Mitigating Risk Along the COVID-19 Vaccine Supply Chain

By Troy Ament, field CISO for healthcare, Fortinet
Twitter: @Fortinet

In line with their standard playbook, hackers never let a good opportunity go to waste. As the U.S. undertakes what is probably the largest and fastest vaccine rollout in its history, it’s already been challenged with issues along the supply chain. Rollout of the COVID-19 vaccine has varied across states, and supplies have lagged while some companies try to ratchet up production.

Cybercriminals are also getting their hooks in. From global health organizations to regional healthcare centers, hackers have preyed upon all types of opportunities. Let’s look at why the vaccine and its supply chain are such rich targets and what healthcare IT leaders need to know and do to stay safe.

The risk of expanded remote care
The healthcare sector faced a bevy of new security challenges last year. Pharmaceutical, healthcare and life sciences organizations pivoted to deal with the COVID-19 pandemic by transitioning to telehealth services, creating temporary remote COVID-19 testing sites and developing and manufacturing vaccines. That meant security teams struggled to ensure performance, compliance and security. Many organizations had to revamp their security infrastructure to support these remote users as cybercriminals seized the opportunity to exploit the global health crisis. These attacks will not end in 2021, and healthcare CISOs need to be prepared to address these concerns, as well as whatever else this year has in store for them.

Hackers have also taken notice of the vaccine supply chain and have been looking for vulnerabilities that present opportunities they can exploit.

Healthcare takes a hit – and hackers capitalize on COVID-19
Oftentimes, cybersecurity strategies in the healthcare industry have been driven, at least in part, by compliance requirements like HIPAA. But there are still multiple hurdles to clear within the industry, including a growing threat landscape. Due to the Internet of Things (IoT) and Industrial Internet of Things (IIoT) device integration stemming from OT/IT convergence, the attack surface has greatly expanded. A number of other digital innovations are also contributing to the large number of attack targets available in healthcare, including connected medicine and telehealth, cloud migrations, the massive surge in remote work and the proliferation of endpoints. According to FortiGuard Labs research, web browsers and IoT devices, in particular, continue to be an attractive target for bad actors, and we’ve seen an uptick in attempts to exploit vulnerabilities in parallel with the rise of remote work.

During the past year, the healthcare industry has been hard hit by attacks like ransomware, and the trend shows no signs of stopping – in fact, analysts with Black Book Research anticipate that attacks against this sector will triple in 2021.

Threats to the vaccine supply chain
Cyber-attacks in the healthcare space – and particularly what has happened so far with the vaccine supply chain – carry a great deal of potential danger. It’s not just financial losses that are at stake but patient safety, too.

Hackers are also leaking the information online, sometimes in ways that could sow mistrust in the vaccine. They are also going after technology that helps facilitate and enable the vaccine. In fact, even enabling technology that handles scheduling has been targeted.

Clearly, hackers are creating opportunities for themselves that the healthcare industry must defeat in order to secure the vaccine supply chain.

Managing risk
It becomes increasingly important to have a strong security foundation as networks become more complex and volatile. While it’s true that the CISO can’t control the actions of their vendors’ vendors, they ultimately must take responsibility for the security of the components those vendors give them. Accordingly, CISOs must scrutinize their supply chain and the policies and protocols that govern it.

Developing a supply chain risk management plan is the first step. This defines policies and procedures for dependencies and risks. The plan identifies and catalogs the risks across the system development life cycle, including design, manufacturing, production, distribution, acquisition, installation, operations, maintenance and decommissioning. It then finds solutions to those risks, creating alternatives for every link in the chain that needs them.

One key aspect of addressing risk involves a new way of looking at network security. A recent report by IDG found that healthcare IT leaders, in response to the unprecedented demands now placed on their organizations, are integrating their networking and security strategies to increase the efficacy of both.

As these leaders report a massive surge in the use of IoMT devices and cloud services, network demands – and cyber risks – have increased, as well. Leaders are now more likely to deploy unified strategies that focus on predictability and consistency. They are evaluating solutions like SASE (secure access service edge) and SD-WAN to enable their integration effort. Networking and security are no longer viewed as two competing demands, and complexity is reduced.

Plan well
With the convergence of healthcare and digital transformation, mapped onto a world held in the thrall of a pandemic, the potential damage from attacks on the vaccine supply chain cannot be overstated. The threat to human health and safety has never been higher. The burden of cybersecurity has shifted from guarding sets of ones and zeros to safekeeping the supplies and equipment that help keep humanity alive.

In the midst of attacks all along the supply chain, healthcare IT security professionals must truly work as a team, combining knowledge and skills to defeat attackers at every step. This involves carefully examining that supply chain, creating a risk management plan and then implementing it with all diligence and consistency. There’s far too much at stake to leave even one chink in the armor where attackers could get through.