Clinical Trial Software Company Hit by Massive Ransomware Attack
Last week, Universal Health Services (UHS) was hit by a massive ransomware attack, which is believed to be one of the largest cyberattacks on a medical institution in the U.S.
Now, Philadelphia-based software company eResearchTechnology (ERT), which offers software used in hundreds of clinical trials, has suffered a ransomware attack. The attack apparently began two weeks ago. Staffers at the company found they were locked out of their clinical trial data—data, in some cases, being gathered for COVID-19 vaccine trials.
A ransomware attack is where hackers take over a computer system and threaten to destroy the data on it or permanently prevent access until the owners pay a ransom. ERT indicates clinical trial patients were not at risk, but researchers who used the software indicated the attack forced them to track patients manually—with pen and paper.
Customers, in this case, included IQVIA, the contract research organization (CRO) that is assisting AstraZeneca’s COVID-19 vaccine trial, and Bristol Myers Squibb.
ERT has not specified how many clients and trials were affected, but the software is being used in clinical trials in North America, Asia and Europe. According to the company’s website, their software was used in about 75% of clinical trials that led to drug approvals by the U.S. Food and Drug Administration (FDA) in 2019.
Drew Bustos, ERT’s vice president of marketing, confirmed on Friday, October 2, that the ransomware attack occurred on September 20. In response, ERT took its systems offline that same day, notified the Federal Bureau of Investigation (FBI) and brought in outside cybersecurity experts.
“Nobody feels great about these experiences,” Bustos said, “but this has been contained.”
Bustos indicated the company began bringing its systems back online on October 2 and expected to continue over the next several days. At this time, no one is saying if they know who is behind the attack and Bustos declined to say if the company paid the extortionists.
In the case of the UHS attack, the hospital chain has more than 400 locations in the U.S. But over the last 18 months alone, there have been thousands of ransomware attacks on American cities, counties and hospitals. At least one report says more than 700 healthcare providers in the U.S. had cyberattacks in 2019 alone. One of the more famous was an attack called WannaCry, which hit tens of thousands of hospitals globally in 2017.
In a ransomware attack in Germany recently, Russian hackers took over 30 servers at University Hospital Dusseldorf, which crashed computer systems and forced the hospital to turn away emergency patients. In one case, a German patient died because of the attack, after she was re-routed to a different hospital almost 20 miles away. It is reportedly the first death linked to a cyberattack. Germany authorities are investigating the case as negligent homicide, according to The Hill.
One of the keys to withstanding a ransomware attack is to follow standard security procedures, including backing up data. IQVIA, for example, said they had relatively few problems because its data was backed up and Bristol Myers Squibb indicated the same thing.
IQVIA stated that the attack had “limited impact on our clinical trials operations,” adding, “We are not aware of any confidential data or patient information, related to our clinical trial activities, that have been removed, compromised or stolen.”
It does bring up the issue of whether biopharma companies are prepared to deal with cyberattacks, made all the more pressing by the urgency of clinical trials for COVID-19 vaccines and therapeutics.
“The ability for companies to quickly withstand this kind of attack is completely dependent on how good your IT is to begin with,” said Eric Perakslis, who is a Rubinstein Fellow at Duke University and previously acted as the FDA’s chief information officer and held senior IT positions at Johnson & Johnson and Takeda.
The ransoms can be considerable. This summer, the University of California San Francisco (UCSF) medical school paid a ransom of $1.14 million in Bitcoin, which is virtually untraceable.
ERT did not identify the cybersecurity experts they hired but did say ERT was taking steps to prevent another incident from happening.
“We’re following the advice of a world-class security firm, and adopting their best practices to augment our existing defenses," he said. "It’s something that’s unfortunate and nobody wants to be impacted by cybersecurity issues. But it is something that we feel that we are working towards remediation.”