Can Healthcare Mitigate Risks to the COVID-19 Vaccine Supply Chain?

February 05, 2021 - As the world races to vaccinate its citizens, providers, hospitals, and research teams have rapidly deployed technologies to support the COVID-19 response. In turn, cybercriminals are preying on the thinly stretched supply chain with swaths of cyberattacks and fraud schemes to steal valuable data and make a massive profit.

The US and other countries have already seen the damage these attackers can cause, from modifying data to manipulating appointment scheduling. The World Health Organization, several COVID-19-related research firms, and even the EU Medicines Agency (EMA) have already been targeted.

The successful attack on EMA led to the exfiltration, leak, and modification of vaccine data from Pfizer and BioNTech. It’s perhaps the clearest example of just how far cybercriminals will go to impair public trust and reap financial rewards.

The threat landscape appears bleak but becoming a victim of these crimes does not need to be inevitable for healthcare providers.

“As the COVID-19 vaccine rollout continues, there is a need for organizations to step up to take increasingly proactive measures to protect the security of the vaccine,” said Kevin Self, senior vice president of strategy, business development, and government relations at Schneider Electric.

“Technology and data play a significant role: maintaining stable environmental conditions and providing backup power for critical applications, for instance, is key,” he added.

To get a sense of what’s at stake and what can be done, HealthITSecurity spoke with Self, Synopsys Software Integrity Group’s senior security engineer Boris Cipot, , co-founder and CTO of Reblaze Tzury Bar Yochay, and CEO of SecZetta David Pignolet too address a range of supply chain risks.

The Risk of Rapid Deployment

COVID-19 has spurred the rapid adoption of technologies needed to support the global response, from telehealth to communication platforms used in temporary care sites. The vaccine rollout has only furthered the stretch of non-traditional technologies to ensure quick adoption, as time is of the essence.

The Department of Health and Human Services has issued a number of enforcement discretions for these care sites, telehealth, and nontraditional technologies not covered by HIPAA. While important for speed, using these platforms can pose significant risks to patient data.

“These platforms were implemented in haste, given the need for rapid response,” Pignolet said. “During normal deployment, security is the cornerstone. It hasn’t been put aside in the current rollout, but they’re using a lot of outside resources to execute the function of these apps.”

“It’s an overwhelming process with patients and patient care,” he continued. “It’s a rush-job. With all of these outside resources, it’s likely that many did not do their due diligence. Yes, security is in mind, but it’s more important to get the tests and vaccines out.”

But many of these rapidly deployed technologies contain protected health information, billing details, and insurance data. Pignolet explained that with the current threat landscape, this data is highly desirable.

“There’s no way you can’t afford security. It’s an effective piece of the system.”

To Yochay, the phenomenal volume of vaccines has led to many of these entities thinking outside the box in terms of the best tech to use -- and not always for the better. For example, some providers are leveraging sites like EventBrite to ease appointment scheduling.

While the sites can support the urgency and necessity involved with the vaccine rollout, these technologies are not designed for this type of sensitive information.

“Aside from the honest mistakes and not enough resources to comply, these circumstances are creating all sorts of fraud-related incidents,” Yochay explained. “The organizations should not use ad-hoc technologies, facilities, and platforms they haven’t used before.”

“Putting together a platform to create vaccine queues shouldn’t be that big of a deal tech-wise,” he continued. “Jumping online and seeing what’s already available [for scheduling purposes], without thinking hard about the consequences, should be avoided.”

It’s hard to put together a secure system, but it’s better to use a secure system than one that is simply easy to use, he explained. Entities should be more conservative in the tech they use, as it’s “better to be safe, than cool.”

Cyber Risk Mitigation

Throughout the global pandemic, hackers modified their attack methods to prey on coronavirus fears through scams, phishing, and other schemes. With the vaccine rollout, attacks on healthcare web apps have increased by 51 percent.

Overall, cyberattacks on healthcare have increased 45 percent since the start of vaccinations, according to Check Point data. Many of these attacks are led by nation-state actors, while everyday hackers are continuing to leverage phishing campaigns and ransomware to take advantage of a weakened system.

To Cipot, the global vaccine shortages and rollout delays have amplified the opportunities for cyberattacks. The most common attack strategies employ phishing scams through email and text, as these campaigns are easy to carry out and hackers can target many potential victims at once.

Social engineering attacks, including malicious phone calls, are also on the rise, with hackers attempting to steal personal information under the guise of scheduling vaccination appointments.

Cipot added there’s also a large number of fake vaccine registration sites, which are designed to steal personal data from unsuspecting victims.

“It’s a good sign to see major efforts globally notifying the public to be on alert for such threats,” Cipot said. “It’s important for individuals to remain alert and only coordinate vaccine appointments with legitimate governmental or medical institutions.”

“The biggest concern with these scams is that they’re opportunistic by nature,” he added. “Cyberattackers exploit the fear and urgency that the public is feeling currently, appealing to target victims under the guise of wanting to help them. In the case of COVID-19, the awareness and concern is worldwide; thus, giving cyber-attackers massive potential to achieve a level of statistical success.”

While these threats are similar to those seen in the past, the sheer volume of attacks and persistence of attackers must be taken into account and entities cannot allow known vulnerabilities to remain unaddressed.

