Last fall, a tiny company no one had ever heard of was keeping Josh Corman up at night. It was one of the only groups in the world that made an ingredient that pharmaceutical companies like Moderna and Pfizer / BioNTech needed to make the mRNA COVID-19 vaccines. And it didn’t employ a single cybersecurity expert.
Corman is a senior adviser to the United States’ Cybersecurity and Infrastructure Security Agency (CISA), and for the past year, he’s been working on a task force within the agency focused on protecting the COVID-19 vaccine supply chain from cyber threats. Healthcare organizations have been some of the biggest victims of growing waves of cyberattacks over the past few years, and during the pandemic, they were an even bigger target.
What worried Corman weren’t places like Pfizer and Moderna. Those big, name-brand companies all employ in-house cybersecurity experts. He was worried about companies like the one making an mRNA ingredient: small, anonymous groups that made bits and pieces pivotal for vaccines, but that might not have ever thought they’d need to protect against a hacking campaign.
“You could sneeze on that one company, and they would be disrupted. And if they were disrupted, we’d be living in a very different world right now because they were so critical to those mRNA candidates,” Corman says.
Over the past year, the task force tracked down hundreds of similar companies critical to the development, production, and distribution of COVID-19 vaccines in the US. It offered to help them check for any gaps in their digital networks, give them resources to boost their preparedness, and help them respond to any incidents. A cyberattack on any of them could have slowed down the vaccine efforts, keeping shots out of reach for longer — at great cost to the health of the country, Corman says. “We wanted to make sure we had no delays because of cybersecurity.”
Re-creating the supply chain
The US approach to COVID-19 vaccine development ran through Operation Warp Speed — a $10 billion project that involved partnerships between biomedical companies and various agencies within the federal government, including the Food and Drug Administration, the Department of Defense, and the Department of Health and Human Services. It funded the development of vaccine candidates at companies like Moderna and Johnson & Johnson and was in close contact with others involved in manufacturing and distribution.
“Operation Warp Speed is generally described as being around the 30 biggest companies related to vaccines — research, delivery, and all the way to shipping out to states,” says Beau Woods, a senior adviser at CISA working on the COVID-19 task force.
CISA was one of the other federal agencies pulled into Operation Warp Speed. It’s part of the Department of Homeland Security and is responsible for assisting both the government and the private sector on cybersecurity issues. Along with the COVID-19 response, it spent 2020 working on security for the presidential election.
During Operation Warp Speed, CISA was asked to help with security for the main 30 players. “CISA has the ability to deliver protective, preventative, and response services to designated critical infrastructure. Anyone on that list was obviously prioritized,” Corman says.
But there were more companies involved with the vaccine development, production, and distribution process than just the ones on that list. Each of those 30 or so companies has its own supply chain, Woods says. The groups that made up those supply chains would need protection as well.
When Corman started working on COVID-19 response efforts as part of the task force within CISA, those companies hadn’t been identified yet. No one knew who they were. “I asked, what are those smaller, less obvious players that, if they’re disrupted, means there’s no vaccine? And no one had an answer,” Corman says.
Corman worked with colleagues like Michelle Holko, a presidential innovation fellow who worked with the task force, and Reuven Pasternak, another CISA senior adviser who’s also a physician, to develop a rubric that would help them identify those players. They looked for companies making products that were in short supply or couldn’t be easily replaced and companies making products that the groups making vaccines were highly dependent on. The group asked international partners to send them the names of any groups that could be important to the vaccine development process as well.
“We identified people who were never nominated at all, but bubbled up right to the top. Those were some of the most critically important weak links in the chain,” Corman says.
The list was dynamic — at the start of the process, it focused on groups involved in vaccine research and development. Then it shifted to companies working with the manufacturing and distribution of the shots. Overall, the group identified hundreds of companies involved in the process that could have been risks.
“A lot of them are smaller. In some cases, they’d have fewer than 100 people, and may not have traditionally looked at cybersecurity threats,” Woods says. Because they were involved in the vaccine process, they were targets for hackers, but they didn’t have the know-how to protect against threats. “That’s where we focused,” he says.
After making that list of companies that could be potential targets for cyberattacks, the task force started reaching out to each one to offer its services. A big part of those early conversations involved making sure companies understood that the group wasn’t a regulatory body but was just coming in to offer a service, says Steve Luczynski, the lead of the CISA COVID-19 task force. “Everybody’s concerned when the government’s calling,” he says.
But after they heard what the group was offering — help understanding any vulnerabilities, alerts about possible threats, and other guidance — many companies were eager to use their resources, Woods says. “In a few cases, we’ve had the organizations come back and say, ‘Hey we saw something, we think we got to it in time — but we’d love for you guys to just double check,’” he says.
Health IT and electronic health records company Cerner was one of the groups that worked with CISA and the task force. Cerner assisted with scheduling, inventory, and dose tracking for organizations administering vaccines, and its electronic health records had data on people receiving the shots. Kevin Hutchison, Cerner’s cybersecurity operations manager, had initially signed the company up for security alerts with CISA. The CISA task force then got in touch about participating in its other programs. “Given the footprint of Cerner, they were really excited to have us on board,” Hutchison told The Verge.
The CISA team took a look at Cerner’s existing security protocols, which were already strong. “It was a good pat on the back that we were doing things that we should be,” Hutchison says.
Cerner also regularly meets with around a dozen of the largest hospital systems that use its services to talk about security, and a handful of those groups were also using CISA’s services. Many hospitals don’t have the funding for a dedicated security team. “They had mentioned how valuable it had been for them,” Hutchison says.
The task force was able to offer services like scanning company systems for cybersecurity vulnerabilities and custom cyberintelligence tools, Woods says. But one of the most important parts of outreach was just creating a relationship with the company so that CISA was able to quickly relay any important information. “Part of it is just working out that trust, so that when they pick up the phone, they know who you are,” he says.
Through those relationships, the task force and CISA helped companies respond to cyber threats over the course of the past year. Threats included a phishing campaign aimed at the cold chain vaccine transport system and the SolarWinds hack, which targeted US government agencies. None had major impacts on the vaccine development and distribution process. “We had these good connections. We knew that this is the person to call, and here’s the email to send to, when these events happen,” Luczynski says.
Those connections could carry through into the future and help healthcare organizations manage cybersecurity threats. “I am happy to see greater engagement between CISA and healthcare, and I definitely hope that continues,” Woods says.
The work the task force did on the vaccine supply chain could also be a model for other projects in the future, he says. “A lot of times when the government works with the private sector, they’re most engaged with larger organizations because they don’t have connections with the smaller ones,” Woods says. This work showed that, many times, the riskiest areas are actually those smaller organizations.
So far, the COVID-19 vaccine development and distribution process hasn’t been delayed by any cyberattacks. Luczynski says the task force can’t take all the credit — it’s hard to say definitively if its work was the reason there weren’t major issues. But he thinks it made a difference. “I am confident we contributed to making things better.”
Correction: We incorrectly spelled Kevin Hutchison’s last name in our original version of this article, which has one n, not two. We regret the error.