Terrorism in Pharma Industry

 

Comprehensive security solutions to mitigate terrorism risks in pharmaceuticals.

 

 

Prevention of Chemical and Biological Terrorism

 

The current international framework is ill equipped to proactively handle the growing threat terror organizations play on the international pharmaceutical industry.
Globally, there lacks a true enforcement mechanism that can both proactively thwart these offenses, but also retroactively prosecute the offenders.

 

Our typical image of terrorism is a group of masked men opening fire on a crowded area or detonating improvised explosive devices to harm hundreds or thousands of innocent civilians.
But what if terrorists became so advanced that they were able to harm millions, without their targets ever knowing?

 

Imagine taking over-the-counter pain medication to relieve your horrible sinus pressure, but unbeknownst to you, that medicine had been tainted with Cyanide.
While that example is horribly graphic, it is a real example of what many call a chilling display of domestic terrorism.
Similarly, what if that generic Viagra being sold was secretly produced by Hizballah and used to finance its ongoing terror operations globally.
Experts have warned the pharmaceutical industry that they are vulnerable to terror threats, little has pragmatically been done.

A new International Task Force is proposed, which will have both the authority to seek out these offenders, use force, if needed, to take down these groups,
a database to organize this information, and finally, a Treaty establishing counterfeit medicine as a crime.
The US commission studying the September 11, 2001, Al Qaeda attack on New York and Washington concluded that America's vulnerability resulted from
a "failure of imagination", specifically, a failure to envision the improbable but possible use of hijacked airlines as weapons of mass destruction.

 

To date, no pharmaceutical company's scientists or technology have been traced to a domestic or international act of terrorism.
Yet despite the absence of any documented attempt to exploit gaps in current pharma security via direct or cyber-based subterfuge,
we have analysed the risks and are prepared to caution the industry against at least three other "failures of imagination" even if they appear unlikely today.

These are:

 

- The potential for terrorists to steal via cyber-theft confidential proprietary technology or materials directly, or through contracted surrogates.
 

- The potential for a disgruntled or blackmailed employee, or a new employee who has been inadequately screened,
  to exploit opportunities from within a company to introduce toxic contaminants into the final production stages or packaging of medicines or vaccines.

 

-The potential for terrorists to gain access to pharmaceutical and biologic technology and apply it in such a manner as to inflict chemical or bioterrorism indiscriminately,
  placing thousands, even millions, of people at risk.

 

For decades, the production and sale of fake drugs were largely confined to the third world; the danger was mostly to solid dosage forms.
Recently, fake solid and injectable brand drugs have penetrated the industrialized economies, exposing both the industry and its customers to more risks than might meet the eye.

 

Chronic shortages of generic injectable drugs have driven grey market prices up by thousands of percent, making them, for the first time, candidates for potential counterfeiting.

Counterfeiters today may feel they have even greater latitude in picking from a whole panel of short supply injectables,
due to the shortages of many very basic drugs and their less complex generic labels and packaging.

 

The potential "market" for fakes of generic injectable drugs extends to thousands of hospitals and clinics, covering even more territory than the
brand injectable drugs they've counterfeited to date.

 

- The FDA has discovered fake injectable brand drugs in United States & European hospitals and clinics.
  Some of these fakes originate with domestic criminals; others with as-yet unidentified foreign manufacturers.

 

- Beyond the fake erectile-dysfunction and narcotic drugs sold on the Internet, investigators have found in US pharmacies near-perfect truly counterfeit tablets,
  packaged along with diverted overseas-manufactured tablets of the genuine drug, assembled in counterfeit dose packs.

 

- Tragic experience with long-trusted Chinese suppliers demonstrated the vulnerability of both brand and generic companies to overtly criminal economically motivated adulteration
  by overseas vendors in their raw materials supply chain.

 

These criminal exploitations of gaps in the US & European drug system have been noted by terrorist groups and rogue states.
A "failure of imagination" could result from companies failing to consider how committed criminal, political, and terrorist groups might seek to exploit gaps in their employment screening,
computer networks, or supply chains to insert fake versions, even toxic fakes, into their distribution channels.

 

- The global pharmaceutical industry has been specifically targeted by the leftist international hacking organization "Anonymous," whose sympathies appear
  closely allied with those of violent animal rights groups that have targeted pharma in the past, and with terrorist organizations known to finance their activities
  through the sale of counterfeit amphetamine Captagon and fake Western drugs.

 

- Hackers of unknown origin or intent have successfully penetrated the computer networks of well-known pharmaceutical main companies.
  Those penetrations may have lasted a month or more until discovered.

 

Criminals hacked into the computers of America's largest security company, ADT, obtaining vital security data from companies which was then used to break in
and steal from their warehouses and trucks.

One of their targets was a drug supply warehouse for Eli Lilly, from which they stole $75 million in inventory covering a wide range of drugs.
Other companies whose drugs were stolen and then resold include Glaxo SmithKline and Novo Nordisk, as thieves targeted both warehouses and long-distance trucks.

