life sciences cybersecurity FDA OT security biopharma breach clinical trial data medical manufacturing GxP

Two Biopharma Breaches in Two Months, and the FDA Warning Behind Them

West Pharmaceutical and Novo Nordisk were breached months apart. Here's the FDA warning behind the pattern, and what life sciences leaders should do now.

centrexIT Team
5 min read

Two Breaches, Two Months, One Pattern

In May 2026, West Pharmaceutical Services disclosed a material ransomware attack in a filing with the Securities and Exchange Commission. Attackers stole data and encrypted systems at a company that makes components used in a large share of the world’s injectable medicines, forcing a global shutdown of manufacturing and shipping while the company recovered. Weeks later, in June, Novo Nordisk reported a security breach that exposed a limited amount of clinical trial information, with certain data copied externally without authorization.

Two of the most recognizable names in biopharmaceuticals, breached two months apart. The specifics differ, but the message does not. This sector is being targeted directly, and the pattern is no longer occasional.

Get the FDA OT Security Guide for Life Sciences

centrexIT has protected regulated and growth-stage organizations across California, Nevada, Arizona, Washington, and Oregon since 2002. We turned the FDA’s operational technology white paper into a practical guide for life sciences leaders.

Download the guide: https://centrexit.com/guides/fda-ot-cybersecurity

Why Life Sciences Sits in the Crosshairs

Attackers follow value, and few sectors hold more of it than life sciences. Clinical trial data, intellectual property, and the manufacturing processes behind a product are exactly the assets that make an organization valuable, and exactly the assets a breach can compromise. The cost reflects it. Pharmaceutical data breaches carry among the highest average costs of any industry, roughly 4.6 million dollars per incident according to IBM’s 2025 report.

The target has also shifted. Manufacturing has become the most attacked critical-infrastructure sector, and ransomware activity climbed sharply through 2025. For a life sciences company, that means the factory floor is now part of the same risk picture as the research lab and the data center.

The Warning the FDA Sent a Year Early

None of this should have been a surprise. In June 2025, the FDA released a white paper titled Securing Technology and Equipment (Operational Technology) Used for Medical Product Manufacturing. It is worth reading for what it is: not a regulation and not a mandate, but a clear signal of where the agency’s attention is heading.

That signal filled a gap. The FDA had spent years setting expectations for the cybersecurity of medical devices themselves. This white paper addressed the missing middle, the environment where those products are made. Its core point is uncomfortable and correct. The operational technology on a manufacturing floor, the programmable controllers, connected systems, and smart equipment, was engineered to keep running, not to defend itself. Much of it does not meet recognized cybersecurity standards by default. You can design a secure device and still put patients at risk if it is produced in a compromised facility.

What the FDA Actually Asks For

The white paper organizes its recommendations into three areas, and each translates into something practical.

  • Technical information exchange. Know what you have. Build a complete inventory of every connected system on the plant floor, including modules embedded inside other equipment, and request a software bill of materials from your vendors so you can trace each component’s security profile.
  • Security standards and compliance. Map your controls to recognized frameworks rather than inventing your own, using NIST, FIPS 140-2/3, and CISA best practices as the shared language between your quality, IT, and OT teams.
  • Security by design. Build protection in. Segment operational technology from IT and from the internet, enforce least-privilege access with strong authentication, and monitor continuously for unusual behavior.

There is a hard part the paper does not shy away from. In a GxP environment, the obvious security move, patch quickly, collides with a real obligation, because changes to validated systems require change control and revalidation. Attackers know regulated manufacturers have a low tolerance for downtime, and they use it. The answer is a risk-based approach: prioritize by exposure, lean on compensating controls like segmentation and monitoring where a patch cannot be applied quickly, and document everything through your existing change process so security work strengthens your quality record instead of threatening it.

What Life Sciences Leaders Can Do This Quarter

You do not need an enterprise budget to respond to this. You need the fundamentals done consistently, and you need to start with visibility, because you cannot protect an attack surface you cannot see. Knowing what is connected, what runs unsupported software, and who can reach critical systems is the foundation for every other step.

From there, the priorities are the ones the FDA named: shrink what is exposed, segment the manufacturing environment, tighten access, and build a patching plan that respects validation. This is where our approach lives. People-First. AI-Amplified. People who understand your GxP obligations make the decisions, and AI gives them the speed and reach to inventory assets, watch OT traffic, and respond faster than an attacker can move.

Get the FDA OT Security Guide for Life Sciences

Our guide covers what the FDA white paper asks for, the patching-versus-validation tension in detail, and a first-90-days plan you can act on. centrexIT is a Biocom California endorsed partner and has served life sciences organizations since 2002. People-First. AI-Amplified.

Download the guide: https://centrexit.com/guides/fda-ot-cybersecurity

Or take the 2-minute cybersecurity assessment: https://centrexit.com/cyber-security-readiness-assessment/

Sources

Found this helpful? Share it with your network.
Written by
centrexIT Team

The centrexIT team brings decades of combined IT expertise, helping San Diego businesses thrive with secure, reliable technology solutions.

Meet Our Team