ERT, a medical technology company that sells software used in clinical trials, was hit with a ransomware attack in September, raising concerns about attacks on COVID-19 vaccine development efforts.
Some cybersecurity experts said the attack on ERT appears to be more motivated by money than by disruption, but others said the incident illustrates the threat to vaccine makers. Reportedly among ERT’s customers are IQVIA, a contract research organization helping to manage AstraZeneca’s COVID-19 vaccine trial, and Bristol Myers Squibb, a pharmaceutical company working on a rapid test for the coronavirus.
So far, there’s no indication that the attack is related to COVID-19 vaccine trials, said Axel Wirth, chief security strategist at medical device cybersecurity firm MedCrypt. ERT is “involved in a spectrum of different trials,” making it unlikely that attackers were targeting COVID-19 trials, he told the Washington Examiner.
The healthcare industry is an attractive target for cybercriminals because of the perception that organizations have fewer defenses than some other sectors, he added. “The need to serve patients [or] meet clinical needs often means there is added pressure to restore operations, resulting in a willingness to pay the ransom and likely higher payouts,” he said.
Wirth noted, however, that the U.K. National Cyber Security Centre has accused Russian hacking groups of targeting COVID-19 vaccine trials, and U.S. agencies have accused Chinese hackers of the same thing.
ERT discovered the ransomware attack on Sept. 20. The company took its systems offline for a few days as a “precautionary measure,” said Drew Bustos, the company’s vice president for marketing strategy. ERT believes the attack was a standard ransomware scheme, he told the Washington Examiner.
“ERT hired world-class, independent cybersecurity investigators to minimize risks, protect our customers’ data, and remediate our systems,” he added. “Based on our investigative findings to date, we have no reason to believe that any clinical source data was impacted.”
Attacks on drug trials are a trend, but the bulk of those attacks aren’t ransomware, added Melody Kaufmann, a cybersecurity specialist at Saviynt, a provider of secure identity and access products. In most cases, the target is the personally identifiable information collected in the trials, she told the Washington Examiner.
Keeping that personal information “out of the hands of malicious actors is not only a mandate of the organization hosting the trial but an imperative for companies that want volunteers to keep signing up for future trials,” Kaufmann added.
Beyond protecting patient information, research organizations running drug trials need to back up their testing data frequently, she added. “Even if ERT paid the ransom, there is no guarantee the data would be returned,” she said. “Lost research data is not only painful in terms of financial impact but can stunt a research company’s long-term growth and give competitors an edge.”
With little public information about the recent attack, the attackers’ motivations may never be disclosed, said Greg Scott, a cybersecurity professional and senior technical account manager at Red Hat.
“The public may never know,” he told the Washington Examiner. “This is a shame because nobody learns when nobody shares information.”
But ransomware has become a standard attack, and “nobody should be surprised that a COVID-19 trial is a victim,” he added.
Drug trials have similar vulnerabilities as many other companies, Scott added. “There are plenty of things to watch out for in addition to ransomware,” he said. “Instead of scrambling information, attackers may try to steal it and resell it or use it for extortion. Or attackers might modify it to, say, change the results of experiments and invalidate the data. Only the attackers’ imaginations limit the possibilities.”
