Hack Attack: Biopharma Cyber Chiefs Fight Back

The threat of cyberattacks on biopharma’s extensive information assets is moving to the top of the list of business risks confronting senior C-suite management. In Vivo’s roundtable panel of leading biopharma CISOs reviews what to do and what it will take to convince others in senior management to buy into a challenge that still remains largely below the surface.

• Cyberattacks have the potential to do real harm to both biopharma company competitiveness and the integrity of relationships with key stakeholders, ranging from key customers and suppliers to the patient.
• The role of the Chief Information Security Officer is transforming to meet the threat, but the relentless growth of new technologies requires industry to mount a better offense.
• So what? To better confront cyberattacks, CISOs want more information-sharing among companies, a broad initiative around cyber education and a willingness to apply unconventional tools and tactics to beat cyber criminals at their own game. Both necessitate a cultural shift in biopharma from treating all kinds of information as a closely held competitive asset.

As an information-rich industry, biopharma faces a growing threat to the integrity of the data it holds on patients, products and research. The threat stems from a disruptive new wave of tech-inspired cyberattacks originating from unfriendly governments; organized crime syndicates; opportunistic, networked groups and individuals, sometimes from within the company itself; and anti-business “hacktivists” with political or policy grievances. Last month’s WannaCry ransomed malware attack on major businesses and public institutions in 150 countries – including the UK National Health Service – demonstrates the growing technological sophistication and geographic reach of this emerging, still murky community of cyber rogues. (Also see "WannaCry Cybersecurity Alert Shows Medtech Software Must Look Beyond Quick Fixes" - In Vivo, 18 May, 2017.)

WannaCry and other, less publicized breaches of industry data defenses have focused attention on a relatively new member of the biopharma C-suite: the Chief Information Security Officer (CISO). Long a mainstay in historically vulnerable sectors like banking and finance, the CISO post in biopharma is evolving from a technical, “check the box” compliance-oriented function to one that is strategic and integrated, managing sensitive data issues across the commercial base to support business performance and deliver value to shareholders. More important, the biopharma CISO is leading the transition to an enterprise-wide approach to evaluating and controlling exposure to risk.

On May 11, in conjunction with the NH-ISAC 2017 Spring Summit in Orlando, FL, a meeting of cyber security professionals, In Vivo convened a Roundtable discussion to explore the strategic, operational and policy issues involved in this area with CISOs from four companies in the health and biopharma industries, as well as experts from the professional services and industry association fields. The group sheds some useful light on key unresolved challenges facing today’s CISO:

1. The need for more collaboration among companies and government to confront cyber criminals on their own turf, applying unconventional tactics to match the invaders’ element of surprise;
2. Addressing a significant talent shortage of cyber professionals;
3. Shrinking the exposed “attack surface” in health care, which is arguably the largest of any industry;
4. Getting ahead of the biggest looming threat of all – the explosive growth in the Internet of Things (IoT).

From a few fad gadgets less than a decade ago, the IoT is predicted by 2020 to encompass 25 billion connected devices vital to every aspect of the modern industrialized economy, and for which today there is no guaranteed defense against theft, manipulation or diversion by criminal cyber networks. For the CISO, it’s the closest thing to permanent job security.

In Vivo Roundtable Participants

Cyber Scenes: What’s Top Of Mind?

William Looney: What is your mandate and role in the organization? As a scene setter, what is the one question that comes up most frequently in your day-to-day interactions with C-suite colleagues and stakeholders outside the organization?

Denise Anderson: ISACs were established in response to Presidential Decision Directive 63 of 1998, which asked private-sector industries to build communities to share information on cyber threats. ISACs focus on those sectors that play a critical role in the safety, security and economic vitality of the state and society. Our group, NH-ISAC [National Health Information Sharing and Analysis Center], was founded in 2010 when cyber and health care were not necessarily part of the same sentence. Today, cybersecurity is something a health care delivery organization must take seriously. It’s a global problem. Exchanging information on threats, incidents, vulnerabilities, best practices and mitigation strategies is imperative. What to share, how to share – and when – is a question we address daily.

Val Mukherjee: The Foundation is a non-profit membership organization based in Texas. It’s an adjunct to my role as executive director in the EY cybersecurity advisory practice. Our goal is to create a trusted platform for collaboration in the cyber space with various public, private and academic stakeholders in the global community. Our members help identify and focus on hard, macro-level problems and use the Foundation’s super connector platform to work together to solve them. For the current year, we have chosen to focus on expanding the cyber workforce through a standardized training curriculum designed to make cyber education relevant and accessible, be it the traditional undergraduate course for IT students or hands-on executive education at the C-suite and board level.

