Cybersecurity challenges and solutions in the pharma industry

Augmedix is an American medical documentation company. Its product uses augmented reality (AR) devices to record conversations between doctors and patients, and from the recordings creates medical notes and enables other services.  

Since Augmedix’s offering involves the recording, transcription, storage, and distribution of personal medical information, security is critical. The company had some measures in place but wanted the ability to monitor its systems and respond to incidents in real-time. Trustwave provided a large team and frequent meetings for onboarding Augmedix onto the Trustwave’s Managed Detection & Response (MDR) product. After onboarding, monthly meetings continued in which Augmedix’s security status was reviewed and any appropriate action discussed.

DeepMind Technologies is a UK-based AI company that applies neural networks and AI to sectors such as video gaming and healthcare. The company made headlines in 2016 after its AlphaGo program beat the human Go world champion. The health branch of the company has begun to apply AI to improve healthcare, from developing prognostic tools for diseases that lead to blindness to developing the application Streams, which provides nurses and doctors with alerts and information regarding patients’ medical records in real-time.  

DeepMind’s technology has been attributed to alerting clinicians to acute kidney injury sooner, potentially reducing costs for the NHS (savings estimated to average GBP2,000 [$2,574] per patient) and saving time for clinicians (reported to save two hours a day). Clearly, this type of technology applied to healthcare provides a wealth of opportunities to improve outcomes and save resources.  

As part of Google’s ever-increasing move into the health space, Google acquired DeepMind Technologies in 2014, with the healthcare arm of the company and the Streams app remaining independent. However, in November 2018, Google announced that it was to absorb the healthcare arm of DeepMind, sparking patient data privacy concerns and worries that patient data could be leveraged by Google for financial gain.  

Patient data privacy concerns began in 2016 when the Royal Free London NHS Foundation Trust was found to be providing DeepMind with data on its patients without appropriate consent during the development of Streams, with the Information Commissioner’s Office (ICO) deeming this deal to have broken the Data Protection Act, triggering a public outcry. In response, DeepMind’s co-founder Mustafa Suleyman pledged that “at no stage will patient data ever be linked or associated with Google accounts, products or services” and continued to make deals with various NHS Trusts for the Streams application.  

In attempts to gain trust, DeepMind began publishing contracts with NHS trusts, in a bid to provide some transparency on how patient data were being used. In addition, DeepMind established an independent review panel of academic and data governance experts who were responsible for monitoring medical data use.  

Blame fell on the NHS’s cybersecurity awareness when it was found that, though the data was supposed to be anonymised, many doctor and patient information was left in the files.  

However, after taking over, Google has disbanded this review panel and has not followed suit in publishing details of the contracts that it has renewed with various NHS Trusts for the use of Streams. The takeover also seems to directly contradict previous statements from Suleyman, leading to privacy advocates such as Julia Powles deeming the takeover as “trust demolition.” In addition, the coordinator of healthcare privacy advocacy group MedConfidential has suggested that if any NHS bodies sign contracts to share large amounts of patient medical history, the patients and public need to know that any data use is “fully consensual, safe, and transparent.”  

However, patient consent was not sought in 2016 when DeepMind first acquired patient data from Royal Free, nor has it been received or considered in this latest takeover, with contracts and patient data being transferred to Google after the takeover.  

This case study illustrates the current controversy around patient medical data and how it will be used as big tech companies increasingly enter the healthcare sector. Technology can undoubtedly improve patient care (hence the success of the Streams app), but with improving technology comes greater privacy risks. How data are used and how they are protected will remain an issue in the future, while there is much to be desired regarding patient consent, transparency, and safety.  

In May 2022 it was revealed that Google and DeepMind will face a class-action lawsuit for using the confidential data of 1.6 million patients unlawfully. The suit very closely resembles another filed against Google and the University of Chicago Medical Centre, accusing them of sharing and using confidential, identifiable patient and employee information, in violation of the HIPAA.

TriMedx provides clinical asset management solutions for healthcare providers.  

In July 2020, TriMedx and Medigate joined forces to provide real-time visibility into connected medical devices and to provide a service capable of managing the full lifecycle of a health system’s clinical assets. Medigate’s platform constantly reviews network activity and quickly identifies anomalies that are escalated for review, using a proprietary algorithm. In turn, a dedicated team of TriMedx clinical engineering cyber specialists proactively searches for known vulnerabilities, monitors supplier responses to known risks, and applies approved patches. This managed security service for connected medical devices represents a fundamental shift from a manual process of capturing data, to automatic, real-time cybersecurity monitoring of connected devices across clinical networks.  

