The mass vaccine roll-out across the world offers hope that by the summer we will see a glimmer of normality start to return to our lives. However, until then we also have to consider the profound challenges of delivering and administering vaccines at scale. The logistical hurdles have been well documented but the cybersecurity risks less so and that’s what I want to shed light on.
Clinical and organisational risks
There are two areas that concern me in particular. First is the persistence of legacy technology (e.g. workstations and network infrastructure) and unpatched devices that abound in most healthcare systems such as the NHS in the UK. The second are the increasing risk profiles associated with network connected medical devices which we can refer to as Internet of Medical Things (IoMT) Devices. Taken together these present significant clinical and organisational risks.
For example, a ‘standard’ opportunistic ransomware attack targeting a hospital or vaccination hub that makes patient administration and EMR systems unavailable would significantly disrupt vaccinations simply because patient details could not be validated. Take this a step further with a slightly more targeted attack, and you could see pharmacy systems and IoMT devices such as medication fridges and dispensing cabinets being compromised. These would have a more profound impact, as with the most temperature and time sensitive vaccines we could see the loss of highly valuable batches as a consequence of this.
There’s more to this picture. If we consider the entire supply chain – we have transport companies, distributors, manufacturers and R&D facilities to consider. The fact is that all of these are attractive targets to compromise with opportunistic or more nuanced disruptive cyber-attacks. I have said time and again that attackers increasingly understand clinical urgency as a means of getting the outcomes they desire, such as ransom payments. Vaccination programmes present a prime opportunity to take advantage of this.
Every device has to be considered in a clinical context because its risk profile will change based on that and we know that more exploitable IoMT vulnerabilities are being discovered regularly. My team of clinicians recently analysed a number of these using a series of clinical case studies in an IoMT security research white paper. What we need to ensure is that while we plan for the logistical challenges of mass vaccinations we include cybersecurity as a part of this. The supply chain is only as strong as its weakest link and we cannot afford to delay vaccinating those at risk or to lose precious vials.
Ultimately, cybersecurity is patient safety.
Dr Saif Abed is founding partner and director of cybersecurity advisory services at AbedGraham.