Terry Rice: I have been CISO for Merck for nearly nine years. During that time, my function has evolved from a predominantly technical one to a business strategy remit centered on finding new ways to seamlessly manage our IT, cybersecurity and risk assessment practices. The big question relates to the balance between responding to the many variables that drive the health care market while keeping pace with changes in technology. Another pressing concern is handling a proliferation of laws and regulations in the cyber sphere. Almost every government is developing its own privacy and security legislation. Most industrialized countries have already deployed successive iterations of these laws. It requires any company doing business across geographies to be aware and to respond proactively, or face sanctions.

I spend an increasing amount of time on human capital – people. CISOs face a dearth of IT talent around the world. It’s getting harder in this industry to attract, develop and retain people who can handle a growing portfolio of challenges around data theft, signature fraud and other internal security infractions. The capability gap is acute in smaller health care businesses like start-up biotech or physician group practices. This is also where our industry is most vulnerable to attack.

Mollie Shields-Uehling: We are a non-profit industry collaboration started a decade ago by leading biopharmaceutical companies. The goal is to build a digital identity and signature standard that facilitates the transition of business and regulatory processes, from paper to electronic. The consequences when identity trust does not exist can be dire: in health care, two out of every three cybersecurity breaches are caused by weak identity trust, including hijacked user names and passwords. What our SAFE (Signatures and Authentication For Everyone) standard does is prove that you are who you say you are. If you make a digital signature, our standard ensures that identity is uniquely linked to the digital template for verification. The tool allows every person to express as a single identity – an Internet passport, so to speak, that is trusted and verified across the global IT ecosystem. It is also invaluable in reducing the complexity of online transactions. In the online space, it’s still the 20th century when it comes to identity verification. It’s a tower of Babel – with multiple identities registered within the same company. Our aim is to end this.

Greg Barnes: I’ve been CISO for about six months, but the position itself has been in place for at least five years. As far as the issues I face, people factors always rank near the top. I have a critical requirement to ensure we’ve instilled cyber risk management in all corners of the global organization. It’s often the least experienced people in the field who end up in front of tough risk decisions and the potential for a cyber disaster. Hence it’s critical we build awareness and help our colleagues at all levels understand the degree of risk they’re facing on a daily basis.

Another urgent issue is how to maintain the pace of product innovation, keeping cybersecurity uppermost in mind, but without crippling legitimate business operations. As we put in new IT applications, each with its own control and risk profile, we need to make sure we’re also allowing our R&D operations to continue to exchange legitimate and necessary information to extend and improve the health of our patients – that work has to happen.

A third concern is figuring how to positively authenticate people in a global cyber environment where, in many cases, individual identities may have already been compromised, multiple times, in other contexts. Finally, the CISO must recognize that IT security strategy is required to adjust to and enable the norms of business, not the other way around. It is our responsibility to find ways to fight potential security breaches while upholding that mandate. To support the business.

"The CISO must recognize that IT security strategy is required to adjust to and enable the norms of business, not the other way around." – Greg Barnes, Amgen

Krishnan Chellakarai: The CISO portfolio has come into its own at Gilead only in the last three years, so much of my work has been building the foundation for company-wide engagement in the cyber space world. At the moment, my focus is on being proactive in responding to a changing landscape of cyber threats. The slogan “what I don’t know is what I don’t know” comes to mind. I am challenged by the capacity to be able to detect, contain or eliminate a threat before it becomes reality. The goal is to limit the spread of contagion to the entire Gilead IT network. I have found that managing this challenge requires a strong commitment to sharing information, not only within the company, but with the entire industry as well as other sectors. We need the platforms that will permit such exchanges to proceed in real time, and with maximum trust.

Finally, I agree with the others about the importance of the people factor. It’s good to focus on talent recruitment but equally vital is motivating the talent you already have. In IT, boredom at the staff level can be a factor, so it’s important to ensure our people have fresh opportunities to learn and grow in place. Motivating colleagues is a topic I encounter in the office nearly every day.

James Routh: This is my fourth position as a Chief Information Security Officer (CISO). My previous roles were in financial services, at American Express and JP Morgan Chase. I joined Aetna four years ago and manage both physical and cybersecurity in a converged operation. I also serve as current chair of NH-ISAC.

