Vaccine distribution pipeline faces serious cybersecurity risks
The looming rollout of COVID-19 vaccines has sparked hope among frontline workers, at-risk patients and members of the public.
But the numerous steps involved with the distribution process and the heightened urgency around that process have also presented a big target for bad actors.
"We have history in building drug supply chains, but this is going faster, going wider," said Nicko van Someren, chief technology officer at the Absolute Software endpoint defense platform.
"We're trying to get this out to [hundreds of millions of] people across the United States," van Someren explained. "Which means that people are going to be hasty. And haste is never a good thing."
Hackers have already begun taking aim at the vaccines' so-called cold chain – the organizations involved in their necessary sub-zero storage and transport.
As van Someren pointed out, the transport boxes for the vaccines have been equipped with GPS trackers, which could be vulnerable (especially if they've been spun up quickly).
"I have more confidence in the integrity of the vaccine approval process than I do in the security of the control systems used for the tracking," he said.
For that kind of system security, he said, "we need to engage the sorts of security experts who have been looking at industrial control systems, environmental monitoring systems. These sorts of broad IOT systems."
"People understand how to build these systems" in secure ways, he said, "But the question is: Have the people distributing vaccines engaged [those] people who know how?"
"If I [were] a foreign power, then destroying the vaccine by ensuring these freezers don't freeze properly would be an effective tool for damaging your enemies," he said.
"We track trends very carefully and have processes in place to identify threats to the legitimate supply chain," said a Pfizer representative via email in response to Healthcare IT News' questions about cybersecurity protocols.
"For our COVID-19 vaccine we have developed detailed logistical plans and tools to support effective vaccine transport, storage and continuous temperature monitoring. Patients should never try to secure a vaccine online – no legitimate vaccine is sold online – and only get vaccinated at certified vaccination centers or by certified healthcare providers," the representative continued.
Moderna did not return a request for comment by press time.
Once the vaccine actually gets into the hands of distributors, van Someren said, an additional issue arises: the security of devices that health systems may be using to track who's getting the vaccine.
Although distributors tapped by the federal government have largely kept mum about the specifics of any electronic health record integration – possibly because it's too soon to tell – van Someren flagged the importance of ensuring that clinicians who go into the community protect their edge devices.
"We're opening up a wider selection of connectivity, and it's all going to be remote, more than usual," he said. "We're not used to the fact that we're going to have to get this out to every rural community. We're trying to get this [distribution net] very, very wide."
"I have more confidence in the integrity of the vaccine approval process than I do in the security of the control systems used for the tracking."
Nicko van Someren, Absolute Software
Nigel Thorpe, technical director at the enterprise security firm SecureAge, said that he saw two potentially disastrous cybersecurity angles with regard to vaccine distribution: targeting by foreign actors and targeting by cybercriminals.
"Your cybercriminal is looking at a nice ransom opportunity: If they can come in with these reported spear phishing campaigns, once they're on the corporate network, they can release some form of malware and do some damage," said Thorpe.
Thorpe also alluded to the scope and speed of vaccine distribution as compelling elements for bad actors.
"Clearly all that information [about patient distribution] is going to be recorded," he said. "That data is going to be stored somewhere. And any piece of data, no matter how inconsequential it might be, is a useful thing for a cybercriminal."
As the IBM researchers who uncovered the spear phishing campaign targeting the vaccine cold chain noted, inside knowledge about vaccine transport plans could be of enormous value on the black market. And more advanced insights into the "purchase and movement of a vaccine that can impact life and the global economy is likely a high-value and high-priority nation-state target."
In terms of ransomware, knowing that billions of dollars have been poured into the supply chain might make potential marks seem more willing to fork over money in exchange for unlocking their systems, said Thorpe.
Earlier this year, UCSF paid hackers $1.14 million after a ransomware attack. Many surmised it was because the encrypted data was critical to ongoing vaccine development work.
"Cybercriminals will have an interest in putting a gun to your head and saying: 'You've got 960 doses sitting in freezer boxes, and you can't use any of those until you pay me some money,'" said van Someren.
In one worst-case scenario, he added, "We could essentially have a denial of service, where, if I put ransomware on your machine, you probably can't vaccinate people safely until I unlock your machine. I'm essentially holding your health ransom."
"Those sorts of attacks are things we should expect, anticipate and try to preempt," he continued.
As far as protection goes, experts say staff training is paramount.
"This is a great (and possibly tragic) example of how important it is for a company to ensure their supply chain partners have security training programs in place that educate their employees on how to spot suspicious emails and phishing attempts," said Brenda Ferraro, former Aetna Meritain CISO and current VP of third-party risk at Prevalent, via email.
"More important here would be to validate the presence and application of those controls by using continuous monitoring of cybersecurity activity such as the leaked credentials being posted on paste sites or one of these supply chain partners being talked about on dark web forums, etc.," she added.
Thorpe advised not allowing unauthorized processes to run and implementing zero-trust networks, and extending that zero trust into the data itself.
And van Someren said it's vital to actively maintain critical safety systems.
"For a lot of things, it's the up-to-date anti-malware; it's continuous assessment of your machine being in good shape; it's continuous patching of these devices," he said. "These are all the standard things that we want to do, we just have to make sure we can do them in a distributed disconnected environment."
Ultimately, "in the healthcare business, the financial sector, electricity or gas distribution business, we ought to be having smart security folks being engaged to put together lists of where the gaps might be," he said, "and what mitigations we should be taking so people have a systematic way to [understand] where they might have vulnerabilities."