Life Sciences CIO Weekly Digest – Week of Feb 9–15, 2026

(Tight 6–8 minute read, with source links for deeper exploration.)
Research conducted and compiled with Perplexity and Claude AI.
Welcome back. This week, four threads converged that every life sciences IT leader should be tracking: the ransomware threat against life sciences organizations became more precisely defined — with two groups now specifically targeting the sector — and independent data from Health-ISAC and Trellix confirmed 2025 was a record year; the FDA-EMA joint AI principles moved from policy statement to practical implementation pressure via analysis from RAPS and pharma-specific trade publications; boards of directors are now formally demanding AI governance accountability from CIOs; and the regulatory clock ran out on one compliance item today — with a new enforcement authority activating alongside it.
🤖 AI & Data
FDA-EMA Joint AI Principles Gain Practical Teeth
The January 14 joint release of the Guiding Principles of Good AI Practice in Drug Development by FDA and EMA has now been analyzed by the regulatory affairs community, with RAPS and Applied Clinical Trials providing the most substantive breakdowns for pharma and clinical research teams. The consensus: while not yet binding, these principles will directly shape inspection questions, pre-submission expectations, and submission standards on both sides of the Atlantic. Regulators will specifically ask how your AI systems document data provenance, how models are validated and re-evaluated over time, and how human oversight is maintained. Pharmaceutical Technology notes the principles explicitly address the "shadow use" problem (analysts already using LLMs for daily work while leadership looks the other way) and call for data scientists to be integrated with clinical leads throughout the drug development lifecycle.
The guidance covers the full AI lifecycle, from early R&D and clinical trials through manufacturing and post-market surveillance, and applies not just to sponsors but to CROs, CMOs, software vendors, and any partner that designs, deploys, or relies on AI in regulated work. For CIOs, the practical implication is clear: if your AI governance framework doesn't yet address data lineage, model transparency, cybersecurity controls, and documented human oversight, this week's regulatory analysis has raised the urgency. Early alignment is now described as a strategic advantage for regulatory interactions, not just a compliance exercise.
Moves to consider: Commission a gap assessment of your current AI governance framework against the 10 FDA-EMA principles — specifically on data provenance documentation, model lifecycle management, and GxP alignment. Identify which vendors and CRO/CMO partners need updated agreements to reflect these expectations before they harden into formal guidance.
Deloitte Quantifies the Agentic AI Divide — And the Gap Is Widening
A new Deloitte report published February 10–11, based on surveys of 100 health care technology executives and focus groups with 35 agentic AI leaders, identifies a clear and accelerating divide between organizations acting on agentic AI and those watching from the sidelines. Key findings: 85% of leaders plan to increase agentic AI investment over the next 2–3 years; 61% are already building or implementing initiatives; 98% expect at least 10% cost savings. The more important number: only 37% expect savings above 20% — suggesting most organizations are still capturing efficiency gains rather than the deeper operating model transformation that drives competitive advantage.
The report identifies what Deloitte calls the "watcher paradox": large organizations (over $5B revenue) are leading as early adopters prioritizing multi-agent solutions (82%), while smaller organizations strongly prefer point solutions (92%) and anticipate lower ROI. For life sciences CIOs — many of whom sit at mid-sized biotechs and emerging companies — this is a strategic warning. The performance gap between early adopters and watchers is not closing. It is widening.
Moves to consider: Honestly assess whether your organization is an early adopter or a watcher. If you're running point solutions with no multi-agent strategy, use this data to frame the conversation with leadership. The window to close the gap is narrowing, and the organizations pulling ahead are doing so on governance and operating model design — not just technology procurement.
⚖️ Regulatory & Policy
February 16 Is Here: NPP Deadline and What Comes Next
Today is the compliance deadline for updated Notices of Privacy Practices under the 2024 HIPAA Part 2 Final Rule. If your organization creates, receives, maintains, or transmits substance use disorder records, your NPP must be updated as of today — covering patient rights, SUD-specific use and disclosure limitations, and single-patient consent options. Critically, today also marks the date OCR's enforcement authority over Part 2 SUD records goes live: as of February 16, individuals can file complaints directly with OCR, breach notification requirements apply, and civil monetary penalties are now available. As the HIPAA Journal notes, HHS has not yet published updated model NPP templates — meaning organizations that waited for guidance are already behind. The signal today is not the deadline itself but whether your team executed, and whether your privacy officer is prepared for the new enforcement environment.
Looking ahead, the larger regulatory event on the horizon is the HIPAA Security Rule overhaul, expected to be finalized in May 2026. The proposed changes are significant: elimination of the "addressable vs. required" distinction (making all safeguards mandatory), mandatory MFA across all system access points, encryption of ePHI at rest and in transit, annual compliance audits, vulnerability scans at least every six months, annual penetration testing, 72-hour restoration requirements for critical systems, and a requirement that business associates notify covered entities within 24 hours of activating their contingency plans. One additional development this week: Colorado's AI law, which would classify certain healthcare AI systems as high-risk and subject them to governance and disclosure requirements, had its effective date postponed from February 1 to June 30, 2026, providing a brief window for organizations operating in that state.
Moves to consider: If you haven't started a gap assessment against the proposed HIPAA Security Rule requirements, the May finalization window — and likely 6-month compliance period — makes now the right time to begin. Prioritize MFA coverage, encryption at rest, and BAA updates requiring vendor verification of technical safeguards. Don't wait for the final rule.
🔒 Cybersecurity & Risk
2025 Healthcare Ransomware Was a Record Year — And Life Sciences Is a Named Target
Two independent industry reports released in the first two weeks of February put the life sciences ransomware threat in sharp relief. Health-ISAC's 2026 Global Health Sector Threat Landscape report (published by the sector's own information sharing organization rather than a security vendor) documents 190 ransomware attacks against health sector organizations in Q4 2025 alone, the highest quarterly total of the year, with health-sector-specific incidents rising 21% year over year. Total cyber incidents across all sectors surged 55% in 2025, and the security professionals surveyed ranked ransomware as the number one threat to healthcare organizations.
The Trellix Healthcare Cybersecurity Threat Intelligence Report, based on 54.7 million actual detections in healthcare environments in 2025, adds critical depth. The defining trend of 2025 was what Trellix calls the "cascading effect" — disruptions to administrative or non-clinical systems triggering chain reactions that paralyze operations across entire organizations. Phishing remained the primary initial access vector (89% of incidents), with attackers increasingly using AI transformation and regulatory compliance themes to target IT administrators. Most directly relevant for biotech and biopharma CIOs: Trellix identified Sinobi as an emerging ransomware group in 2025 specifically targeting biotechnology firms and specialized life sciences companies. And a 300% increase since 2023 in extortion-only attacks — bypassing corporate insurance and legal teams by demanding $50–$500 directly from individual patients — signals a threat model shift that clinical data custodians need to understand. For broader context, BlackFog's 2025 State of Ransomware report estimates that approximately 86% of ransomware attacks are never publicly reported, putting the actual dark web victim count at 7,079 in 2025 — nearly six times higher than disclosed figures.
Moves to consider: Use the Health-ISAC and Trellix data to reframe your board threat briefing — public incident counts dramatically understate actual sector exposure. If you operate in or partner with biotech research organizations, treat Sinobi as a named threat to brief your security team on specifically. Audit your third-party risk program for vendors with access to clinical, manufacturing, or regulatory data, and assess phishing simulation programs against AI-themed and compliance-themed lure scenarios.
NightSpire and Sinobi: Two Ransomware Groups Now Specifically Targeting Life Sciences
The Trellix report and current threat intelligence converge on a pattern that should concern life sciences CIOs directly: ransomware groups are increasingly specializing by sector. Two groups warrant specific attention this month. Sinobi, identified by Trellix as an emerging 2025 threat actor, is specifically targeting biotechnology firms and specialized life sciences companies — making it one of the few ransomware groups with a defined focus on the sector rather than opportunistic targeting.
NightSpire, active since March 2025, is the other group to brief your security team on. According to SOCRadar's threat intelligence profile, the group has been actively exploiting CVE-2024-55591 as its primary initial access vector. That CVE is an authentication bypass in the management interface of FortiOS and FortiProxy that was exploited in the wild as a zero-day before Fortinet shipped fixes in January 2025; a successful exploit grants super-admin privileges on internet-facing Fortinet VPN and firewall appliances, so the attacker owns the perimeter device before any endpoint is touched. NightSpire's operational model combines double extortion (encryption plus threatened data release) with aggressive 2-day payment deadlines designed to prevent organizations from engaging legal counsel or insurers before the pressure escalates. The group has claimed victims across healthcare, manufacturing, and professional services in the U.S. and internationally. For life sciences organizations, the risk is compounded by the fact that CROs, CDMOs, and research partners, which hold some of the most sensitive clinical and IP data in your ecosystem, frequently run smaller security teams with less mature patch cadences than their sponsor clients.
Moves to consider: Verify immediately that all FortiGate and FortiProxy appliances in your environment, and in your critical vendors' environments, are running a fixed release for CVE-2024-55591. Where a unit cannot be patched promptly, apply the vendor advisory's workaround: disable the HTTP/HTTPS administrative interface on internet-facing interfaces, or restrict it to trusted management addresses with local-in policies. Because the flaw was exploited as a zero-day, treat any appliance that was exposed unpatched as potentially compromised: patching alone does not undo an attacker's super-admin session, so review admin login logs, look for unexpected administrator accounts or configuration changes, and rotate the device's credentials and any VPN secrets it holds. If your threat intelligence program doesn't include named group tracking for Sinobi and NightSpire, add them now. Review your CRO and CDMO contracts for cybersecurity incident notification timelines and data recovery obligations. If your TPRM program relies on annual questionnaires, current threat activity is the case to accelerate continuous monitoring.
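The two checks above (is the firmware fixed, and was the management interface abused) are concrete enough to script. The following is an added example written for this digest, not code from SOCRadar, Fortinet, or the reports cited here. It assumes the affected/fixed version boundaries published in Fortinet's PSIRT advisory for CVE-2024-55591 (FortiOS 7.0.0 through 7.0.16 fixed in 7.0.17; FortiProxy 7.0.0 through 7.0.19 fixed in 7.0.20 and 7.2.0 through 7.2.12 fixed in 7.2.13; confirm against the advisory before relying on it), a hypothetical management-network allowlist, and a few constructed FortiOS event log lines modeled on the advisory's published indicator, in which attacker logins appear with `ui="jsconsole"` from loopback or arbitrary public source addresses.

```python
import ipaddress
import re
import shlex

# Fixed releases per branch, as published in Fortinet's advisory for
# CVE-2024-55591 (reproduced here; verify against the vendor advisory).
# Branches not listed (e.g. FortiOS 7.2 / 7.4) are not in the affected set.
FIXED_BY_BRANCH = {
    ("FortiOS", (7, 0)): (7, 0, 17),
    ("FortiProxy", (7, 0)): (7, 0, 20),
    ("FortiProxy", (7, 2)): (7, 2, 13),
}

VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract (major, minor, patch) from strings like 'v7.0.16 build0667'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(product, version_text):
    """True if this product/version is below the fixed release for its branch."""
    major, minor, patch = parse_version(version_text)
    fixed = FIXED_BY_BRANCH.get((product, (major, minor)))
    if fixed is None:
        return False
    return (major, minor, patch) < fixed


def audit_inventory(inventory):
    """inventory: iterable of (hostname, product, version_text). Returns the unpatched ones."""
    return [(h, p, v) for h, p, v in inventory if is_affected(p, v)]


def parse_fortios_log(line):
    """Split a FortiOS key=value event line into a dict; values may be double-quoted."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


# Hypothetical: where your administrators legitimately connect from.
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]


def suspicious_jsconsole_logins(lines, mgmt_nets=MGMT_NETS):
    """Flag successful admin logins via jsconsole whose source is loopback or outside mgmt nets.

    Returns a list of (user, srcip, profile) tuples for each flagged line.
    """
    hits = []
    for line in lines:
        f = parse_fortios_log(line)
        if f.get("logdesc") != "Admin login successful" or f.get("ui") != "jsconsole":
            continue
        src = ipaddress.ip_address(f.get("srcip", "0.0.0.0"))
        if src.is_loopback or not any(src in net for net in mgmt_nets):
            hits.append((f.get("user"), str(src), f.get("profile")))
    return hits


# Constructed sample data (not real devices or real logs).
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "v7.0.16 build0667"),
    ("fw-edge-02", "FortiOS", "v7.0.17 build0682"),
    ("fw-core-01", "FortiOS", "v7.4.5 build2702"),
    ("proxy-dmz-01", "FortiProxy", "v7.2.12"),
]

SAMPLE_LOGS = [
    # Attacker pattern: jsconsole login from an arbitrary public address.
    'date=2025-01-10 time=03:14:07 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" '
    'srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success" reason="none" '
    'profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"',
    # Normal GUI login from the management network.
    'date=2025-01-10 time=08:02:11 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="netops" ui="https(10.10.0.5)" method="https" '
    'srcip=10.10.0.5 dstip=10.10.0.1 action="login" status="success" reason="none" '
    'profile="super_admin" msg="Administrator netops logged in successfully from https(10.10.0.5)"',
    # jsconsole login from the management network: legitimate console use, not flagged.
    'date=2025-01-10 time=08:05:40 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="netops" ui="jsconsole" method="jsconsole" '
    'srcip=10.10.0.5 dstip=10.10.0.1 action="login" status="success" reason="none" '
    'profile="super_admin" msg="Administrator netops logged in successfully from jsconsole"',
]

if __name__ == "__main__":
    for host, product, version in audit_inventory(SAMPLE_INVENTORY):
        print(f"UNPATCHED  {host}: {product} {version}")
    for user, src, profile in suspicious_jsconsole_logins(SAMPLE_LOGS):
        print(f"SUSPICIOUS jsconsole login: user={user} srcip={src} profile={profile}")
```

Run the inventory check against the version strings your asset inventory or the appliances' own `get system status` output reports, and run the log check over exported event logs for the window during which each device sat unpatched and internet-exposed. A hit on the log check is an incident trigger, not a ticket: the profile field in those lines is `super_admin`, which is exactly the access the CVE grants.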
💡 Editor's Perspective
Governance is now the competitive differentiator. Whether it's AI pilots failing at 55% due to data quality, the FDA-EMA principles now being read by the regulatory affairs community as a preview of inspection expectations, or Deloitte's watcher paradox showing the gap widening between leaders and followers, the pattern is consistent. The CIOs who will lead in 2026 aren't the ones moving fastest. They're the ones who built the governance foundation first. CIO.com put it directly: boards are now separating organizations into "AI-trusted" and "AI-opaque" categories, and the distinction drives valuation, regulatory standing, and customer trust.
The ransomware iceberg is now quantified — and biotech is a named target. Health-ISAC and Trellix both confirm 2025 was a record year for healthcare ransomware, with Q4 hitting the highest quarterly volume of the year. The Trellix finding that a new group, Sinobi, specifically targets biotechnology firms is the kind of subsector-specific signal that should be in every biotech and biopharma CIO's board briefing. This is not a general healthcare risk update. It is a named threat to your segment of the industry.
The compliance clock has two hands. Today's NPP deadline is one. May's HIPAA Security Rule finalization is the other. CIOs who treat each as a discrete back-office compliance task will be caught flat-footed. Those who treat them as an integrated infrastructure initiative — MFA, encryption, vendor management, BAA updates, audit readiness — will be better positioned when enforcement begins.
The agentic AI divide is real and accelerating. Deloitte's watcher paradox is the most important strategic signal this week for mid-sized life sciences CIOs. If your organization is running point solutions while larger peers build multi-agent infrastructure, the gap is not closing on its own. The window to shift from watcher to early adopter is narrowing — and it requires operating model decisions, not just technology ones.
🔗 Top 5 Must-Read Links
FDA-EMA Guiding Principles of Good AI Practice — EMA Primary Release — The primary source document from the regulators themselves. Read this before any secondary analysis — it defines what sponsors, CROs, and authorization holders are expected to align with.
RAPS: EMA and FDA Issue Joint AI Guiding Principles for Drug Developers — The Regulatory Affairs Professionals Society breakdown. Best single source for understanding the practical implications across pharma, biotech, and clinical research operations.
Deloitte: AI Divide in Health Care — Agentic AI Report — The watcher paradox data and early adopter vs. watcher framework, with direct implications for where mid-sized life sciences organizations sit in the competitive landscape.
Health-ISAC 2026 Global Health Sector Threat Landscape — The sector's own threat intelligence organization on the Q4 2025 ransomware surge. More authoritative for board briefings than vendor-published statistics.
Trellix 2025 Healthcare Cybersecurity Threat Intelligence Report — Based on 54.7 million actual detections in healthcare environments. Key for life sciences: the identification of Sinobi targeting biotech firms, the cascading disruption pattern, and the patient extortion trend that bypasses traditional enterprise defenses.
Ready to go beyond the headlines?
The Life Sciences CIO Community is where IT leaders come together for real conversations about the challenges behind the news. Connect with trusted peers who understand the unique balancing act you face — driving innovation while navigating regulatory guardrails and protecting your organization.
Join us for regular community sessions where we dig into the developments that matter most, share what's actually working, and support each other through the rapid pace of change.
This digest is an interpretive summary of publicly available information and does not constitute legal, regulatory, cybersecurity, or investment advice. Developments in AI, cybersecurity, and regulatory policy evolve rapidly; consult qualified legal, compliance, and security professionals before making decisions based on information contained herein.
Until next week,
Joe Miller
Founder, Leadership Inklings