Although the CISO position is not new – in financial services, it extends back two decades – the role has evolved in a different direction. The CISO today is not simply the administrator of controls linked to a framework of risk. Being effective as a security professional means looking outward and leveraging the experience of internal and external experts motivated to share information freely. There is no intra-industry competition for dominance in cybersecurity – we all must work together. Another big difference is a gradual move away from a standard “one size fits all” security control vector.

Today, the CISO measures success by the embrace of unconventional control strategies that respond to an erratic, unpredictable landscape of cyber threats. Threat actors are changing their tactics, so a resilient enterprise must maintain a control framework that is constantly adapting. In fact, where resiliency was once measured by adherence to a standard protocol of controls, the big success factor today is being able to change that protocol on the spot, as the situation demands. A company must be able to disrupt the tactics of these actors to create friction and to apply more innovation in controls design. It tips the scales in favor of the enterprise over the threat actor who has the advantage of only needing to find one invasive exploit that works.

That’s another reason why information sharing and reaching out to all potential allies is now so important – indeed, the best way to find which companies are doing the best work in cybersecurity is to observe how much information they share with others. Enterprises with the most mature programs share information on threats, tactics, techniques, control practices and tech solutions. The idea that security information is proprietary and must be held close is a relic of a different era.

Industry’s Weak Points

It’s been said that the health care sector is particularly vulnerable to cyber threats due to the sheer diversity of entry points for hackers and other illicit players. Where is that “soft underbelly” located in health care? Is it also correct to say there are few protections in place to control the proliferation of bad actors?

Rice: We are highly exposed. It's estimated that three-quarters of health care delivery is provided by practices with less than 10 physicians. They lack the resources to invest in the systems and devices necessary to protect confidential data, especially since any small practice can serve as an entry point for cyber criminals to bring down entire networks. There are also all those biotech-start-ups with sensitive IP data, who face the same issue over a lack of scale and resources commensurate to the threat.

"It's estimated that three-quarters of health care delivery is provided by practices with less than 10 physicians. They lack the resources to invest in the systems and devices necessary to protect confidential data." – Terry Rice, Merck & Co.

Shields-Uehling: With reference to fighting the bad actors, prevention and control standards have been carefully drawn up through SAFE-BioPharma, NH-ISAC and other venues. However, while the standards are good, implementing them in the field is slow. The issue is not the lack of standards; it’s the collective will to execute around them that is absent. You need a commitment to change management from all the players that Terry Rice just mentioned as well as a willingness to address the issue of legacy systems in IT. A lot of money and investment is at stake. We shouldn’t forget it took 20 years to realize the full potential of the Internet.

Barnes: I’d like to underscore the critical necessity to broaden the reach of our information-sharing efforts against cyber threats. You can’t out-flank an adversary without cooperation from an ally. Sharing must be an ingrained defensive practice – it’s key to our role. (See sidebar, Industry's Policy Watchdog.")

More Than A Privacy Issue

How would you characterize the current cyber threat landscape in health care?

Routh: Our industry is extremely vulnerable, due to the size of the attack surface. This means the number of entry points that enable a bad actor to penetrate and compromise a data system. The size of the attack surface is exponentially greater in health care compared to financial services, the other sector with a history of exposure to the cyber challenge. Health care is highly decentralized; there are thousands of small organizations with few resources to mount a cyber capability against the bad actors. In 2016, three billion credentials – including passwords, user IDs and email addresses – were harvested by cyber criminals in the US alone.

The latest technique used by these criminals is called “credential stuffing,” whereby if a criminal has illicitly acquired credentials (i.e., log-in and passwords) he/she can apply this information using a tool called Sentry MBA that automates authentication and log-in attempts to any website, achieving a takeover rate of about 2% of online accounts linked to the site. If the criminal can add the website company name as a prefix in the password, the percentage takeover rate doubles to 4%. At this point, it's obsolete to think that a single factor of binary authentication – like a password – will keep an information asset impregnable. We must get ahead of the game on identity and authentication controls if the industry is to stay resilient in the face of these threats. This means moving from single factor credentialing like the signature passport to multi-factor and then ultimately to a risk-driven, behavioral approach.

Rice: The 240 companies that participate in the NH-ISAC are a small percentage of the roughly 6,000 US enterprises active in this business. The financial sector is far more plugged in, even though health care has far more exposure in that we regularly exchange very sensitive information on clinical trials, prescription drug benefits, insurance coverage and medical payments, all of which is shared across multiple legal entities. It’s a complex network where we are only as strong as our weakest link.

