The world was already relying heavily on online interactions when the COVID-19 pandemic hit. However, the pandemic and stay-at-home mandates accelerated the trend towards a virtual lifestyle. The increased activity on virtual devices opened new doors for cybercriminals. According to the FBI, cyberattacks have surged by 400% during the pandemic. 

In the healthcare industry cybercrime has been a steady and increasing problem. In the beginning of the pandemic, cybercriminals ran ransomware attacks on hospitals and other healthcare providers to steal research and patient care data to sell on the Dark Web. Now, as the vaccines are rolling out, they are targeting the vaccine supply chain. 

Targeting of Vaccine Supply Chain 

Recent reports form Recorded Future show that attackers are expanding their focus from vaccine makers to include companies within the vaccine “ecosystem.” The main targets are the essentials needed to get the vaccine out, like cold storage and logistics facilities. In December 2020, IBM uncovered widespread phishing operations that targeted employees of trucking, rail, and cold storage companies. Attackers, criminal and state-sponsored, are seeking patient data of people who have been vaccinated, tested, or those who participated in the vaccine trials. They hope to get money from companies by threatening the release of private data and by hindering vaccine rollout. Another major concern is that scammers are getting health information and financial information from victims by offering them “early access” to the vaccine or selling fake ones. 

These attackers pose real threats to both companies and their customers in the healthcare sector. Therefore, it is crucial that companies run risk assessments and implement strong security protocols to protect their vaccine supply chains. 

Top Risks for the Vaccine Supply Chain 

The first step in protecting your company and your vaccine supply chain is to know what poses a risk. According to the National Institute of Standards and Technology (NIST), cyber supply chain risks can come from a lot of sources. Here is a list of some of the most common sources: 

• Third party service providers or vendors with physical or virtual access to your information systems, software code, or IP.  

• Poor information security practices by your lower-tier suppliers 
• Compromised software or hardware purchased from your suppliers 
• Software security vulnerabilities in supply chain management or supplier systems 
• Counterfeit hardware or hardware with embedded malware 
• Third party data storage or data aggregators 

Top Protective Practices for Your Vaccine Supply Chain 

There are many practices your company should adopt to better manage your cyber supply chain risk. Here is a list of some of those recommended by NIST:  

• Include security requirements in every RFP and contract 
• Have a security team work with your contracted vendors on-site to address vulnerabilities 
• Inspect parts purchased from other vendors carefully before accepting them 

• Obtain the source code for all your purchased software 
• Limit access to your software to very few vendors and ensure all hardware vendors are limited to mechanical systems only 

Technological Tools to Fight Cyberattacks 

Outside of protocols and security practices, you may also want to consider using technology to enhance your supply chain’s safety.  

One of the most common tools is digital certification and serialization. In serialization, information is coded into a smart label or sensor that is attached to the vial of vaccine. If the vial has been tampered, the serialization will be altered, which means that the product can be counterfeit. While this is a common practice, serialization is not a full solution. Real serial numbers can be placed on fake products. That is why other strategies are still required.  

Another strategy involves the zero-trust policy. The zero-trust approach is simple: assume no person or entity can be trusted without the appropriate permission and verified identification. Essentially, this means that your company should provide bare minimum access to a select number of individuals. This policy also extends to machines. You should know which machines should be allowed to access specific data. By limiting access and contact between individuals and machines, you are limiting the risk of having a hack spread to other systems. 

Real-time visibility and tracking can boost not only your company’s vaccine supply chain efficiency, but also its security. Real-time data trackers can share product information as it travels through the supply chain, which means all stakeholders can monitor shipments and guarantee quality. Advanced sensors can even detect shocks, vibrations, and ambient light. If tractor-trailer doors are opened at unexpected times, the sensors can trigger text alerts, emails, or law enforcement notifications. Overall, having access to real-time data as your vaccines are moved from the assembly line to hospitals and medical centers can allow for close monitoring of your products. 

As demonstrated by the increase in cyberattacks, especially within the life sciences and healthcare sectors, cybersecurity is one of the most important areas companies need to focus on. Clarkston Consulting offers cybersecurity consulting. We help clients assess their security landscape and fully integrate cybersecurity into their business model. 

Coauthor and contributions by Maggie Wong