Ramped-up vaccine rollouts present new security risks
In an effort to get COVID-19 vaccines to as many people as possible, many municipalities and community groups have set up outreach events in nontraditional settings, such as churches, warehouses and parking lots.
While this is a good way to bring the vaccines to those who may have trouble getting them otherwise, some security experts warn that the approach may carry its own risks.
"It's almost not necessarily to do with the mobility" of the vaccinations, "so much as it has to do with the immaturity of the program," said Nicko van Someren, chief technology officer at Absolute Software.
In December, IBM reported that hackers had been taking aim at the "cold chain" needed for the distribution of several vaccines.
And a recently released report from Palo Alto Networks found that vaccine-related phishing attacks rose more than 500% between December 2020 and February 2021.
The push, van Someren said, can make it hard to differentiate between legitimate websites and scammers – especially given the information required to register.
"Name, date of birth, address, sometimes Social Security Number: classic information that an identity thief would find valuable," he said. "And you're being asked to put it into a website that didn't exist two months ago.
"We've gotten all these brand new websites, and they're asking exactly what phishing websites would ask," he continued.
The trove of information that some providers require to track who has been vaccinated also presents a juicy target for bad actors going after mobile clinics, van Someren said.
"If a system has a leak, then there's a lot of dangerous stuff on there," he said. "It's not the end of the world; this isn't going to take down sewer and water systems.
"But it's classic personal information," he continued. "It's classic phishing material."
One issue, van Someren said, has to do with resources.
"I think that historically a lot of medical providers have not gotten a lot of experience with rapidly setting up a satellite location out of the blue, rather than it being a big rollout project," he said.
"If we're just trying to put together a bunch of vans with a freezer, a WiFi hotspot and an uplink, did they go out and buy a whole new firewall setup? Or did they say, 'OK, we're going to open up a set of IP addresses for communication?'" he said.
"Are they using a hastily put-together website or an app that's on an iPad, or are they using some sort of tools that have been through the necessary validation? It comes down to how we go about encrypting and authenticating data transmission, both users and devices."
Van Someren recognizes that these kinds of concerns may not be top of mind for people trying to get shots in arms as quickly as possible.
"I don't want to say, 'Tools down, guys, you can't go out and vaccinate people until you've been through a third-party audit,' because we need to get it out there," he said.
At the same time, the consequences of identity theft could loom large – and be particularly damaging in communities that have already faced economic hardship.
"If I have your email, physical address and date of birth, I can make a fake ID," said van Someren. "Then I can walk into a phone store and do a SIM swap on you, and if you're using SMS-based multifactor authentication, then I can just log into your bank."
Or, there's the potential for healthcare provider fraud, he noted. "If [a bad actor] gets your insurance card details as well as your date of birth, contact details and address, then there's people who will go and get a prescription for 50 Percocet. The long-term consequences can be ongoing."
With that in mind, van Someren advised taking a number of steps – not connecting to a network chief among them.
"If I'm going to run 500 doses out of my church hall, and then the same two people are going to run 500 doses out of a sprinter van, that doesn't need to be network connected," he said.
Instead, administrators can track who received the vaccine on an encrypted device and then upload the information later on a secured network.
"It's not foolproof," van Someren said. "But if that machine is encrypted and has a strong password and has some good standard sanitary security on it, and the data is encrypted, then you've closed off a big chunk of the attack surface."
If people do want to build something at a larger scale, he suggests bringing in the experts.
"There are whole lists of best practices about how to do these sorts of data protection," said van Someren. "There are well-known techniques and toolkits out there for data tokenization and how to build access controls."
Remote tools are also helpful.
"One of the biggest problems with these sorts of scenarios is … if the problem occurs out in the field, then your IT team isn't out there to patch it," he explained.
Other security experts could also step up, in the same way developers around the country have created custom websites to assist with vaccine availability.
"I would love to see the same response from the IT security community that we've seen from the other parts of the community trying to roll out these vaccines," said van Someren.