Mukherjee: Sources of cyber threat are proliferating. The bad actors consist primarily of three groups: nation states, which tend to focus on industrial espionage and institutional destabilization; organized crime, which is effectively transnational and motivated by profit; and the opportunist criminals, whose objectives vary and are thus particularly hard to monitor and control. Put together, these actors have a formidable offensive edge because they can set the rules of the game in terms of the threat, vulnerability and consequences. They only need to find one way in to collapse our defenses, while industry must protect literally thousands of entry points in a single information network. Health care companies have only recently begun to prepare for this.

Barnes: The threat is asymmetrical. Once weaponized, company vulnerabilities can be quickly monetized and then scaled. For example, a cyber criminal introduces a phishing attack by impersonating the United Parcel Service (UPS) invoicing system and convinces a few people to click on a link or to reveal sensitive information. It’s incumbent on us to react quickly and interrupt the criminal’s ability to bring that attack to scale, force him to adapt, and increase the cost of achieving his objective. We do that by sharing the cyber criminal’s observed techniques with all those enterprises that have yet to face them firsthand.

"The Internet has grown up as an open bazaar. The irreversible move to the cloud has raised the stakes in terms of potential business risk." – Mollie Shields-Uehling, SAFE-BioPharma

Shields-Uehling: Weak identity trust is one of the leading vulnerabilities in conducting business via the Internet. The Internet has grown up as an open bazaar. The irreversible move to the cloud has raised the stakes in terms of potential business risk. At the same time this transition has created opportunities for the bad actors, as witnessed by the volume of data breaches caused by weak identity trust. As a result, we are seeing progress in getting biopharma and health care companies to understand that identity trust is a make-or-break commercial issue that requires the C-suite’s undivided attention.

What are the actual consequences of recent cyberattacks on industry? Although such attacks are widely reported, there is rarely any assessment of the seriousness of a data breach – it’s business as usual the next day.

Rice: Reporting on cyberattacks tend to be characterized as a privacy and confidentiality of information issue. But the impacts are far wider. Consider the effect of manipulating health records or a product manufacturing line – giving a sick patient the wrong prescription, or changing production software to 50 cc of an API instead of 5 cc, causing patients to overdose. We’ve seen ransomware shutting down entire hospitals because of the scrambling of patient records. This issue – patient safety – is the big differentiator when it comes to health care versus other business sectors. Security researchers have demonstrated that it is possible to hack defibrillators, insulin pumps and other medical devices. We are only scratching the surface of the potential implications for patients.

Barnes: We have not yet seen the types of impacts that all CISOs know are possible today. The attack against state-owned Saudi Aramco offers some insight. In less than four hours, more than 35,000 networked systems controlled by Aramco were turned into bricks. It appears to have been little more than a demonstration of the cyber criminals’ capabilities but the attack dwarfed anything we had seen to date. Nevertheless, the incident was largely ignored by the media and the public. Imagine, however, taking that capability and putting it to scale against the health care environment, especially for medical devices and the intricate software these instruments rely on. The entire health care delivery chain would be disrupted, the safety and integrity of which could take weeks or months to restore.

Anderson: A big driver in understanding the importance of information sharing came at the time of the cyberattacks by a rogue nation state [author’s note: media reports at the time attributed the attack to Iran) on several US finance and banking institutions in 2012–2013. The attacks received wide attention in the press, from CEOs and at the White House. As a result, cybersecurity suddenly became a board-level issue within finance. While recent ransomware attacks have raised the level of interest in the life science and health care delivery sector, I don’t think we are seeing yet the same level of C-suite attention or support as is the case in finance.

Rice: The Anthem EMR breach in 2015 was another turning point for us in biopharma. That year, one-third of all US citizens had some of their health care data exposed. Later that year, Congress took action to legislate an inter-agency strategy on cybersecurity in the health care industry. The results of that work as a task force were published in June in the "Report on Improving Cybersecurity in the Health Care Industry."

How is the senior C-suite, including your CEOs, responding to the escalation of the cybersecurity threat?

Routh: The duty of a CISO is to provide clear strategic direction with options for the C-suite. My team synthesizes the issues for them, in what I call the “three Ts” of cybersecurity. The first is talent – the human capital with the skills and capabilities to confront the criminal actors and defeat them. The second is tools, which consists of the physical resources like software and hardware needed to keep pace with technological change and deflect the inventiveness of those who would disrupt our business. The third is technique, which is how clever you are with the human and physical assets that, together, will determine just how well you engage the enemy. Technique is the most important of these three. Technique does more to disrupt threat actor tactics and improve enterprise resiliency. Today, our techniques are moving away from rigid protocols toward innovative and unconventional control standards and procedures.

