23 March 2021
Cybersecurity expert Praveen Madhavankutty looks at the risks providers face as they try to keep pace with the swift rollout of the COVID-19 vaccine.
In his inauguration speech on January 20, President Joe Biden promised to “get at least 100 million [COVID-19] vaccinations into the arms of the American people in the first 100 days.” Recent evidence indicates he is on track to reach that ambitious goal.
The rollout of the vaccine in the United States, and elsewhere for that matter, is a ray of light in the darkness of a pandemic stretching beyond its second year. But the sprint to jab American arms comes with some potentially nasty side effects for businesses: It opens the door wider to long-standing cybersecurity risks.
Whether the goal is identity theft, malware infection, or ransomware attack, malicious actors are seizing the moment to probe vulnerable networks as new and established vaccine providers come online and a flood of customers engage with them. In the rush to meet demand, not to mention the President’s goal, cybersecurity standards may be getting short shrift.
Targets are everywhere. Temporary vaccine centers, for instance, as well as pharmacies in retail stores, rely on WiFi-enabled devices to monitor the temperature of vaccine storage units to comply with Center for Disease Control (CDC) guidelines. Connecting those devices to a WiFi network without proper planning of cybersecurity concerns is an open invitation to hackers.
Retail pharmacies, new to the COVID-19 vaccine program, are also in play. With the need to create an appointment system for customers, do these providers develop bespoke systems, or do they buy a third-party vendor’s product right off the shelf? And if they do buy third-party, how secure is that system? Is the vendor compliant with federal patient privacy regulations (known as “HIPAA”)?
Those millions of new customers introduce variables as well. An appointment app installed on a smartphone may help them manage their visits, but what happens if the app is hacked? And what if a customer happens to open a phishing email on his or her personal account that results in identity theft — and by extension unlocks the pharmacy’s network?
Targeting is not just limited to the healthcare space, either. Data storage companies, cloud services, and other businesses that participate in vaccine tracking, also present easy access points to actors with bad intent.
Due Diligence
Clearly, maintaining the pace of the rollout is crucial to turning the page on the pandemic as soon as possible. As more providers set up shop, however, it’s crucial that they take action to secure their networks — and by extension, really, our national infrastructure — prior to coming online.
One starting place is to have a cybersecurity expert review the provider’s systems for compliance and vulnerabilities, and recommend updates, if needed. A provider may already have an IT department or manager on hand, but outside expertise in this fast-moving environment can help with the bigger picture. Understanding the requirements of the CDC, for instance, or HIPAA regulations, while blueprinting the cybersecurity plan, can go a long way to mitigating issues now, with bonus benefits once the pandemic is over and business returns to normal.
Additional cybersecurity support can also relieve weary IT staffs stretched thin.
Due diligence is a must. Looking into the historical performance of a third-party vendor for compliance issues, as well as reviewing liability clauses in a proposed contract, cuts problems off before they develop. Questions include: Does the vendor have cybersecurity insurance? How do they handle customer data? Where are the cybersecurity soft spots?
Stay Focused
From the start of vaccine development efforts in 2020 to the arrival of vials full of medicine beginning last December, bad actors have targeted the vaccine supply chain throughout. As late as February 16 of this year, South Korea’s intelligence agency stated that North Korea allegedly attempted to steal vaccine information by hacking into pharmaceutical company Pfizer Inc.’s network.
Providers would be well advised to keep events like that in mind as they do their part to end the pandemic. Like all of us, they may be in a rush to get to the light at the end of the tunnel, but when it comes to a brighter future and safeguarding our identities, haste makes waste.
For further information, please contact:
Praveen Madhavankutty, Managing Director, FTI Consulting
praveen.madhavankutty@fticonsulting.com
