May 12, 2020

Covid-19 makes pharma a target for insider threats

The pharmaceutical industry has become the highest target for data breaches and unfortunately, it is taking nearly a year to detect and contain breaches.




The pharmaceutical industry has become the highest target for data breaches and unfortunately, it is taking nearly a year to detect and contain breaches. The cost of a data breach for pharma is among the highest of any industry vertical: IBM’s 2018 Cost of a Data Breach report puts post-breach notification costs alone, incurred after the event, at an average of $740,000. The pharmaceutical industry currently holds some of the most valuable intellectual property anywhere. The race for drugs and vaccines related to COVID-19 is making data from these efforts one of the most attractive targets within a pharmaceutical company.

Pharma faces a multi-tiered problem with breaches. Exfiltrated data often includes both trade secrets and clinical trial data. While the former is a loss of the company’s trade secrets, the latter is a privacy and compliance risk because it may contain PHI, so HIPAA, CCPA, and GDPR come into play.

Complicating matters, securing pharmaceutical data is not just about keeping it inside the company; it is often about secure collaboration with third parties, and many pharmaceutical companies are collaborating more than before because of COVID-19. Securing PHI pertaining to clinical trials is a constant challenge. Companies need to ensure that only authorized employees have access to PHI and its derivatives. Initially the data can be imported into an AWS S3 bucket or Amazon Redshift, where RBAC can be used to secure and audit access; the challenge becomes how to secure all the derivatives of this data once it leaves the cloud data warehouse and starts proliferating inside the company.


One challenge is that in the pharma industry most employees look like dedicated employees: they are committed to their areas of specialty and have longer tenure at a single company than in other sectors. Unfortunately, this makes malicious insiders much harder to detect. Some dangerous employees continuously gather potentially useful IP. Others may leak smaller but more frequent packets of data at varying intervals over long periods of time. But now, with the value of pharma data at an all-time high, most insiders are likely to be active and to leave a data trail. Detecting such scenarios requires constant, careful monitoring.


However, monitoring is easier said than done because pharma IP is hard to track and classify. Pattern matching is pretty much out of the question. In theory, one could ask employees to apply a classification and then track that classification, but the employee remains the weakest link. Moreover, enforcing the classification on derivatives of the data is often not possible because of the variety of data formats involved and the applications that process the data. Classification would require an understanding of the critical applications associated with the data. This is particularly important for unstructured data, which often ends up being uploaded to internal collaboration platforms that give insiders an opportunity to exfiltrate it undetected.


Identifying suspicious behavior among the set of users with access to sensitive data by deploying traditional UEBA (user and entity behavior analytics) may yield some results in this scenario. But UEBA results are still hard to interpret. How do you configure what an anomaly is? How do you define a role for each individual who accesses particular types of data? How do you deal with anomalies now that more people are working from home? How do you understand each user’s behavior on data derivatives? How do you determine that an employee pasting a text snippet into WhatsApp or copying some files to a USB stick is an exfiltration if you cannot tell whether that data is derived from sensitive data? Right now, more than ever, there is no normal, so security teams struggle to establish baselines for normal employee behavior.


These are important questions to ask of any program or solution that claims to help with the challenge of getting back in control of the most sensitive data. Here are some suggestions on where to start:


The activity that will yield the highest ROI is tracking the entire data lifecycle. Identify where the critical data (e.g., research related to the COVID-19 vaccine) is initially stored and track every derivative of that data. Ideally, there is some way to differentiate which data must remain inside the company and which may be shared only with the few third-party healthcare companies involved in clinical trials.

Consider a data monitoring and security program dedicated to this data, and put quick measures in place to focus on that data, track who is accessing it, and make sure that you are in full control of where it is sent outside the company. A new approach is necessary. UEBA focuses on the user; increasingly, it is imperative that organizations focus on the data. Cyberhaven’s customers Motorola and DARPA have seen results in protecting sensitive data with data-centric UEBA – Data Behavior Analysis (DaBA). By following the data and tracking its lifecycle, user behaviors that put data at risk are much easier to identify.


Focus on insider threats to high-value datasets. Looking at all the datasets inside the company is overwhelming and will send you on a wild goose chase (such as monitoring actual cat pictures uploaded to Facebook). Focus on identifying the high-value datasets and then prioritize monitoring each of them. Be prepared to configure alerting policies for each high-risk dataset: not all datasets have the same risk profile. For instance, some could be uploaded to AWS S3 for legitimate reasons, others absolutely not.


Monitor how sensitive data is getting onto removable media such as USB drives. To this day, this remains one of the most effective ways to exfiltrate data. You would be surprised how many companies do not block removable media under the guise of trusting employees. If you do not block removable media, you should at least be monitoring what type of data is being placed on it, by whom, and for what reason.
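As an added illustration of following the data rather than the user (example code written for this edit, not Cyberhaven’s product or its DaBA implementation), the tracker below labels files at their source location and carries that label through every copy, so a USB copy of a renamed derivative is still recognised as egress of the COVID dataset while an unrelated file on the same USB stick raises nothing. The dataset names, paths, channels and audit events are constructed.

```python
# Added example (not Cyberhaven's code): propagate a dataset label from its
# source location through derivative files and flag egress a policy forbids.
# Dataset names, paths, channels and events below are constructed.
POLICIES = {  # channels each dataset's derivatives may legitimately leave by
    "covid-vaccine-research": {"internal_share"},
    "clinical-trial-phi": {"internal_share", "partner_sftp"},
}
SOURCES = {  # where each dataset initially lands (S3 bucket / Redshift export)
    "s3://pharma-research/covid/": "covid-vaccine-research",
    "redshift://trials/phi/": "clinical-trial-phi",
}
EVENTS = [  # (user, action, source, destination) endpoint/cloud audit events
    ("alice", "download", "s3://pharma-research/covid/results.csv", "/home/alice/results.csv"),
    ("alice", "copy", "/home/alice/results.csv", "/home/alice/summary.xlsx"),
    ("alice", "copy", "/home/alice/summary.xlsx", "usb:/E/summary.xlsx"),
    ("bob", "download", "redshift://trials/phi/export.csv", "/home/bob/export.csv"),
    ("bob", "upload", "/home/bob/export.csv", "partner_sftp"),
    ("carol", "copy", "/home/carol/cats.jpg", "usb:/E/cats.jpg"),
]

def dataset_of(path):
    """Map a source path back to the sensitive dataset it belongs to, if any."""
    for prefix, name in SOURCES.items():
        if path.startswith(prefix):
            return name
    return None

def egress_channel(dest):
    """Classify a destination as an egress channel; None means a local file."""
    if dest.startswith("usb:"):
        return "removable_media"
    if dest in ("partner_sftp", "internal_share", "whatsapp"):
        return dest
    return None

def analyze(events):
    """Return (user, dataset, channel, dest) alerts for policy-violating egress
    of any file derived, through any number of copies, from a sensitive source."""
    lineage = {}  # local path -> dataset label inherited from its source
    alerts = []
    for user, _action, src, dest in events:
        label = dataset_of(src) or lineage.get(src)
        if label is None:
            continue  # carol's cat picture: no sensitive lineage, no alert
        channel = egress_channel(dest)
        if channel is None:
            lineage[dest] = label  # derivative keeps the source's label
        elif channel not in POLICIES[label]:
            alerts.append((user, label, channel, dest))
    return alerts
```

Bob’s upload of the PHI export to the partner SFTP produces no alert because that dataset’s policy permits the channel; the same upload of the COVID derivative would.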


Implement third-party risk assessments often. An unbiased eye looking at the high-value data will likely reveal surprises. Moreover, demand this from all the third parties that handle your sensitive data, and make sure that the third party does provide an audit trail. I really mean "does" and not "can": it is important to demand proof of compliance and not allow the third party to simply check the box through paperwork.


It’s not sufficient to measure risk to sensitive data once per year or even once per quarter. I’d argue that this needs to be a continuous activity, and the ability to react to risk indicators weekly or even daily matters a great deal for responding quickly to incidents.


Isolate IP from public-facing systems as much as possible. Very often, mass exfiltration of sensitive data is the result of a misconfigured database left wide open for everyone on the Internet and configured with weak or even default credentials.

For more information on how to protect against insider threats, I recommend an insightful webinar on best practices for building an insider threat program with the CISO of Blue Cross and Blue Shield of Kansas City and the former CISO of Mailchimp.
