A technology disruption in a hospital operating room or an emergency response chain can spell the difference between life and death. Yet as healthcare providers, medical R&D and pharmaceutical companies around the world work to combat the spread of COVID-19, cyber criminals are taking calculated steps to hit these organizations… just when society needs them most. In many cases, attackers are targeting third parties and vendors with privileged access to these organizations’ critical data and systems. Sadly, this has become a regular occurrence for companies involved in COVID-19 vaccine research, development and delivery.
On Wednesday, the European Medicines Agency (EMA) – the EU’s governing body responsible for assessing and approving vaccines – disclosed it was the subject of a cyber attack. While the agency did not divulge specifics, Ars Technica reports that shortly thereafter, pharmaceutical company Pfizer and biotech company BioNTech issued a joint statement indicating documents related to their COVID-19 vaccine candidate had been unlawfully accessed via an EMA server. The statement notes that “no BioNTech or Pfizer systems have been breached in connection with this incident and we are unaware that any study participants have been identified through the data being accessed.”
The exact attack timeline and the attackers’ motivations are unconfirmed, but the disclosure comes just weeks after Pfizer and BioNTech announced that their “BNT162b2” vaccine is 95% effective in preventing COVID-19.
This attack is just one in a string of breach attempts on third parties that have access to valuable vaccine information.
Last Thursday, headlines emerged on a large-scale email phishing campaign targeting coronavirus vaccine supply chains. The IBM research team that uncovered the threat wrote that “the precision targeting of executives and key global organizations hold the potential hallmarks of nation-state tradecraft.” They went on to assess that “the purpose of this campaign may have been to harvest credentials to gain future unauthorized access. From there, the adversary could gain insight into internal communications, as well as the process, methods and plans to distribute a COVID-19 vaccine.”
The supply chain attack prompted a warning from the Department of Homeland Security and highlighted the challenges today’s R&D organizations and interconnected healthcare providers face in protecting life-saving systems, sensitive patient data and valuable intellectual property from attacks via third-party ecosystems.
Healthcare Partners and Suppliers are High-Value Targets
The healthcare industry is increasingly relying on technology – including SaaS applications, IoT-enabled devices, mobile diagnostics systems, telemedicine platforms and more – to improve patient services and optimize clinical outcomes.
Modern integrated care delivery hinges on the ability to exchange patients’ protected health information (PHI) across all identities and technology components. Privileged accounts and credentials make this “interoperability” possible by allowing administrators to access applications or data, and devices and systems to access one another. Everything from cloud-based virtual care applications to patient diagnostic data integration from third-party services requires privileged access.
Attackers know that privilege is the path to PHI – and they’re highly motivated to gain access. A single PHI record can fetch as much as $363 on the dark web, compared to credit card records which only go for $1-2. One can only imagine what confidential COVID-19 vaccine “recipes” and related intellectual property could net.
But why try to break into a heavily guarded fortress when you can just hijack a delivery truck that’s authorized to enter the premises? That’s how attackers think and that’s why they target providers, third parties and vendor organizations of all sizes across the continuum of care.
For example, a few years ago a popular SaaS-based transcription service was targeted in a NotPetya ransomware attack. The resulting outages impacted major US healthcare systems, obliterating doctors’ instructions to patients and disrupting numerous critical services, from imaging to order processing to patient care tracking software. The ripple effects of the attack impacted patient care for weeks, and the software company itself lost $92 million in revenue as a result.
According to a recent Ponemon report, the average hospital has relationships with more than 1,300 different external vendors. Each vendor identity requires a different level of privileged access to the healthcare organization’s data and systems to perform its role, from managing medical devices to keeping patient chart records up to date. Manually provisioning and managing privileged access for each of these identities is a major undertaking for IT and security staff. This may help explain why only 36% of healthcare providers believe they can effectively prioritize external vendor risk, despite 80% believing it’s “very important” to do so.
A new study of more than 700 providers indicates healthcare-specific data breaches will triple in volume in 2021. To protect their organizations from unrelenting attacks – from the outside, inside and across their third-party networks – healthcare IT security teams need the ability to scale their efforts and automate as many identity and privileged access management tasks as possible, such as credential and session management, vendor identity authentication and just-in-time provisioning. Not only does this minimize time-consuming operational tasks, it also makes it easier for verified vendors to access the systems, devices and data they need to do their jobs, exactly when (and only when) they need to.
To learn more about our approach to managing identity-related risk across the healthcare continuum, visit here, and check out CyberArk Alero, our SaaS solution that enables healthcare companies to automatically provision access for external third-party vendors that require privileged access to internal resources. If you’re an existing CyberArk customer, get to know Alero through our current 30-day trial – full details here.