Can you explain or give an example of an “unconventional” control on cybersecurity?

Routh: Phishing is the number one vector used by the bad actors. They like it because it works. Their aim is to convince people to voluntarily give up information. It’s social engineering at scale, with email as the abetting vehicle. The conventional approach to fighting phishing is educating the end user to recognize the tactics of the enemy and resist opening an email addressed to you. The tactic the criminals use is called domain spoofing, which makes it look like an email is coming directly from an enterprise domain, even though it’s originating from another domain. The unconventional control against phishing is a new tool that we supported, DMARC (Domain Message Authentication and Reporting Conformance), which authenticates the email delivered to the Internet Service Provider (ISP). The policy enforced by the ISP is to drop all other emails that are not authenticated. The end user or consumer never sees the fraudulent email, adding trust back into the email chain.

This is an example of an unconventional control, meaning it is not part of any existing risk framework. The email actually originates from an enterprise domain, raising the level of trust among our members but also reducing costs because there is no illicit takeover of an account. Some 90 US health care companies are today putting the DMARC standard in place; my company, Aetna, installed the control three years ago. We send out around 2 billion emails to our members every year. DMARC, the unconventional control, provides us with greater security in communicating to our members.

Rise Of The “Hactivist”

Of the cadres of bad actors in cybersecurity, which one is causing the biggest problems in health care companies?

Anderson: It depends. Nation states that coordinate attacks on IP or trade secrets tend to focus on pharmaceuticals, while opportunistic criminals using ransomware and credential theft are motivated by money – they show the most interest in smaller hospitals and clinics, which are easiest to enter and lack the defense capabilities that will raise the costs of penetration to the invader. The opportunist is very sensitive to anything that costs him more to get what he seeks; when there is a strong response from the attacked, the opportunist will just move on to another, weaker target. (See sidebar, China: Elephant In The Room.")

A trend we have not mentioned is the rise of the “hacktivist” – individuals motivated by a cause or an issue, who use disruption to bring attention to their grievances. This cadre is growing and is particularly worrisome to biopharma due to the industry’s poor public image. To date, hacktivist targets have been unpredictable. For example, the hacktivist group Anonymous conducted a cyberattack on a Flint, Michigan hospital to protest the high lead count in the city water supply. The hospital was hit even though it had nothing to do with the lead problem. I see hacktivists as wild cards – very hard to control.

Rice: The world has changed. In the past, anti-industry activists might picket or demonstrate at an annual shareholders meeting. Now some of these actors are using the cyber space to go online and disrupt, deface or gain access to information that might cause harm to the company’s business or relationships with critical stakeholders.

Is there an “insider” threat within the health care industry, or should the main security focus of the CISO stay squarely on challenges from outside the business?

Mukherjee: Most big companies today operate in a “virtual” environment in which day-to-day human interaction is declining. People move around a lot, and the millennial generation is particularly restless in terms of job tenure. Company affiliation and identity is thus not as strong, which provides an opening to cyber threats coming from within the organization. It’s a company culture issue at base. There is a window of heightened risk during periods of difficult organizational change when gross negligence or outright stealing of sensitive company data can take place.

Barnes: The company insider is just one in a list of adversaries. Another critical task for a new CISO today is to foster cultural change that builds security into the core competencies of the organization. It’s the only way to ensure that protection against cyberattacks becomes pervasive at all levels of management. The CISO must also address the issue of technology debt, which is what accrues when management opts to defer patching or puts off necessary lifecycle investments in cybersecurity systems. Recognizing the debt will be paid, one way or another, we’d prefer to pay it by upgrading and patching in a timely manner. But know this: there is always the potential to be paid in the form of an expensive data breach enabled by outdated infrastructure or applications. (See sidebar, "CISO Core Competencies.")

Roundtable Recommendations: What To Do?

Can the group recommend a specific business or policy change that would support the mandate of the CISO function and/or make the health care sector safer against cyberattacks?

Routh: For Aetna, a key “want” is limiting use of the individual social security number as a unique identifier in data systems. It's pervasive throughout health care and, in some cases, is even mandated by the federal government. All this does is increase the potential attack surface for cyber criminals, who regard the social security i.d. as a highly marketable asset, especially on the darknet.

