The COVID-19 vaccine is rolling out to the public, and in the past few months we’ve watched cyber criminals go after vaccine logistics networks through supply chain attacks: a technique in which an attacker breaks into an organization by way of an outside provider that has access to its systems.
As vaccine distribution continues through 2021, the companies managing the process must proactively think about their current risk level, how they can decrease that risk, and how they can strengthen their security posture moving forward.
Breaking down IBM’s December 2020 warning:
Healthcare distribution networks are behind on their cybersecurity measures, and there are some legitimate reasons for this.
Healthcare distribution networks face challenges that stem from running legacy systems that store large amounts of private data. From a pentesting perspective, these organizations are typically hesitant to run routine security testing because an outage during a critical procedure can put patients’ lives at risk.
To understand how easily cyber criminals can operate against healthcare distribution networks, let’s break down IBM’s December 2020 advisory and what prompted it. The advisory stated that threat actors “sent phishing emails to executives involved in vaccine storage and transport to harvest account credentials.” Their approach succeeded for two reasons.
First, phishing attacks are cheap and easy to run. Webmail providers like Gmail and Yahoo! hand out email accounts to virtually anyone with little identity verification, which makes attribution hard. Likewise, it takes minutes to register a new domain name that looks like the targeted organization’s: a swapped or look-alike character, a dropped letter, an added word such as “secure” or “logistics”, or a different top-level domain.
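The look-alike domains described above are what anti-phishing tooling on the mail platform is meant to catch. The following is an added example written for this post (not code from the original article, from IBM, or from any vendor) of such a check: it decodes punycode so international-character homoglyphs are compared as glyphs, then classifies a sender domain against a protected one as a TLD swap, homoglyph, typosquat, combosquat or subdomain impersonation. The protected domain `vaxlogistics.com`, the small confusables table and the sample `From:` headers are all constructed for illustration.

```python
"""Flag sender domains that impersonate a protected domain.

Added example for this post, not code from the original article or from
IBM's advisory. The protected domain, the confusables table and the
sample From: headers are constructed for illustration.
"""
import unicodedata
from email.utils import parseaddr

PROTECTED = "vaxlogistics.com"  # hypothetical distributor domain

# Small, illustrative confusables map; real tooling would use the full
# Unicode confusables data (UTS #39).
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0131": "i",                                  # Latin dotless i
    "\u0430": "a", "\u0435": "e", "\u0456": "i",
    "\u043e": "o", "\u0440": "p", "\u0441": "c",    # Cyrillic look-alikes
}
MULTI_CHAR = {"rn": "m", "vv": "w"}  # pairs that render like one letter


def to_unicode(domain):
    """Decode punycode (xn--) labels so IDN homoglyphs are compared as glyphs."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or malformed punycode


def skeleton(label):
    """Canonical form in which visually similar labels collide."""
    s = unicodedata.normalize("NFKC", label).lower()
    for pair, single in MULTI_CHAR.items():
        s = s.replace(pair, single)
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def levenshtein(a, b):
    """Edit distance; catches dropped, added or substituted characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender_domain, protected=PROTECTED):
    """Return why sender_domain resembles protected, or None if it does not.

    The real domain and its subdomains return None: whether mail from them
    is genuine is for SPF/DKIM/DMARC to decide, not for a look-alike check.
    """
    dom = to_unicode(sender_domain).strip().rstrip(".").lower()
    if dom == protected or dom.endswith("." + protected):
        return None
    p_label, p_tld = protected.rsplit(".", 1)
    labels = dom.split(".")
    if len(labels) < 2:
        return None
    reg_label, tld = labels[-2], labels[-1]
    if reg_label == p_label and tld != p_tld:
        return "tld-swap"                   # vaxlogistics.co
    if skeleton(reg_label) == skeleton(p_label):
        return "homoglyph"                  # vax1ogistics.com, Cyrillic i
    # One edit for short names, two for longer ones; short labels would
    # otherwise collide with unrelated domains.
    if levenshtein(reg_label, p_label) <= (1 if len(p_label) < 8 else 2):
        return "typosquat"                  # vaxlogistcs.com
    if p_label in reg_label:
        return "combosquat"                 # vaxlogistics-coldchain.com
    if p_label in labels[:-2]:
        return "subdomain-impersonation"    # vaxlogistics.com.secure-login.net
    return None


SAMPLE_FROM_HEADERS = [  # constructed, not captured traffic
    "Dispatch <dispatch@vaxlogistics.com>",
    "Dispatch <dispatch@mail.vaxlogistics.com>",
    "Dispatch <dispatch@vaxlogistics.co>",
    "Dispatch <dispatch@vax1ogistics.com>",
    "Dispatch <dispatch@" + "vaxlog\u0456stics.com".encode("idna").decode("ascii") + ">",
    "Dispatch <dispatch@vaxlogistcs.com>",
    "Dispatch <dispatch@vaxlogistics-coldchain.com>",
    "Dispatch <dispatch@vaxlogistics.com.secure-login.net>",
    "Carrier <noreply@ups.com>",
]


def flag_senders(headers):
    """Return (address, reason) for every From: header whose domain is suspect."""
    findings = []
    for header in headers:
        _, addr = parseaddr(header)
        domain = addr.rpartition("@")[2]
        reason = classify(domain)
        if reason:
            findings.append((addr, reason))
    return findings


if __name__ == "__main__":
    for addr, reason in flag_senders(SAMPLE_FROM_HEADERS):
        print(f"{reason:24} {addr}")
```

The check is deliberately conservative about the real domain: an exact match or a legitimate subdomain is never flagged here, because a spoofed `From:` on the genuine domain is a different problem, handled by SPF, DKIM and DMARC rather than by string similarity. The edit-distance threshold scales with the length of the protected label so that short brand names do not match every three-letter domain.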
Second, the phished credential is just the tip of the iceberg. Once a threat actor tricks a victim into handing over one set of login credentials, the human tendency to reuse a password across many portals means that single password often opens a whole suite of systems and data.
That data and systems access enables higher-stakes ransomware and malware attacks. Put simply, the threat actor uses phishing to “fish” for whatever else they can reach and do more damage with. And while the IBM advisory described a targeted campaign, many threat actors need no particular target in mind; they are agents of chaos and opportunity.
A simple phish could even lead to a physical social engineering attack. Consider this scenario: I’m targeting a vaccine developer, and I phish one of their employees. From that mailbox I learn which distribution partner they use and where the vaccine shipment is headed. I can then identify the truck physically transporting the load (easily spotted by its sub-zero temperature equipment), follow it to its end destination, talk my way into the warehouse, and unplug the refrigeration units: causing financial damage and, worse, putting lives at risk by delaying or spoiling the vaccines.
How distribution and healthcare organizations must proactively protect themselves:
A simple phishing attack can cause major damage to healthcare distribution organizations. Here’s how they should think about their cybersecurity posture for the year to come.
First, they must understand that in the criminal world, data is currency. Agreeing to work with another company means extending trust to it, and that trust covers access to your data and systems.
So, for those moving the vaccine and working directly with healthcare organizations, the first step in data protection is classification: knowing what data you hold, what risk level it carries, and how and where it is stored. The next step is segmentation, so that each data set is reachable only by the people and systems that genuinely need it.
Regular pentests can be extremely helpful for these distribution organizations. A thorough security assessment identifies the weaknesses an attacker could exploit to compromise the confidentiality of data, or the integrity and availability of the systems that keep shipments moving. Now more than ever, pentesting should be as routine a precaution for distribution networks as background checks on drivers.
Organizations should also deploy anti-phishing tooling on their email platforms: email authentication checks (SPF, DKIM and DMARC), link and attachment scanning, and look-alike domain detection. But no such solution is 100% foolproof: cue social engineering. The weakest link in any cybersecurity program is the end user, which is where security awareness training comes in. Combined with threat modeling and pentesting, it helps employees understand where they could be the entry point for an attack.
It’s all about raising the maturity of the cybersecurity program. To prevent attacks, vaccine distribution organizations can’t think only about the technical pieces of a cybersecurity program. They must adopt layered defenses, so that when one control fails another is already in place, and prepare for the worst.