Life Sciences organizations rely heavily on technology and data to drive their research, development, and operations. In the last few years, the Life Sciences industry has increasingly adopted Internet of Things (IoT) devices because they enable better research, development, and manufacturing monitoring and management. Across the industry, IoT devices offer various benefits for patients and organizations, including:

• Monitoring drug manufacturing processes
• Improving medical adherence
• Enhancing quality control 
• Optimizing supply chain logistics

As Life Sciences organizations continue to digitally transform their operations, they will add even more IoT devices to their technology stacks. According to estimates, the industry is expected to increase its data analytics expenditures by 27% CAGR by 2030, which can include IoT devices gathering the raw data. Further, according to company filings, data show that mentions of IoT increased by 8% in Q4 2023. As the industry continues to drive forward, the use of IoT will become critical to maintaining a competitive edge. 

The Life Sciences industry includes companies involved in pharmaceuticals, biologics, biotech, medical devices, and food processing. They manage critical sensitive data, including patient information, customer details, and intellectual property. As the industry increasingly digitizes processes, threat actors turn their attention to it. In 2021, Johnson & Johnson’s CISO explained that the company experienced 15.5 billion potential cyberattacks daily. While an organization may be able to thwart some attackers, the sheer number of attempts increases the likelihood that at least one will be successful – and expensive. According to IBM’s 2023 Cost of a Data Breach Report, the pharmaceutical vertical spends an average of $4.82 million on a data breach.

Cybercriminals Are Targeting the Life Sciences Industry

Whether seeking to steal intellectual property as part of corporate espionage or consumer data for financial gain, attackers want to find an organization’s weakest security link. They want to gain unauthorized access to their target as quickly as possible without being detected. The most notable breaches in the Life Sciences industry highlight the ease with which they can target connected systems to achieve their objectives. 

June 2022: Novartis

Although reports of the attack surfaced in June 2022, the data being sold by cybercriminal group Industrial Spy on its dark web extortion marketplace had timestamps with February of that year. The group claimed that the data was related to RNA and DNA-based drug technology and tests stolen from a manufacturing plant’s lab environment. While Novartis confirmed the breach, it stated that no sensitive data had been compromised.

February 2023: Merck

In 2017, Merck was part of the global NotPetya cyberattack that infected more than 40,000 computers in its global network. According to the company, the attack cost $1.4 billion. However, when the organization attempted to invoke its insurance policy, the insurer denied coverage arguing that NotPetya fell under the policy’s war exclusion since the Russian nation-state attackers were targeting Merck’s Ukrainian third-party accounting software vendor. 

In response to the denial, Merck filed a coverage litigation which lasted over five years. In May 2023, a New Jersey appellate court ruled in favor of Merck regarding $700 million of coverage. In January 2024, Merck finally ended its years-long and likely costly litigation by settling with the eight insurers for an undisclosed amount. 

Notably, the lawsuit sparked changes across the insurance industry that include changes to policy language specifically excluding coverage for state-sponsored cyberattacks and additional reviews of policyholder cybersecurity measures. 

March 2023: PharMerica

PharMerica operates over 2500 facilities and over 3100 pharmacy and healthcare programs across the United States. In March 2023, the ransomware group Money Message gained unauthorized access to sensitive patient information stored on systems owned by PharMerica and its parent company, BrightSpring Health Services. The compromised data included:

• Names
• Addresses
• Birth dates
• Social Security numbers
• Medical information, like diagnoses and medication
• Health insurance information

On June 9, 2023, plaintiffs filed a class action suit against PharMerica and BrightSpring. According to the allegations, “Money Message uploaded screencaps show[ing] part of patient-related tables with name, SSN, date of birth, Medicare number and Medicare number.” In short, the data stolen connected real-world people to their data, rather than simply providing a random, disorganized dataset. 

The lawsuit requests a trial by jury and requests various financial and legal outcomes, including actual damages, statutory damages, punitive damages, and reasonable attorneys’ fees, costs, and expenses. 

