The last post in our risk management series discussed the relationship between issues and risks—namely, that a quality issue can elevate an existing risk or serve as a harbinger of a new risk. When an issue occurs, it’s not enough to react to the problem – we also need to anticipate the ripple effects.
According to Caleb Barlow, CEO of CynergisTek, a cybersecurity consulting firm providing information assurance services for healthcare companies, the COVID-19 pandemic has actually increased the risk of a cyberattack for clinical trial sponsors and vendors. Barlow, who led the development of IBM’s X-Force Threat Intelligence organization prior to joining CynergisTek, described how cyberattacks have evolved over the last several years, and why we should be preparing for one.
Before 2019, Barlow said, cybercriminals mostly stole data in order to sell it. But in 2019, the business model changed: “They started realizing that they could get a lot more money if they were paid directly by their victims.” In other words, ransomware.
For a while, ransomware attacks, like the Eurofins incident in 2019, or the eRT attack a year later, were fairly predictable. The bad actors locked up the data, victims paid, data was unlocked –honor, even among thieves. But the coronavirus affected criminal and victim alike. “They needed to figure out how to work from home, just like we did. It’s not easy – they need to be really well-hidden, and that’s hard to do from your basement,” Barlow said. With economic contraction, “All their normal targets evaporated.” Their attention turned to healthcare, the industry literally critical to survival during the pandemic. Ransomware attacks on hospitals increased.
With the stakes high, both government and industry started to fight back. In advance of the US federal election, Microsoft obtained a court order to seize servers providing instructions to a large network of ransomware bots, known as Trickbot. At the same time, the US Treasury Department threatened ransom-paying victims with sanctions for violating international payment regulations.
The cybercriminals, as Barlow puts it, “took the gloves off.” On October 28, 2020, the UVM hospital system was hit with a ransomware attack. A month later, the New York Times reported that the organization was still struggling to restore parts of its network. This attack was more than an inconvenience – it had a “kinetic impact,” as Barlow says, delaying treatment and compromising care. Ransomware had evolved from a small-time grift to a sociopolitical weapon.
Barlow paints a frightening picture of cybercrime’s future. Predictably, criminals are drawn to COVID-19, with the vaccine supply chain being a particularly vulnerable area. Even a simple attack to lock up a dry ice manufacturer would be catastrophically disruptive. But the next frontier, he warns, is breaking trust in data. Imagine a hospital network breach, he posits; instead of stealing or locking up data, the criminals change it –altering a treatment regimen here, a blood type here, an allergy there--then demand a ransom to reveal what’s been changed. Even if the ransom were paid and the changes revealed, would you trust that data?
When asked whether clinical research was exposed to such an attack, Barlow said, “If you have an environment that is vulnerable, and data that is valuable, eventually someone will find it.” Consider a typical clinical trial: a half a dozen databases (clinical, safety, IRT, ePRO, central lab LIMS, and specialty labs); a dozen vendors (monitoring, data management, biostatistics, and labs); numerous data transfers; and another dozen data and document repositories, from validated Trial Master Files to shared drives without audit trails. “Any time you move the data from one environment to another, you’ve doubled the security risk,” Barlow cautioned. And COVID-19 has highlighted the value of clinical trial data to the world.
What should sponsors do in 2021 to mitigate the risk of a cyberattack?
The first step, Barlow says, is a security assessment of each party handling clinical trial data against a set of security standards. Such an assessment is similar to a qualification audit, but conducted by a cybersecurity expert, who then works with each party to remediate any weaknesses found.
A security validation is a more advanced method of assessment in which cybersecurity team drops a “series of inoculated attacks” into the clinical data ecosystem to test the responsiveness of various defenses. Once there is a “marquee breach,” Barlow expects that security validations will become standard for big pharma, who will rely on a select set of security-validated vendors to conduct business.
Another way to reduce risk is to reduce the volume of data by deleting obsolete data or archiving data that must be retained but is no longer used.
Sponsors should also reassess their business continuity plans—and their vendors’—from a cybersecurity perspective. Most organizations back up their data, and most business continuity plans bank on a48-hour window for restoration of a partial data loss, but how long would it take to restore five thousand machines from a backup solution if an entire network were locked? How would a sponsor process serious adverse events during this interval if its safety vendor were hit, or have PK samples analyzed if its specialty lab went down?
Ironically, the pandemic was the push that clinical research needed to relinquish its hold on paper records and manual processes. Now, our complete reliance on electronic solutions leaves us at the mercy of a cyberattack that would prevent their use. “Winter is coming,” Barlow said, quoting Game of Thrones. Now is the time to put “cyberattack” on the 2021 risk log and take proactive steps to protect our patients and our data.