Aetna is very committed to this goal. In the last two years, we have eliminated seven billion social security numbers from our core data processing system and we are doubling our efforts to persuade our plan sponsors to do the same. In 2019, Medicare will abandon reliance on social security numbers as a unique identifier or derivative – good news. This will considerably reduce the attack surface for cyber criminals.

Shields-Uehling: We would like to see US government agencies implement their own trust standards for identity authentication with external parties. Agencies have extensive and varied interactions with the private sector that are sensitive and thus vulnerable to cyberattack. Yet they fail to apply trusted identities as foundational to these interactions, even though SAFE-BioPharma and others have invested heavily in creating a uniform standard that is now widely accepted throughout the health care industry and is interoperable with and certified by the US government. The federal government would do well to recognize and apply its own standard uniformly, rather than continuing to follow the current disconnected approach.

Rice: Companies have to move decisively from debating whether cybersecurity is a priority issue, to taking action, preferably in coordination with others. Most CEOs today understand there are big issues in cybersecurity that have to tackled. But are the business units and the cybersecurity folks in our companies ready to sit down and outline the specifics of what must be done – and to confront the trade-offs that accompany tough decisions in any large organization? We will not solve the growing vulnerabilities from cyber criminals unless everyone pulls their weight across the company. Information sharing across companies is vital, but let’s not forget the importance of maintaining that internal dialogue as well.

Mukherjee: Commitment to cyber education has to be accelerated. Educating across all tiers of the organization and ultimately with customers and the general public is necessary. My group is devoting particular attention to cultivating leaders from different walks of life beyond IT, who will extend the knowledge base and skills required for effective cybersecurity management.

Anderson: I would like to see a repositioning of cybersecurity away from treating it as a compliance problem. It’s much bigger than that, with enormous strategic consequences for how health care is delivered and paid for. The sector needs to shift from the reactive mind-set of compliance to a focus on enterprise risk management, a more proactive approach.

Routh: I’d like to see a clearer differentiation between privacy and security. The former is a compliance-driven program, while cybersecurity is all about risk. You will find in the health care sector this distinction is blurred, which tends to create a lot of mixed signals that limits consensus. Health care practitioners see the issue entirely within the construct of the HIPAA statute: how do we comply with the law and its regulations? But this is a totally different problem than confronting those bad actors who carry the potential to disrupt the established routines of business and steal vast sums of money.

Chellakarai: Another change that’s necessary is considering how to coordinate with the outside vendors who manage large parts of the industry supply chain. One option is to establish a register for vendors along with performance standards, where cyber threats can be assessed and resolved. Coordination with vendors provides the opportunity for expanded information sharing too.

Routh: We will be inviting major vendors in health care to join us at the next NH-ISAC summit in November. Next to government, supply and service vendors are our most critical partners. We can’t face down the cyber challenge if vendors don’t have the essential knowledge, tools or capabilities to support us.

The Looming Threat Is … IoT

Finally, can we identify a disruptive trend or change that will shape the health care industry’s capacity to manage cybersecurity down the road, for good or bad?

Barnes: The Internet of things (IoT) stands out. The risk surface for our industry is fluid and increasing exponentially, outpacing the ability to match it with security controls.

Mukherjee: There is a proliferation of valuable information from robotics and a host of new interconnected devices, interruptions of which could lead to broad systemic breakdowns and bring normal life to a full stop. In a IoT world, the integrity of the health and biopharma supply chain is an obvious target.

Routh: A good example is a recent highly successful denial of service attack by a group that took over millions of cable boxes and DVR devices in homes and through that was able to obtain easily guessable passwords for both the customer and even the passwords for the factories where the cable modems were built. The criminals used this vast volume of data to attack and totally disable the information network capabilities of a major business. At the time it was a novel attack, but we expect it to become routine as the IoT spreads to many other essential functions of the home and business, from lighting to refrigerators, air conditioners and microwaves.

Shields-Uehling: The future of cybersecurity is not entirely dark. While the challenges are real, the industry response is robust. The CISO function is evolving with the times, and the willingness of companies to share information is taking root. It’s a major sea change in the competitive landscape of biopharma that requires time to adjust, but the direction is clear. The CISO has embraced the mind-set of continuous learning to counter what ultimately must be seen as an assault on society: and it’s not just about data, but on what’s human about health care – the living patient.

[Editor's note: This article was published in In Vivo June 25.]