In February 2020, TriMedx also partnered with the cybersecurity education and workforce development company CyberVista to launch a comprehensive cybersecurity training program, the CE Cyber Academy, specifically designed to address the ever-growing threat of cyberattacks on connected medical devices.  

The CE Cyber Academy is a next-generation training and certification program that enhances TriMedx’s 3,100+ nationwide associates with vital skills that many health systems struggle to source in the face of unprecedented demand for cybersecurity expertise. CyberVista aims to create a cyber-ready workforce through personalized training programs that provide organizations with the people, knowledge, and skills required to defend their most critical assets.

Fresenius is a German healthcare company that provides medical equipment globally and is Europe’s largest private hospital operator. It comprises four independent businesses: a major provider of dialysis products and services; a private hospital operator; a pharmaceutical drug and medical device provider; and a provider of healthcare project management services.  

On May 4, 2020, Fresenius suffered a cyberattack. Attackers used a new ransomware strain known as Snake, which was first detected in early 2020 and had been successfully used in attacks on several high-profile companies, including Honda and Enel Argentina. Snake heralded a new stage of ransomware; it stole the data before encrypting it so that it could threaten not only to erase but to publish the data should the ransom go unpaid. The attack reportedly affected every part of the company’s operations. Fresenius confirmed that patient data from some of its dialysis centers in Serbia had been leaked. Medical data and personally identifiable information including first and last names, gender, birth date, nationality, profession, postal address, phone number, and next of kin data were made available online.  

The Snake attack was not the first Fresenius suffered. According to Immuniweb, Fresenius had already paid a seven-digit ransom in the past to recover from a similar attack. It is possible that cybercriminals re-targeted Fresenius in the hope that they would pay the ransom as they reputedly had in the past. Capitulation to one ransom can encourage the next.

In 2017, a Russian malware attack disabled 30,000 of Merck & Co’s computers and stopped its operations for two weeks. Merck estimates the damages at $1.4b. NotPetya, the malware employed in the attack, penetrated Microsoft systems that had not installed a security patch. 

The damages included a loss of approximately $260m in global drug sales in 2017, as Merck was unable to fulfill orders for products in certain markets. Expenses related to manufacturing and remediation efforts totaled $285m in 2017. In addition, 2018 drug sales were negatively impacted by approximately $200m due to a residual backlog of drug orders.  

Additionally, Merck was unable to meet the demand for Gardasil 9, a vaccine against the human papilloma virus, due to the temporary production shutdown and borrowed Gardasil 9 from the US Center for Disease Control and Prevention’s (CDC’s) Pediatric Vaccine Stockpile. Merck replenished a portion of the borrowed doses in 2017, costing the company $125m.  

Merck’s cyberinsurer, Ace American, refused to cover the breach on the grounds that the attack was part of an ‘Act of War’ (the malware was created by the Russian Military in 2017 to target Ukraine.). Merck sued Ace American, and the New Jersey Superior Court ruled in Merck’s favor in December 2021. The company received a $1.4b payout. Many healthcare insurers have consequently updated their clauses around cyberattacks and acts of war.

The May 2017 WannaCry ransomware infected over 250,000 computers in 150 countries. The UK’s NHS was one of the highest-profile victims. About 1% of NHS activity was directly affected. 80 hospitals and 595 general practices in England and Scotland were compromised, and 19,000 appointments were cancelled.  

A report published by the government estimates that the cyberattack cost the NHS a total of GBP92m ($118.7m), including GBP19m($24.5m) in lost productivity, and GBP73m($94.2m) in IT costs such as restoring systems and data. The exploit by which the malware entered devices worked even on the latest version of the then still-supported Windows 7 operating system.  

The NHS’s lack of preparation for attacks worsened the damage; it was unknown who within the organisation was to lead the response or how they should do so. In a test nine months later, NHS digital revealed that none of the 200 NHS trusts examined passed a cybersecurity vulnerability test. The majority of the failures came from a lack of patching. However, no patient data was compromised during the attack.  

In a move to increase cybersecurity efforts in the wake of the WannaCry attack, NHS Digital announced the formation of the Security Operations Centre (SOC) in November 2017. This includes a monitoring service that analyses intelligence and shares guidance, advice, threat intelligence, on-site data security assessments to identify any potential weaknesses for NHS organisations, and support for any NHS organisation that may have been affected by a cybersecurity attack.