Latest News

Europe’s top 10 pharma manufacturers all have vulnerable web applications

Outpost24, an innovator in identifying and managing cybersecurity exposure, today announced the results of its 2021 Web Application Security for Healthcare report for the top 10 European pharmaceutical organisations, as ranked by Drugs Discovery and Development based on annual revenue, R&D spend, employee numbers, leadership and more.

Using Outpost24’s external attack surface management tool, the study evaluates the digital footprint of the Top 10 pharmaceutical organisations in the EU by discovering their internet facing web services and scoring the security exposure identified. Nearly 80% of organisations studied were over what Outpost24 considers as ‘critically exposed’ – above 30, indicating a high susceptibility to having security vulnerabilities presented externally for potential exploits. The findings revealed that the top EU pharmaceutical organizations run an exceptionally large amount of web applications compared to other industries, with 3% of them considered suspicious (e.g., test environments that should’ve been removed), and a further 18% using outdated components containing known vulnerabilities.

In the wake of the pandemic, the pharmaceutical and healthcare industry have become “big game” targets for cybercriminals, with by far the highest cost of data breach and prime examples including: COVID-19 vaccine producer, Pfizer/BioNTech, where thousands of sensitive information was leaked, recent targeting of ExecuPharm in March 2020 by nation state TA505 using Clop ransomware and the devastating impact on patients in the Springhill Medical Centre IT system attack.

Outpost24’s latest report examined the unique attack surface of pharmaceutical applications, highlighting how the pandemic has exacerbated cyber risk and presenting practical recommendations for mitigation.

Key Findings:

  • Within the Top EU pharmaceutical organisations, 18% are running on old components containing known vulnerabilities
  • EU pharma organisations run a staggering 20,394 web applications over 9,216 domains which is the region’s largest digital footprint across RetailCredit Unions, and Insurance companies, with 3.3% considered to be suspect.
  • Amongst the 7 most targeted attack vectors in web applications, Degree of Distribution (78.96), Page Creation Method (73.8), and Active Content (72.7) are the top 3 attack vectors identified
  • More than 200 EU pharmaceutical applications have unencrypted login forms putting clients and patients at risk of data exposure.

The report also highlights several other security and compliance issues including basic SSL, cookie settings, and privacy policy defects. Many of the attack vectors identified are easily fixable and could make a significant difference in reducing the risk of cyber-attacks and protecting critical patient information, intellectual property for new drugs and vaccines.

“As the attack surface and trade secrets that pharmaceutical organisations process become more pertinent, it will give threat actors more reasons and motivations to step up malicious attacks for profit and put public health at risk.” Nicolas Renard, Security Researcher at Outpost24.

“This research highlights the complexity of modern-day pharmaceutical and healthcare applications and the vast volume exposed on the Internet,” said Stephane Konarkowski, Security Consultant at Outpost24. “These results demonstrate how crucial it is for the industry to review their external footprint and vulnerability exposure to improve security hygiene in the face of the ransomware pandemic.”

To view the research and a full breakdown of the most prolific vulnerabilities reported within European pharmaceutical organisations, visit here.