Identity and access management is critical in regulating user access and preventing unauthorised parties from accessing private information. Rob Elliss, VP for Data Security solutions for Europe, the Middle East and Africa (EMEA) at Thales, explains why a robust access and identity management strategy to security is essential in the rollout of the COVID-19 vaccines to build strong security foundations and ensure that the toughest precautions are in place.
There is no doubt that over the last year we have seen our professional and personal lives changed, and for many us our commute to work is now a stroll to the front room, spare room or other part of our homes. This surge of home working has forced IT teams across the world to accelerate Digital Transformation plans.
In a world where COVID-19 is constantly on the mind, in the news and on our social feeds, our curiosity to consume more about it has created a new way to lure unsuspecting employees into hackers’ traps. New frontiers have emerged for cybercriminals, ranging from attacks on businesses and governments through their rapidly expanded remote workforce, to targeting schools and universities struggling to cope with virtual learning, through to ransomware attacks. In addition, hackers have unleashed attacks on COVID-19 research, making the vaccine an obvious next target for malicious assailants.
While the world is still learning to manage heightened security risks and the increasing incidence of cyberattacks, a new challenge has emerged as hackers target the mass scale rollout of the COVID-19 vaccine itself. While immunisations are well underway in the UK, the data and supply chains supporting the access and distribution of vaccines are at great risk from cybercriminals, who’ve long sought to take advantage of a crisis. Serious attacks have already taken place with the European Medicines Agency reporting that threat actors broke into its servers and accessed documentation about the Pfizer and BioNTech vaccines.
Accomplishing secure distribution of the COVID-19 vaccine is a massive undertaking – from manufacturing to storing data, to distribution and maintenance of the whole cycle. However, there are multiple safeguards, technologies and steps that the government and businesses can take to protect and ensure this valuable process.
Secure the vaccine information, protect the databases and defend the supply chain
Protecting the data of those who need the COVID-19 vaccine, where the need is and who has already received their dose is a massive undertaking, and security around this valuable data – as well as information on the vaccine itself – is significant. The quality and security of the data are crucial.
This veil of protection must also extend to the physical distribution of the COVID-19 vaccine across the UK – a complicated process that involves many moving parts and needs to operate to a tight schedule. As part of this supply chain, numerous IoT devices – from GPS tracking technology to mobile systems – are being used to store, transport and distribute the vaccine within its low temperature requirements.
The reliance on a multifactor supply chain involving a wide variety of IoT devices, as well as large-scale databases, exposes the process of vaccine distribution up to a greater cybersecurity risk. It is therefore essential that caretakers behind the rollout of the COVID-19 vaccines build strong security foundations and ensure that the toughest protections are in place with the expectation that threats will evolve. An attacker only has to be successful once, but the guardians of the vaccine database must be successful every minute of the day.
Identity and access management – the key to security success
With such a complicated and sensitive distribution process, it is vital that only those who are authorised to access data relating to the COVID-19 vaccines can do so. Identity and access management will therefore be crucial in regulating user access and preventing any unauthorised parties from accessing private information about patients or even the vaccine itself.
The first step in this security defence is understanding exactly what information is being held and where it is being stored. A comprehensive internal audit will help organisations to not only identity their data but also where it sits and, importantly, who has access to it.
Once this has been established, security controls can be implemented to provide a vital layer of defence. Encrypting data at its source will ensure that even if there is a breach of the NHS’s systems, the data will be rendered useless if it ends up in the wrong hands. This is regardless of whether its stored on company servers, in the public cloud or in a hybrid/multi-cloud environment. Meanwhile, the adoption of Two-Factor Authentication will ensure only authorised employees have access to the data they need and nothing else. Under this method, the user will be asked for an extra piece of information in order to verify themselves, such as a unique code sent to them via their device. Adding Zero Trust protocols on top of this provides an extra layer of protection. This means implementing a ‘verify but never trust’ philosophy that restricts people to accessing only what they are authorised to. Should there be a breach, it essentially prevents hackers from accessing the wider network and the keys to the kingdom.
When implemented correctly, these security tools will protect the distribution of the COVID-19 vaccines – which is especially critical in the age of GDPR, where the loss of someone’s private information can result in big fines under compliance regulations.
The creation and distribution of the COVID-19 vaccines is a critical healthcare undertaking and the security of the information behind it will be of a similar importance. Lives literally depend on it, with many vulnerable people around the UK in line for the life-saving vaccine and hackers always keen to jump on a crisis. However, with the rollout going well and millions more pieces of valuable data being created every day, now is not the time to rest easy. With the right data security measures in place, all organisations involved in this effort can secure themselves against potential attackers.
