This blog is part of a series on digital safeguards and enablers for COVID-19 vaccine delivery.
The COVID-19 pandemic brought a significant shift to our lives and emphasized our growing dependency as a society on digital technologies. The reality shows, however, that along with the progress and the economic and social developments come risks and threats. In fact, since the very beginning of the pandemic, countless cyber incidents have been reported, including, among others, ransomware attacks, phishing scams, and data extortion, targeting individuals, businesses and governments. These attacks have used the time of turmoil for easy profit or to gain a competitive advantage, while jeopardizing the confidentiality, integrity, or availability of data and information systems.
The National Cyber Security Center (NCSC) UK reported that every second organization has experienced a cyber-attack on a remote device in 2020 (a 41 percent increase compared to 2019). In May alone, more than a 300 percent increase in phishing scams targeting remote workers was reported. In Autumn 2020 hundreds of US healthcare facilities were disrupted by a ransomware attack affecting treatments and procedures and a first fatality due to such a cyber-attack was reported in Germany when a patient had to be diverted to another hospital.
As health authorities have approved the use of the vaccines and launched their vaccine delivery campaigns, online adversaries have also began to target the vaccination supply chain , such as suppliers of ultra-cold equipment for the distribution of the vaccines and organizations involved in the delivery of it.
The European Medicines Agency (EMA) revealed that some of the Pfizer COVID-19 vaccine data was stolen from its servers and leaked online (December 2020). The European Commission, together with dozens of companies working in the vaccine delivery industry, were targeted in a spear-phishing campaign, aimed at harvesting credentials used in the collection of information on COVID-19 vaccine distribution.
The possibility of cyberattacks, such as intrusion, ransomware and even DDoS (Distributed Denial of Service), present concrete risks for every country’s vaccination delivery campaign. Threats can vary. Interference with digital tools and information systems, used in the shipment, deployment, and distribution of the vaccines could cause major logistics delay, losses of vaccine stocks, incorrect treatment of patients, and exposure of sensitive personal data. Unsafe digital platforms and fear of data extortion could reduce public trust in the vaccination process and might increase vaccine hesitancy.
In light of these threats, governments should consider the vaccine pipeline as an essential service and take concrete actions to minimize potential cyber risks.
Balancing the need for speed and security
In countries with advanced digital economies and with mature cybersecurity deployment, governments could use existing digital platforms and databases throughout the vaccine delivery life cycle (e.g. for planning, monitoring, tracking purposes). To manage the risks arising from the use of these digital systems, these countries would apply cybersecurity safeguards and appropriate measures that rely on the national cybersecurity infrastructure already in place.
When countries do not have a mature cybersecurity deployment to support the vaccine delivery, as is the case in many developing countries, they will have to face the dilemma of how to balance the need for a quick vaccine deployment while maintaining a safe and trusted digital environment throughout the whole delivery process.
A creative solution is needed that delivers an appropriate balance between the need to respond quickly and the need to ensure an adequate level of security of the digital platforms adopted. If possible, this solution should bring with it long term benefits to the countries in which it is deployed.
A full national cybersecurity response mechanism may not be feasible in a country with a weak cybersecurity deployment. Rather, an alternative approach could be considered in which the vaccination delivery is considered a “stand alone” event and a dedicated cybersecurity plan is applied only to this event.
This approach, which relates to the actions taken to secure a “stand alone” event, has three main phases: Identification, Implementation and Mitigation. The methodology can be best demonstrated by referring to the actions taken to cybersecure the Olympic Games.
Securing an Olympic effort
The Olympic Games is a “stand alone” event (for each hosting country). As such, the organizing committee usually designates a dedicated task force for securing the digital infrastructure of the event, as done for Tokyo 2021. As mentioned, the task force works in three phases:
- Identification of the specific cyber threats relevant for the Olympic Games. These might include, for example, tampering with results of doping tests or intentionally damaging the stadium building management systems during the competition (e.g. electricity, air-conditioning, fire-alarms etc.). It would also include identification of the existing digital platforms in use and their vulnerabilities (e.g. the Olympic Village clinic and laboratory information system, the Olympic Stadium fire control system, etc.).
- Implementation of specific cybersecurity measures and solutions designed to resolve the existing vulnerabilities within the specific digital platforms supporting the event assets identified at risk.
- Mitigation of the risks during the course of the event.
A similar approach could be applied to ensure an appropriate level of security of the COVID-19 vaccine delivery campaign. Governments could set a designated task force of external and local cyber experts, with the task to cybersecure the systems adopted to deliver the vaccines and the data shared in the process.
This task force would work to identify the specific that may arise throughout the life cycle of the vaccine delivery process in the examined country. In some cases, the main challenge could be to ensure that criminals do not succeed in obtaining sensitive medical information for the purpose of extortion. In others, the main challenge could be blocking phishing emails asking people to make a payment to ensure securing their dose.
When identifying all threat vectors, the team would design the cybersecurity measures needed to prevent or minimize the possible threats and will monitor and provide a response to unfolding incidents during the vaccine delivery.
Besides enabling a fast and safe deployment and distribution of the vaccines, this approach holds long-term benefits. The knowledge and skills acquired by local experts during the course of the vaccine delivery, could be used later to enhance the country’s broader cybersecurity capabilities. A cyber-safe vaccine delivery could increase a government’s awareness for cyber risk management and lead it to invest more in their national cybersecurity readiness, resulting in long term benefits for the country.
This work is supported by the Digital Development Partnership, administered by the World Bank. For more information or how you can receive assistance with these topics, please contact Digital4Vaccines@worldbankgroup.org
RELATED: Tell Me How: Sharpening Policies for Better Cybersecurity Outcomes
Join the Conversation