 

- The stolen Novo Nordisk cargo was insulin, which other criminals then sold to small distributors who resold it to the giant Kroger pharmacy chain,
  which inadvertently bought it even after an FDA warning.

 

The Fortune magazine claimed one patient in Ohio who took the insulin went into convulsions; another, in Texas, saw his blood sugar spike.

 

- Other products, manufactured in the Middle East penetrated both European and United States grey-market distribution,
  and were discovered being administered to patients, after passing through the lawless conflict-zone in Syria.

 

Middle East terrorist factions of Hezbollah and HAMAS have been cited by the US Drug Enforcement Agency as manufacturing millions of dollars annually
in counterfeit prescription drugs and amphetamines and selling them through criminal networks, both in the Middle East and Latin America.
Hezbollah operatives in Michigan who ordinarily specialized in dealing in untaxed cigarettes, were indicted in 2006 by a Federal grand jury for trafficking
as many as 50,000 counterfeit Viagra tablets into the United States from Canada and transmitting proceeds from their operations to Hezbollah.

 

Four years earlier, the DEA discovered a similar operation smuggling large quantities of pseudoephedrine from Canada,
destined for methamphetamine manufacturing in the Midwest and Mexico, with profits going to Hezbollah.

 

- Hezbollah, HAMAS, and Iran have developed their own hacking teams, with evidence that they operate both alone and with the assistance of Russian criminal gangs.
  Hezbollah took responsibility for having hacked into the networks of the US banking giant Wells Fargo. Bank of America and Citibank have also been hacked.

 

Pharma's HR department: A potential gap in corporate security

 

The 2001 "Ameri Thrax" anthrax letter attack uncovered gaps in Défense Department screening of scientists with access to dangerous substances,
and management's inadequate monitoring of changes in employee personality due to potential triggers.
The anthrax-containing letters sent to the Senate were traced to lone-wolf defence scientist Bruce Ivins at the Army's Fort Detrick research labs.
Ivins is believed to have begun mailing his letters because of his anger at loss of funding for a research project.
So respected was Ivins that he was assigned by the Department of Défense to assist the FBI in seeking the anthrax-letter terrorist,
and for months, sent investigators in wrong directions.
What should trouble pharma HR is that Ivins' credentials and experience would have made him a candidate for a top research position
at just about any global drug company where he might have applied for employment.
Ivins' managers failed to take note of personality traits that might have tipped them off that something was wrong,
especially after his anthrax vaccine was placed on a development back burner.

 

Management might have detected issues brought to the attention of the FBI by a former university colleague that he had persistently harassed for years.
In fact, Ivins had performed poorly on psychiatric tests, but the results weren't followed up.

 

Unchecked CVs

 

Equally troubling to pharma HR should be the multiple mistruths in CV’s.
When researching, uncovered multiple academic degrees and honours could be found that persons never received.
All these claims should have been verified before given access to some of the virulent organism stores.
What should not be missed by pharma HR is that someone with a profoundly falsified CV will gain access to laboratories where his incompetence could have endangered co-workers,
company and the nation.
Resumes for those with such potential access must be rigorously examined, and all claimed degrees, published papers, and experience validated.

 

- Dangers for support staff.

 

- Armed thieves disguised as police broke through the perimeter fence of the Brussels airport and stole more than $50 million in gems from the cargo hold of an airliner about to take off.
  The security gaps that enabled such a precise theft appear to have been guided by inside information by airport personnel.
  Following the Brussels theft, an airline security specialist made observations about airport security that may merit considerations for possible parallels for pharmaceutical companies:

 

Ground crews are largely unseen by the public.

 

But in much the same way as flight crews, they have intimate knowledge about their work environment.
They also have unrestricted access to the exterior and interior of aircraft.
Despite this access, these employees are not subject to the same security screenings as passengers and most flight crews.
The Brussels incident suggests the industry needs to consider tighter screening of all who enter their facilities,
including those who clean premises, both offices and labs.
Many such functions are outsourced to companies paying minimum wage, and, despite blanket assurances and signed commitments.

Minimally checking immigration status.
Unsecured computers left logged on, passwords and codes for copying machines taped to inside desk drawers, loose documents on desks,
notebooks beside experiments left running at night, all represent potential security risks.

 

Cyber-attacks reveal every industry's vulnerability.

 

Until recently, an international competitor or a terrorist group wishing to obtain and capitalize on a pharma company's confidential technology
would have had to recruit multiple scientists and manufacturing engineers or insert operatives as employees capable of stealing lethal organisms or chemicals.
Today, however, criminal, political, and terrorist groups might use teams of dedicated hackers to steal the same information an intruding terrorist masquerading
as a scientist might try to obtain.
And evidence suggests they are doing just that.