May 2023: Enzo Biochem

In May 2023, Enzo Biochem filed an 8-K report disclosing its April 6, 2023 ransomware attack. According to the filing, the company became aware that cybercriminals had gained unauthorized access to and/or stolen personally identifiable information (PII) that included:

• Names
• Test information
• Social Security numbers

Further, the filing explains that the clinical test information of over 2.4 million people was impacted and that 60,000 of those individuals also may have had their Social Security numbers impacted. 

On June 12, 2023, plaintiffs filed a class action lawsuit alleging that Enzo Biochem not only failed to protect information but it also failed to offer any remedial assistance such as free credit monitoring. The complaint additionally requests that Enzo Biochem:

• Pay actual and statutory damages
• Provide equitable relief, restitution, disgorgement, and statutory costs
• Purchase or provide funds for lifetime credit monitoring and identity theft insurance
• Pay class notification costs
• Pay reasonable attorney fees, costs, and expenses

November 2023: Postmeds DBA Truepill

On October 30, 2023, digital health startup, Postmeds, began mailing letters to people impacted by a cybersecurity incident that occurred between August 30, 2023 and September 1, 2023. The cybercriminals gained unauthorized access to a subset of tiles that the company used for pharmacy management and fulfillment services, containing PHI like:

• Patient names
• Medication type
• Demographic information
• Prescribing physician name

On November 7, plaintiffs filed a class action lawsuit in the US District Court for the Northern District of California. According to the complaint, the plaintiffs ask the court to require Postmeds to:

• Engage in third-party audits
• Segment data using, at minimum, firewalls and access controls
• Implement, maintain, regularly review, and review a threat management program. 
• Conduct SOC 2 Type 2 audits for 10 years
• Pay actual, compensatory, statutory, and punitive damages
• Pay statutory fines
• Pay attorneys’ fees, costs, and expert witness fees

How Asimily Helps Life Sciences Companies Mitigate Data Breach Costs

Although data breaches are a moment-in-time incident, they can have long-term reputations and financial outcomes. At a minimum, the organization needs to pay to recover from the incident and notify impacted parties. However, as filing class action lawsuits against breached companies becomes the norm, Life Sciences organizations need to consider everything from defense attorney fees to potential damages to long-term identity theft monitoring costs. Further, they should consider the increased scrutiny that insurance companies place on their security posture. Even with cyber liability policies, an organization can find that the insurer denies coverage due to negligent security practices. 

Asimily’s platform is designed to streamline IoT security. As organizations within the Life Sciences industry adopt more smart technologies and IoT devices, locking down traffic and being able to determine traffic sources or any unusual connections can be very powerful. 

Organizations within the Life Sciences industry can use Asimily’s Risk Simulation to assess options for mitigating the risk from a given vulnerability on a device. Simulating a fix before doing it can help you determine criticality and whether the weakness is even of interest to attackers before doing the work. That’s critical information when you’re deciding how to improve your security posture. For instance, you may find that certain devices or access controls are inadequate.

Asimily provides holistic context into an organization’s IoT environment when calculating impact- and likelihood-based risk scoring for devices. Our vulnerability scoring considers the compensating controls so you can more appropriately prioritize remediation activities for the riskiest devices.

Asimily customers efficiently identify high-risk vulnerabilities with our proprietary, patented algorithm that regularly cross-references vast amounts of data from resources like EPSS (Exploit Prediction Scoring System), Software Bills of Material (SBOMs), Common Vulnerability and Exposure (CVE) lists, the MITRE ATT&CK Framework, and NIST Guidelines. It understands your unique environment, so our deep contextual recommendation engine can provide real-time, actionable remediation steps to reduce risk and save time.

Asimily customers are 10x more efficient because the engine can pinpoint and prioritize the top 2% of problem devices that are High-Risk (High Likelihood of exploitation and High Impact if compromised). Unlike many offerings that don’t take into account the effort needed to handle identified issues, Asimily’s recommendations are as easy to execute as possible, from shutting down an unnecessary service to network enforcement solutions.

To learn more about Asimily, download our IoT Device Security in 2024: The High Cost of Doing Nothing whitepaper or contact us today.