"Security is an expense many organizations are remiss to pay, but it’s like having insurance: an evil necessity. "

Unfortunately, social engineering calls, emails, and text messages can be incredibly difficult to identify by the general public, explained Cipot. And there’s no standardized way to fight these attacks, even with advanced spam filters.

Further, those entities tasked with the vaccine rollout cannot neglect open source components, which are often overlooked. Cipot stressed that neglecting these vulnerabilities can leave serious security gaps in software, which can easily be leveraged by attackers.

“The most effective way to fight such attacks is by educating and alerting the population of the legitimate process through which to get the vaccine,” he said. “Notifying the public about the correct processes and timelines limits cyber-attackers using uncertainty to their advantage.”

“As with every supply chain, attackers prey on the weakest link,” Cipot added. “The attackers will usually try to identify the technology their target is using, this includes hardware and software. As such, making sure that all devices are patched and up-to-date with the latest updates is crucial.”

To Yochay, entities should reaffirm that data collected for vaccines are being stored, processed, and analyzed in systems secured using industry standards. Bot management tech is also important, which can detect and prevent automated attacks used to harvest data from millions of patients.

Those using temporary care sites and other extensions of their clinics, must employ better security measures to prevent further incidents.

For example, use of the cloud and appropriate segmentation can ensure that communication ports are only open for whitelisted or authorized IP addresses, he explained.

Cleaning up neglected endpoints on rapidly adopted technologies will be a large undertaking, but it will be necessary to ensuring the security of these data troves. Pignolet explained entities should go back in and manage access controls and authorization data, which will be key in getting control of authentication risks.

Entities should assess the tools used for data collection and ensure its authentication means are effective in terms of onboarding new staff, vendors, and others interacting with patient data.

“If we have that authoritative data in a single, centralized source, entities can tie access back to its source. Account management can’t be an afterthought,” he noted. “There’s no way you can’t afford security. It’s an effective piece of the system.”

“Hospitals without security leaders are going to put the entire business at risk, including regulatory fines,” he added. “Security is an expense many organizations are remiss to pay, but it’s like having insurance: an evil necessity. But if you have a good security program, with an automated process, it can be a business enabler.”

Patient Communication

In the early days of phishing, sites like PayPal and Google would send notices to users about what to expect in terms of communication to support individuals in avoiding fraud attempts. Yochay noted that healthcare entities should get ahead of these threats in a similar fashion.

"Industrial IoT-connected devices enable predictive analytics that reduce delays and downtime."

Sending a protocol to patients on what to expect in terms of vaccines and testing can help in reducing the number of successful fraud attempts. Cipot explained that patients should be informed of the need to remain alert and to only coordinate vaccine appointments through legitimate government or medical facilities.

Messages sent to patients could include language such as, “if you’re contacted directly by those claiming to be vaccination officials, understand that they will not ask you for payment information, login credentials, or similar sensitive information over the phone or by email,” he said.

Further, “do not send them any copies of your ID or passport in order to validate your identity. If you have any doubt, ask to call them back — do so by gathering contact information from the credible website.” 

Patients should be similarly informed to “avoid fake webpages, do not click on links in emails, but rather open your browser and go to the web page of your vaccination center,” Cipot said.

Physical Threats to Vaccine Distribution Supply Chain

To understand how to defend healthcare’s vast supply chain, it’s imperative these entities understand both what’s at stake and how to prioritize securing the enterprise.

As Self noted, supply chain threats include both physical and cybersecurity.

“As we’ve seen in recent news, the seemingly simplest of errors are happening -- such as refrigerators losing power or becoming unplugged -- and they’re having detrimental effects on the rollout,” Self explained. “There have even been instances of direct tampering or interference from conspiracy theorists.”

“We’ve also seen time and time again that issues arise around logistics and transportation delays, which impact the vaccine’s shelf life,” he added. “At the center of the rollout is technology and during each of these instances the vaccine is vulnerable to attack.”

To prevent these issues, entities should pay attention to the physical space where vaccines are manufactured, transported, and administered, which is critical to operation continuity. Self added that the end destination for the vaccine is also an important factor. Health centers need to have the proper infrastructure to support storage and security.

These elements should include reliable power and building controls. Self explained that power distribution equipment will keep freezers, medical equipment, and IT infrastructure supplied with clean, reliable electricity, while building management systems can monitor environmental conditions and temperatures and send alerts when those set conditions deviate.

Access systems will aid in monitoring and controlling who is entering freezers and storage rooms, he added.

“As much as technology plays a huge role, there are also human elements that should be addressed and incorporated to further reduce the potential for risk,” said Self. “Clearly defined protocols for personnel, such as ensuring all handoffs are made appropriately and educating each person on the end to end required distribution process, could go a long way in ultimately protecting the vaccine and getting it more efficiently into more individuals.”

“Traceability and regulatory compliance is another important factor,” he added. “Public health authorities should look towards data management solutions to label and track batches across their distribution journey. Industrial IoT-connected devices enable predictive analytics that reduce delays and downtime.”

Healthcare entities should also review resources from NIST, Microsoft, Europol, and HHS to ensure they’ve employed the needed privacy and security measures to prevent joining the ever-expanding list of healthcare cybercrime victims.