According to a 2011 report, international hackers have already penetrated the networks of top pharma companies,
at least one medical device company and even US banks.
The hackers, likely Chinese from their IP addresses, appear to have broken into the computer systems of the hotel Internet services provider,
used by traveling executives around the world.
In addition to being able to view both unencrypted and encrypted e-mails, security authorities believe the hackers may have inserted malware to the laptops of those executives,
enabling them to capture passwords typed by the executives.

 

What happens when pharma fails to monitor ex-employees.

 

Every landlord knows to change the locks after a tenant leaves, but at least one pharmaceutical company didn't similarly change the internal passwords after an IT worker
left and suffered the consequences.
A former IT specialist of a Japanese pharmaceutical company, resigned just ahead of a major cutback that made redundant a former supervisor and close friend.
In revenge for his friend's termination, he gained unauthorized access to the computer network using a "back door" he'd installed before his resignation.
The former IT specialist then used the secretly installed software program to delete the contents of each of 15 "virtual hosts" on the pharmaceutical company’s computer network.
These 15 virtual hosts (subdivisions on a computer designed to make it function like several computers) housed the equivalent of 88 different computer servers.
The IT specialist used his familiarity with company’s network to identify each of these virtual hosts by name or by its corresponding Internet Protocol address.
The deleted servers housed most of computer infrastructure, including the company's e-mail and Blackberry servers,
its order tracking system, and its financial management software.

 

The attack effectively froze the company’s operations for a few days, leaving company employees unable to ship product, cut checks, or communicate by e-mail.
The IT Specialist was eventually traced to the IP address of a McDonald's restaurant in Georgia where he'd charged a meal with a credit card
at the time the company’s systems had been hacked. He was sentenced to 41 months in prison and required to pay $812,567 in restitution.

The pharmaceutical company experience demonstrates just a small fraction of the risk of improperly secured computer systems,
and failure to consider the possibility of criminal or terrorist acts by former employees who leave with valued information.
The risk of cyber-access for pharma goes far beyond vandalizing a company's systems,
it potentially spans criminal interest in a company's secret manufacturing and security technology,
as well as providing the gist for political attacks designed to embarrass or damage the pharmaceutical industry.

 

Suppose, for example, a former pharma company IT specialist sells his access information to criminals with economic or political clients:

 

- The access information could be sold to international customers interested in mining the company's R&D computers for unpatented technology or secret manufacturing technology.
  It could steal the company's unpublished adverse reactions reports, tests using laboratory animals, or information on the status of contract negotiations.

 

- The same information could be used to access a company's HR records, where terrorists could find employees with internationally vulnerable families,
  employees who could be blackmailed to steal biologicals or toxins with terror potential, or to reveal technology such as how to produce the three-micron particles
  needed to weaponize agents like anthrax.

 

- Counterfeiters might value knowing the source and composition of proprietary coatings and packaging materials,
  so they can more easily produce fakes capable of escaping detection by the closest visual examination.

 

- Criminals in the raw materials supply chain may wish to exploit knowledge of incoming assay tests so they can subvert those tests by substituting cheap adulterated additives.

 

- Other criminals in the supply chain may wish to learn how to penetrate track-and-trace security, or even the schedule of truck shipments to distant warehouses or wholesalers.

 

The Japanese terror group Aum Shinrikyo, responsible for a 1995 sarin gas attack on the Tokyo subway system,
tried to manufacture anthrax and botulinum toxin from common non-pathologic strains.
They didn't order pathologic forms from lab supply houses because of traceability after an attack.
Today, a terrorist group might use its digital expertise to exploit gaps in a pharmaceutical company's computerized purchase-authorization process
to generate orders for dangerous biologicals, and to intercept those orders in transit,
thus obtaining vastly more potent organisms than the ones the Japanese cult tried to culture and scale up almost 30 years ago.

 

The cyber threat to pharma from terrorist groups are especially troubling, because members have morphed into a software company specializing in security software.
Inadvertent collaboration with terrorist-background individuals might gain valuable information on how major companies and the government protect their secrets.

 

Conclusion: act pre-emptively to prevent.

 

For managers dealing with day-to-day business challenges, the security issues and risks raised here may seem too remote to merit in-depth consideration
and development of action plans.
Since 1982 pharmaceutical industry been even considered as potential vector through which a terrorist group or lone wolf might
inflict death or illness on the general population.
Since that episode, the pharma, cosmetics and food industries have all taken steps to protect their products against field tampering.
However, the industry faces a changed world with different political threats, and new technologies by which terrorists might exploit security gaps.

 

Whether manufacturing brand or generics, solid dosage forms or injectables, every pharmaceutical company should re-evaluate its procedures
to prevent the entry of criminals and others through their HR departments, supply chains, warehouses,
transportation systems, purchasing departments and computer networks.

 

Only formal security Standard Operating Procedures (SOPs) as rigorous as those for quality assurance and GMP,
and which are routinely reconsidered and tested, can reduce the risk of involvement in a potentially fatal imagination failure.