Is There Also Attention to Security in the Biomedical Sector?

By Floris Baauw & Steven Debets

In January of this year, documents related to the Pfizer/BioNTech vaccine were published by hackers. These documents were obtained from the European Medicines Agency (EMA) while it was in the process of approving the Pfizer/BioNTech vaccine for the European market. Various media outlets subsequently claimed that a state actor was behind the hack. Whether it was a state actor, a hacking collective, or a lone wolf, it is interesting to note that hackers are increasingly targeting the medical sector.

Currently, a significant portion of hacks can be attributed to opportunism. There is a pandemic, and where there is panic, there is money to be made for hackers. Just look at the example we highlighted earlier this year of hospitals becoming targets of focused hacker attacks.

These examples reveal a larger existing problem in the medical and, specifically, the biomedical sector: there is insufficient focus on cybersecurity in the sector, which is problematic because data breaches can have significant consequences.

Cyberbiosecurity

Due to the interests present in the medical sector and the increasing frequency of attacks on this sector, a new security concept has been introduced recently: Cyberbiosecurity. What is it exactly?

Cyberbiosecurity is defined as:

"gaining insight into the vulnerability to unwanted access, intrusion, and malicious and harmful activities that may occur within or at the interfaces of interconnected systems of the biological sciences and the medical biological sciences, supply chain, and infrastructure systems. Cyberbiosecurity also focuses on developing and implementing measures to prevent, protect against, limit, investigate, and attribute such threats to safety, competitiveness, and resilience."

Targets of Opportunistic Hackers

Due to the current pandemic, attacks on the medical sector are more frequently covered by the media, but the medical sector has been a target of hackers for a long time. From a security, privacy, and financial perspective, it is crucial for the medical sector to protect its intellectual property and patient medical data.

Losing clinical research data on new drugs, for example, could let a competitor take your drug, costing you tens of millions in investments. On a more personal level, imagine personal medical data being stolen. What a hacker could do with it, such as identity theft or extortion, is almost terrifying.

An even scarier but not unthinkable scenario is when changes are inadvertently or intentionally made during the development process of synthetic DNA (e.g., medicines). This can alter the DNA code, with far-reaching consequences. It can render a drug ineffective or even harmful to those who receive it. It could also lead to the creation of a new (lethal) virus.

Lack of Urgency

Thus, Cyberbiosecurity seems even more critical than cybersecurity in other sectors. When things go wrong, it can have directly fatal consequences. However, many pharmaceutical companies do not fully invest in securing their sensitive data. Smaller drug developers, in particular, prefer to achieve results as quickly as possible to make money and often "forget" to secure their sensitive data.

Furthermore, legislation is largely lacking, even though legislation could compel organizations to take certain precautions in this area. Existing guidelines focus on a safe drug development process but do not approach it from a cybersecurity perspective.

What's Next?

Legislation and guidelines could help improve cyberbiosecurity in the medical sector. As a first step, we believe that there should be organized public-private discussions between biologists and cybersecurity specialists to determine what can be done better and how.
