Europe’s top 10 pharma companies all have vulnerable web applications, potentially putting sensitive medical and patient data at risk of being hacked, according to a new study by Outpost24.
The company used its external attack surface management tool to assess the security of Europe’s top pharma firms’ internet-facing web services. Worryingly, it gave 80% of these organizations a score above 30 (out of 58.4), which indicates a high susceptibility to exposing security vulnerabilities externally, where they could be exploited.
However, the top 10 EU pharma firms had a significantly lower risk exposure score than their top 10 US counterparts (40.5).
Overall, the researchers noted that EU pharma companies run an exceptionally large number of web applications (20,394 web apps and 9,216 domains) compared to other industries. Nearly one in five (18%) use outdated components containing known vulnerabilities, while 3% were considered suspicious.
Additionally, over 200 EU pharmaceutical applications have unencrypted login forms, potentially putting clients’ and patients’ data at risk of exposure.
The authors also observed a number of other security and compliance issues in EU pharma companies, including basic SSL, cookie settings and privacy policy defects.
Encouragingly, the report noted many of the vulnerabilities are easily fixable.
Stephane Konarkowski, security consultant at Outpost24, commented: “This research highlights the complexity of modern-day pharmaceutical and healthcare applications and the vast volume exposed on the Internet.
“These results demonstrate how crucial it is for the industry to review their external footprint and vulnerability exposure to improve security hygiene in the face of the ransomware pandemic.”
Nicolas Renard, security researcher at Outpost24, added: “As the attack surface and trade secrets that pharmaceutical organizations process become more pertinent, it will give threat actors more reasons and motivations to step up malicious attacks for profit and put public health at risk.”
Attacks on pharma and other healthcare organizations have ramped up in the past year, with data on COVID-19 vaccine development viewed as highly valuable to threat actors. This includes accusations that nations like Russia, China and North Korea have attempted to sabotage or steal information on R&D efforts in this area.