Network Security, Risk Assessments/Management

Most pharma companies actively expose data via databases, remote access points

A new report raises some serious security concerns for the pharmaceutical sector, with most exposing data through vulnerable databases and access points. (Credit: Eyad Elbayoumi is licensed with CC BY 2.0. To view a copy of this license, visit )

The vast majority of global pharmaceutical companies are inadvertently exposing information through a number of vulnerabilities, including remote access platforms, unsecured databases, and even the network perimeter, highlighting the risks posed by the accelerated digitization of the pharma sector, according to a recent report form Reposify.

Nearly all (92%) of pharma entities had at least one exposed database that could potentially be leaking data, while a whopping 99% of these entities had at least one remote access platform exposed to the internet.

Another 77% were operating with an exposed remote desktop protocol (RDP) service and 46% were employing an exposed Server Message Block (SMB) service. And more than half (69%) of the exposed services discovered by researchers were classified as part of the unofficial network perimeter.

Exposed SMB services have led to some of the more notorious attacks, including WannaCry, NotPetya, and a host of others. To prevent successful exploits, access to SMBs from outside the enterprise network must be prohibited.

Much like the health care sector, the national pandemic response led to many swift deployments of technologies designed to support providers, clinicians, and other entities with COVID-19 treatments, vaccines, and overall patient care. The “rush to scale and digitize” further expanded the pharma sector’s digital footprints, thus creating “new blind spots where attackers could and did easily break in to access confidential, highly sensitive data.”

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency warned early in the response that threat actors were leveraging password spraying campaigns tied to the coronavirus, specifically targeting pharma companies, research firms, and other health care entities involved in the COVID-19 response.

A number of pharma and research firms reported falling victim to attackers last year, including the European Medicines Agency, which led to a breach of Pfizer and BioNtech COVID-19 vaccine data. In total, data show 53% of pharmaceuticals or biotech companies experienced a high rate of security incidents during the last year.

To assess the impact of these rapid deployments and the rise in attacks, Reposify analyzed data gathered from its external attack surface management platform during a two-week period in March 2021.

Researchers aimed to determine the cyber posture of the pharmaceutical sector, including common exposures of popular services and platforms and other security issues across 18 leading pharma companies and over 900 connected subsidiaries.

The results for many of the examined pharmaceutical companies were alarming. Of all the exposed remote services in the pharma sector, OpenSSH was found to be the least secured with 99% of these companies leveraging the tool with unpatched vulnerabilities.

Notably, MySQL was found to be the least secured in the pharma sector with 92% of these services vulnerable to attack. RDP was the second most vulnerable with 77% found to be exposed, followed by Postgre SQL at 69%.

The concern is that ransomware threat actors have historically targeted vulnerable RDP in their attacks. Reposify researchers reminded entities that RDPs should always be used behind a secured virtual private network (VPN).

In addition to the majority of these entities exposing data through remote services, 92% of pharmaceutical back offices and 92% databases were exposed. Other exposures included 62% of network assets, 54% of audio and video systems, 54% of dev tools, and 54% of storage and backups.

The most commonly exposed storage and backup platform was found to be File Transfer Protocol (FTP) with 50% of pharma companies leveraging vulnerable FTPs that were either not place behind a VPN or were set up incorrectly and lacked a requirement for credential verification.

Further, as development tools may contain sensitive data like source code, unprotected advance programming interface (API) endpoints, and business analytics, it’s critical for entities to ensure these endpoints have been properly configured.

“When left exposed to the internet, not only can this information easily leak, but hackers can leverage these exposures as an entry point into companies’ internal networks,” researchers warned. “The exposure of development tools also increases the probability of a supply chain attack, as malicious code can be added to an otherwise legitimate application, such as SolarWinds.”

Another 54% had at least one misconfigured development tool and 46% had at least one content management system (CMS) exposed to the internet.

Reposify also examined overall awareness in terms of these exposures and found 46% of the vulnerable network assets discovered by the researchers were located under unofficial IP addresses.

Content delivery network (CDN) vulnerabilities were most likely to fall under the radar with 86% found in the unofficial network perimeter, which means less likely to be known to the security team and represent Shadow IT. Almost half (46%) of network assets were found in the unofficial perimeter, and 40% of dev tools.

Fortunately, of all security issues discovered, 72% were considered low risk. But 15% were classified as critical, 7% were high-risk, and 6% were medium risk. The median number of high-severity risks for each company was 269, while the median of critical vulnerabilities per company was 125. These risks were tied to vulnerable software (38%), improper access controls (33%), and potential DDoS (23%), among others.

As the average cost of a data breach in the pharma sector was $5.06 million in 2020, closing these security gaps will be critical moving forward. To accomplish this, entities must obtain a clear view of all assets, access points, and communication flows within their environment, as well as mapping and a risk analysis of the external attack service to reveal the weakest points, potential exposures, and any vulnerabilities.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.