costs of control, and to contain damages and any potential lawsuits or regulatory penalties.