The worldwide launch of the mass vaccine provides hope that by the summer we will see a glimmer of normality begin to return to our lives. Until then, however, we also have to consider the profound challenges of delivering and managing vaccines at scale. Logistical barriers are well documented, but the cybersecurity risks are much lower and that’s what I want to highlight.
Clinical and regulatory risks
Two areas of particular concern to me. The first is the persistence of old technology (such as workstations and network infrastructure) and unpatched devices that abound in most healthcare systems such as the UK’s NHS. The second is the increased risk profiles associated with networked medical devices that we may refer to as Internet of Medical Things (IoMT) devices. Together, these pose significant clinical and regulatory risks.
For example, a “standard” ransomware attack targeting a hospital or vaccination center, which makes patient management and electronic medical record systems unavailable, may significantly disrupt vaccinations simply because patient details cannot be verified. Take this a step further with a slightly more targeted attack, and you can see pharmacy systems and IoMT devices like drug refrigerators and dispensing tanks get hacked. It will have a more profound effect, as with vaccines that are more sensitive to heat and time, we can see the loss of high-value batches as a result.
Targeted cyber attacks
There is more to this image. If we consider the entire supply chain – we have transportation companies, distributors, manufacturers, and R&D facilities. The truth is, all of these are attractive targets to compromise with opportunistic or more subtle disruptive cyber attacks. I have repeatedly said that attackers are increasingly understanding clinical urgency as a way to get the outcomes they desire, such as ransom payments. Vaccination programs offer an excellent opportunity to benefit from this.
Each device needs to be viewed in a clinical context because its risk profile will change accordingly and we know that more vulnerabilities in exploitable IoMT are being discovered regularly. My team of clinicians recently analyzed a number of these using a series of clinical case studies in Internet of Things Security White Paper. What we need to ensure is that while we plan the logistical challenges of mass vaccination, we include cybersecurity as part of this. The supply chain is as strong as its weakest link, and we cannot afford to delay the vaccination of those at risk or lose valuable vials.
Ultimately, cybersecurity is about patient safety.
Dr. Saif Abed is the founding partner and director of cybersecurity advisory services at AbedGraham.