Ryuk Incident Shines Spotlight on Medical Supply Chain Threats
Ransomware forced eResearchTechnology, a vendor of software used in vaccine clinical trials, to take its systems offline.
A recent ransomware attack on a provider of software used by firms involved with COVID-19 vaccine development and other drug clinical trials illustrates the increasing cyberthreats facing medical industry supply chain partners.
Philadelphia-based eResearchTechnology, which provides clinical trial oversight software to drug makers and testing firms, was recently hit by a variant of the Ryuk ransomware, the company confirmed to Information Security Media Group on Tuesday.
“On Sept. 20, ERT discovered a ransomware cyberattack,” ERT vice president of marketing strategy Drew Bustos tells ISMG. “As a precautionary measure, we took our systems offline as part of our standard response. ERT hired world-class, independent cybersecurity investigators to minimize risks, protect our customers’ data and remediate our systems. Based on our investigative findings to date, we have no reason to believe that any clinical source data was impacted.”
The company’s forensic investigation is continuing, Bustos says, declining to comment on any questions related to ransoms.
“We advised our customers to implement contingency measures while we experienced the systems off-line status,” he says.
One of eResearchTechnology’s customers – Danbury, Connecticut-based IQVIA, a global provider of advanced analytics and research services to the life sciences industry, including companies involved in COVID-19 vaccine development – tells ISMG that the ransomware incident “has had limited impact on our clinical trials operations.”
“Due to confidentiality obligations surrounding our clinical trial activities, we cannot disclose any specifics,” IQVIA states. “However, we can say that we implemented backup protocols immediately to ensure the continuity and integrity of several ongoing trials that use ERT, and we notified affected sponsors accordingly.
“The current technical issues affecting ERT have not infiltrated any IQVIA systems. At this point in the investigation, we are not aware of any confidential data or patient information related to our clinical trial activities that has been removed, compromised or stolen. IQVIA is not experiencing any similar cyber actions or issues related to any of its operations at this time.”
Among IQVIA’s clinical trial activities is a collaboration with AstraZeneca in the pharmaceutical company’s development of a potential coronavirus vaccine.
ERT’s technology and services have been used in 50% of all therapies approved by the Food and Drug Administration since 2013, the company notes on its website.
Other Ransomware Attacks
The ERT incident is one of many ransomware attacks that have been hitting healthcare organizations as well as vendors that serve them.
Blackbaud acknowledges it paid a ransom in exchange for hackers promising to destroy copies of stolen data. The incident has resulted in more than three dozen healthcare organizations reporting breaches affecting a combined total of nearly 10 million individuals.
“In recent weeks, there have been attacks on a mask manufacturer, a ventilator manufacturer, logistics and shipping companies as well as multiple other companies that play a direct or indirect role in the healthcare supply chain,” says Brett Callow, a threat analyst at security firm Emsisoft.
For instance, in August, ventilator maker Boyce Technologies Inc. was targeted by the DoppelPaymer ransomware gang.
Several hospitals and other healthcare providers, including Universal Health Services, have also been targeted.
And last month, a ransomware attack on a German hospital reportedly resulted in the death of an emergency patient who needed to be transported to another facility, which delayed treatment (see Ransomware Attack at Hospital Leads to Patient Death).
“This is an extremely serious problem which, as demonstrated by the recent case in Germany, can put lives at risk,” Callow says.
Supply Chain Worries
Ransomware or any data breach of a software supplier or other vendor “are both bad things that could result in the vendor facing compromised proprietary source code or a compromise of any of its support venues to the end consumer,” says Joseph Neumann, a director at security consultancy Coalfire.
“Attacks like these are common, but there has been an uptick in the medical world during COVID-19 due to companies’ willingness to pay out a ransom immediately,” he notes. “Even with ransoms paid, it is impossible to know whether the intruders are still inside the companies’ networks. These are criminals so their word is not exactly gospel.”
Ransomware attacks are a growing threat to both HIPAA covered entities and their business associates, says Roger Severino, director of the Department of Health and Human Services’ Office for Civil Rights.
“Hackers are getting much more sophisticated, and health information is a prime target for hacking. … And healthcare systems are willing to pay money to hackers to get their data back if it is victim to ransomware,” he told ISMG in a recent interview. “Providers really need to take these threats seriously.”
Bolstering security in the healthcare supply chain is critical, “but achieving that would probably require something similar to the Office of the Under Secretary of Defense for Acquisition and Sustainment Cybersecurity Maturity Model Certification program for the Defense Industrial Base sector,” Callow says. “Absent that, vendors have limited options to address risk within their supply chains and can only try to avoid putting all their eggs in one basket.”
A Continuing Problem
Meanwhile, the ransomware problem shows no signs of abating.
“In 2018, demands averaged $5,000 and the targets were mainly small businesses,” Callow says. “Today, demands average $200,000, with hospitals, governments and multinationals frequently being targeted. And the threat actors are better resourced and more motivated than ever.”
Some ransomware attacks are primarily designed to cause disruption.
“Hackers in many such incidents … are maniacal in the sense that they’re not doing it for money, but out of spite or for some political reason,” says retired FBI agent Jason G. Weiss, an attorney at Faegre Drinker Biddle & Reath.
Organizations must take precautions to protect their own systems and data as well as help safeguard their supply chain clients who depend upon their products and services.
All organizations need to practice important cyber measures, including “proper patching, configuration hardening, backups and penetration testing to examine defenses and holes in various systems,” Neumann says.
“Making sure you are patched and your EDR and .def files are current is a no-brainer,” says Carrie Whysall, director of managed security services at privacy and security consultancy CynergisTek.
“The piece of this puzzle that we often overlook is: What state is your cyber incident response in? When was the last table top or full test? … Do you have a forensic team or a vendor on retainer so they are ready to assist you should you need them?”
Before hiring a vendor, organizations must take critical steps, says Travis Sexson, senior security consultant at Pondurance.
“Risk-based assessments should be conducted during the onboarding stage and continue throughout the course of the vendor relationship,” he says. “Assessments should validate the vendor’s ongoing certification to applicable compliance standards, such as HIPAA, for securing protected health information. In addition, vendors with a mature security posture will typically have third-party vulnerability assessment and penetration testing reports readily available for their customers.”
If vendors have direct access to the organization’s network or sensitive data, vendor contracts should “clearly define acceptable use guidelines to accurately apportion liability in the event of a breach,” he adds.
“Also, security controls should be put in place that limit access and provide for the continuous monitoring and auditing of vendor activity. Multifactor authentication should be enforced for all network access or services accessed by the vendor.”