Supply Chain Risks to the Vaccine Rollout

Former Israeli cyberintelligence instructor Ohad Zaidenberg is all too familiar with the myriad ways that foreign adversaries seize on uncertain times to undermine national security. 

In March 2020, worried that notoriously underprotected healthcare institutions would soon face significant cyberattacks as the world braced for a global pandemic, Zaidenberg co-founded the CTI League, for cyberthreat intelligence. Think of it as a global defense force, a nonprofit using volunteer cybersecurity experts to thwart attacks on healthcare facilities.

“I created the CTI League to take part in this global war against the pandemic and to make sure that nobody would die because of a cyberattack during this sensitive time,” says Zaidenberg. The league’s co-founders also include security leaders Marc Rogers of Okta and Christopher Mills and Nate Warfield at Microsoft.

When COVID-19 first emerged, the idea that anyone would take advantage of such a dire situation to disrupt healthcare might have seemed unfathomable. Yet around the same time, cybercriminal gangs began extorting vaccine test facilities. A significant ransomware attack disrupted operations and delayed surgeries at Brno University Hospital in the Czech Republic, another major COVID-19 testing facility. 

Since the pandemic began, the CTI League has helped numerous hospitals, pharmaceutical companies and suppliers cope with a spiraling security threat from malicious actors targeting the world’s population when it is at its weakest. The league’s message: Healthcare needs to batten down the hatches.

Ransomware rises

Ransomware attacks, which almost always begin with a phishing attempt, have hit the healthcare industry particularly hard with the spread of COVID-19. A 2021 Netwrix survey found that nearly 40% of healthcare organizations faced cloud-based ransomware attacks in 2020, and 32% needed days to discover accidental data leakage and supply chain compromises, leaving them dangerously exposed. Separately, VMware Carbon Black researchers found 239.4 million attempted attacks targeting healthcare organizations in 2020, with an average of 816 attempts per endpoint, or a 9,851% jump from 2019.

Many attacks involved what’s known as “island hopping,” where bad guys build on an attack against one organization to launch secondary infections among other organizations, partners and patients.

The practice is similar to the way in which Russian spies are believed to have pulled off a massive supply chain hack of U.S. government systems in late 2019. Last year, operatives planted code in servers owned by SolarWinds, a major software contractor. That route is similar to a series of cyberattacks thought to have been the work of the North Korean government, which infiltrated companies and governments distributing Pfizer’s coronavirus vaccine. Researchers from the Department of Homeland Security and IBM believe criminals were attempting to steal network log-in credentials from executives and officials connected to the “cold chain” refrigeration storage process for the Pfizer vaccine, which must be kept at a minimum of minus 76 degrees Fahrenheit until shortly before inoculation.

Attacks go crazy

“Healthcare has seen an insane rise in attacks, with many of them originating from the supply chain,” says Marc Moring, director of strategic accounts at Tanium. “If you think about it, the industry is moving away from pens and pads. Everything is going digital. The average healthcare organization, supplier or distributor probably has hundreds of applications being used on thousands of endpoint devices by tens of thousands of users. All those digital instances represent potential targets — opportunities to disrupt the administration of vaccines and other much-needed treatments.”

Moring says attacks against healthcare organizations, suppliers and distributors are likely to intensify and wreak havoc. For example, hackers could potentially reduce the number of vaccine doses that a healthcare provider receives from a pharmaceutical company, say from 1 million to 100, forcing facilities to turn away patients. Hackers could also alter appointment counts to show nobody arriving when, in fact, hundreds are expecting to see doctors or nurses. Or hackers could instruct delivery drivers to transport goods to out-of-the-way locations in hopes that the temperature-sensitive vaccines will spoil.

[Read also: Supply chain security: What should good look like?]

Experts say gangs of cyberthieves looking to seize and sell confidential patient data on the dark web are behind many attacks. As providers rush to get vaccines into as many arms as possible, hackers are luring unsuspecting medical employees and patients into clicking on links and attachments in seemingly innocent phishing emails that launch TrickBot and ransomware like Ryuk to infect organizations.

The threat became so pervasive late last year that the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the FBI delivered a strongly worded warning about “an increased and imminent cybercrime threat to U.S. hospitals and other healthcare providers.”

“It’s not surprising when criminals do cruel things,” says John Pescatore, director of emerging security trends at the SANS Institute. “They’re looking for ways to quickly make money. And whenever there’s a rush, as with getting vaccines out during the pandemic, they know human beings will make mistakes.”

Securing endpoints

Dr. Russell Handorf, a former FBI computer scientist and principal threat intelligence hacker at White Ops, says the logical way for healthcare organizations to increase security would be to evaluate identity and access practices around the millions of endpoint devices they currently deploy.

“It all starts with the endpoint, because that is the storefront to network access,” he says. “You can have firewalls and other security systems spread evenly around your network to build castle walls. But your endpoints are still portals that everyone goes through to get into the castle.”

Endpoints are still the portals that everyone goes through to get into the castle.

Handorf says many organizations concentrate on watching and limiting the traffic that tries to infect endpoint devices through distributed denial of service (DDoS) attacks or Structured Query Language (SQL) injection attacks. But he says the most effective strategic measures nowadays involve validating and granting access to authorized users and blocking the many other unauthorized requests. 

“If I were to be scared of anything right now in healthcare, it would be the risk around the delivery of vaccines and other medications using these endpoints,” Handorf says. “I am confident pharmaceutical companies are taking the right measures to create, ship and track their products. But all it takes is one person to accidentally plug in an insecure laptop for that last mile of delivery to go sideways.”

Practicing security hygiene

Endpoint devices are the soft underbelly of healthcare security. Experts say organizations must have visibility across an integrated IT infrastructure. Good IT security hygiene practices include running behavioral anomaly detection and prevention programs, conducting regular cyberthreat hunting exercises to find compromised systems, and enforcing multifactor authentication that can head off most, if not all, phishing attempts.

Leaders should also update service level agreements (SLAs) with partner organizations, setting levels of information security, notification, and response processes when incidents occur, and then defining the consequences of noncompliance. These SLAs should not only apply to the traditional supply chain but also to the often forgotten information supply chain, including outside lawyers, marketing firms and other vendors that hackers often target.

[Read also: IT hygiene begins with asset discovery and inventory]

Pescatore agrees with the importance of mandating security requirements across the supply chain. But he says healthcare and pharmaceutical organizations must also make sure they’re also doing the right things. 

“It’s not enough to push out the highest possible security requirements you can think of if you’re not following them yourself,” he says. “If you’re not, you are the weak link in the chain. You first have to secure your own house. And then you can start looking at suppliers in order to bring them up to your level.”