Last fall, a small business no one had ever heard of kept Josh Corman awake at night. It was one of the only groups in the world to manufacture an ingredient that pharmaceutical companies like Moderna and Pfizer / BioNTech needed to make the COVID-19 mRNA vaccines. And he didn’t employ a single cybersecurity expert.
Corman is a senior advisor to the US Cybersecurity and Infrastructure Security Agency (CISA) and for the past year has worked in a task force within the agency focused on supply chain protection. COVID-19 vaccine against cyber threats. Healthcare organizations have been among the biggest victims of the growing waves of cyberattacks in recent years, and during the pandemic they have been an even bigger target.
What worried Corman weren’t places like Pfizer and Moderna. These large, well-known branded companies all employ in-house cybersecurity experts. He worried about companies like the one making an mRNA ingredient: small, anonymous groups that made essential pieces for vaccines, but who might never have thought they would need to protect themselves from a campaign. hacking.
“You could sneeze on that one business and it would be confused. And if they were upset, we would be living in a very different world right now because they were so critical of these mRNA candidates, ”Corman said.
Over the past year, the task force has tracked down hundreds of similar companies critical to the development, production and distribution of COVID-19 vaccines in the United States. He offered to help them check for gaps in their digital networks, give them resources to improve their preparedness and help them respond to any incident. A cyberattack on one of them could have slowed vaccination efforts, keeping the shots out of range longer – at a wholesale cost to the health of the country, Corman says. “We wanted to make sure we didn’t have any delays due to cybersecurity. ”
Recreate the supply chain
The US approach to the development of the COVID-19 vaccine took place as part of Operation Warp Speed - a $ 10 billion project that involved partnerships between biomedical companies and various federal government agencies, including the Food and Drug Administration, the Department of Defense and the Department of Health. and Personal Services. He funded the development of vaccine candidates at companies like Moderna and Johnson & Johnson and was in close contact with others involved in manufacturing and distribution.
“Operation Warp Speed is generally described as being around the 30 largest vaccine-related companies – research, delivery and up to shipping to states,” says Beau Woods, senior advisor at CISA working on the group. working COVID-19.
The CISA was one of the other federal agencies involved in Operation Warp Speed. It is part of the Department of Homeland Security and is responsible for assisting both the government and the private sector on cybersecurity issues. Along with the response to COVID-19, he spent 2020 working on presidential election security.
During Operation Warp Speed, CISA was asked to assist in the safety of the top 30 players. “CISA has the capacity to provide protection, prevention and response services to designated critical infrastructures. Anyone on that list obviously had priority, ”Corman said.
But there were more companies involved in the vaccine development, production and distribution process than those on this list. Each of those roughly 30 companies has its own supply chain, Woods says. The groups that make up these supply chains would also need protection.
When Corman began working on COVID-19 response efforts as part of the working group within CISA, these companies had yet to be identified. No one knew who they were. “I asked who are these smaller, less obvious players who, if disturbed, mean there is no vaccine? And no one had an answer, ”Corman says.
Corman worked with colleagues like Michelle Holko, a presidential innovation specialist who worked with the task force, and Reuven Pasternak, another CISA senior advisor who is also a physician, to develop a column that would help them identify these players. They searched for companies that made products that were scarce or difficult to replace, and companies that made products on which the vaccine groups were heavily dependent. The group asked international partners to send them the names of any groups that might also be important to the vaccine development process.
“We identified people who were never nominated, but who made it to the top. These are some of the most important weak links in the chain, ”Corman said.
The list was dynamic – early in the process, it focused on groups involved in vaccine research and development. Then it moved to companies working with manufacturing and distributing the plans. Overall, the group identified hundreds of companies involved in the process that could have presented risks.
“A lot of them are smaller. In some cases, they numbered less than 100 people and may not have traditionally looked at cybersecurity threats, ”says Woods. Because they were involved in the vaccination process, they were targeted by hackers, but they lacked the know-how to protect themselves from threats. “This is where we focused,” he says.
After compiling this list of companies that could be potential targets of cyber attacks, the task force began contacting each of them to offer their services. Much of those early conversations involved making sure companies understood that the group was not a regulator but was simply coming to offer a service, says Steve Luczynski, head of the CISA COVID-19 task force. “Everyone is worried when the government calls,” he said.
But after hearing what the group was offering – helps understand vulnerabilities, alerts about possible threats, and other advice – many companies were eager to use their resources, Woods says. “In a few cases the organizations came back and said, ‘Hey, we saw something, we think we got there on time – but we’d like you to just check out,’ he says.
Health informatics and electronic health records company Cerner was one of the groups that worked with CISA and the task force. Cerner assisted with dose planning, inventorying and tracking for organizations administering vaccines, and its electronic health records contained data on who received the injections. Kevin Hutchinson, Cerner’s cybersecurity operations manager, originally registered the company for security alerts with CISA. The CISA working group then made contact to participate in their other programs. “Considering Cerner’s footprint, they were really excited to have us on board,” said Hutchinson. The edge.
The CISA team reviewed Cerner’s existing security protocols, which were already strong. “It was a good pat on the back that we were doing things that we should be,” says Hutchinson.
Cerner also meets regularly with a dozen of the larger hospital systems that use its services to talk about safety, and a handful of those groups also used CISA’s services. Many hospitals do not have the funding of a dedicated security team. “They had mentioned how precious it had been to them,” says Hutchinson.
The task force was able to offer services such as analysis of business systems for cybersecurity vulnerabilities and custom cyber intelligence tools, Woods said. But one of the most important parts of raising awareness was simply creating a relationship with the company so that CISA was able to quickly relay any important information. “Part of that is just building that trust, so that when they pick up the phone, they know who you are,” he says.
Through these relationships, the task force and CISA have helped businesses respond to cyber threats over the past year. The threats included a phishing campaign targeting the cold chain vaccine delivery system and the SolarWinds hack, which targeted U.S. government agencies. None had a major impact on the vaccine development and distribution process. “We had these good relationships. We knew that was the right person to call, and here’s the email to send when these things happen, ”says Luczynski.
These connections could last into the future and help healthcare facilities manage cybersecurity threats. “I’m happy to see a greater engagement between CISA and healthcare, and I really hope that continues,” said Woods.
The work the working group has done on the vaccine supply chain could also be a model for other projects in the future, he said. “Often times when government works with the private sector, it gets involved the most in large organizations because it has no ties to smaller ones,” says Woods. This work has shown that, on several occasions, the riskiest areas are in fact these small organizations.
So far, the process of developing and distributing the COVID-19 vaccine has not been delayed by any cyberattacks. Luczynski says the task force can’t take all the credit – it’s hard to say for sure if his work was the reason there weren’t any major issues. But he thinks it made a difference. “I am convinced that we have helped to improve things. ”