Securing Your Life Sciences Business: Mitigating Risks From Third-Party Services, MSPs, and SaaS

Life sciences businesses exist in a unique landscape, fraught with small IT teams, vast data storage needs, intricate compliance mandates, and a myriad of users. The appeal of Software as a Service (SaaS) platforms, Managed Service Providers (MSPs), and third-party vendors is evident—they offer an economically savvy, user-friendly solution to these complex challenges. However, convenience comes at a cost, prompting us to ask, "Is this secure?" While compliance with regulations like 21 CFR Part 11 provides a regulatory cushion, it's crucial to dispel the myth that compliance equates to security. The chilling wake-up call from the recent MGM and Caesars cyber incidents emphasizes the imperative of securing your digital assets, especially when using third-party services.

A Spotlight on the MGM and Caesars Breaches

The cyberattacks on MGM Resorts and Caesars Entertainment have ignited public and regulatory scrutiny. At MGM, system outages created chaos, affecting everything from keycards to ATMs and slot machines. Caesars faced a devastating data breach, involving the loss of sensitive customer data like Social Security numbers. To limit the fallout, the Wall Street Journal reported that Caesars paid an exorbitant $15 million, roughly half the amount the attackers demanded to keep the data confidential. According to Lesley Carhart, Director of Incident Response at Dragos, while casino heists are sensational, life-impacting attacks on sectors like healthcare and critical infrastructure often go unreported.

A Russia-based gang known as Alphv, or BlackCat, claimed responsibility for MGM's woes. This group has previously targeted critical institutions like healthcare organizations, underscoring the point that your industry is not immune. It’s essential to note that MGM had also suffered a breach in 2019, affecting more than 10.6 million customers—highlighting that even giants in the industry can falter when it comes to security measures.

MSPs: Risk Beyond Your Internal Perimeter

Internally, awareness training, role-based access, strong passwords, and Multi-factor Authentication (MFA) are staple measures. But third-party vendors introduce another layer of risk. Here’s how to fortify your defense:

  • Ensure that third-party personnel receive adequate security training.
  • Establish boundaries for vendor operations within your infrastructure.
  • Verify that vendors conduct regular penetration tests and provide proof of compliance.
  • Proactively identify vulnerabilities by simulating third-party connections.

Demystifying SaaS Security

While SaaS platforms may reduce the risks associated with vendor staff, they still come with their own set of security concerns:

  • What measures are in place to safeguard your APIs and data channels?
  • Are your team members employing strong passwords and multi-factor authentication (MFA)?

Choosing vendors that conform to Open Web Application Security Project (OWASP) standards and consistently conduct penetration testing is crucial for ensuring a secure SaaS environment.

The Path to Better Security: Proactively Identifying and Mitigating Risks

The MGM and Caesars incidents should serve as an eye-opener. While ransomware attacks may recede from the headlines, they continue to cause widespread disruption, hitting sectors you might think are impervious to such threats. In this digital age, full-scope penetration testing is not an option—it's a requirement. At NetWorks Group, we're often asked if vulnerabilities in third-party services such as SaaS and MSPs are testable. The answer is unequivocally yes.

The NWG Advantage: Comprehensive, Uncompromising Security

We excel in delivering comprehensive penetration tests that cover a complete range of threat avenues—external, internal, wireless, and even social engineering and physical risks. Our approach is continually updated to integrate attack strategies akin to those that led to the security breaches at MGM and Caesars. To learn how NetWorks Group can help secure your life sciences organization, get started here.

#biotech #biotechsecurity #SaaSSecurity #lifesciencessecurity #biotechSaaS

Published By: Chris Neuwirth, Senior Penetration Tester and Scot Armstrong, Account Manager

Publish Date: October 11, 2023
