The COVID-19 pandemic has changed the way we live and work. The way out is the vaccine — or, as turns out, several vaccines, developed by many organizations. They’re now making it into the arms of people around the world, and their supply-chain journey serves as an interesting use case for examining security threats.
In the era of “fake news,” the pandemic took the world by surprise. Humanity went through the inevitable stages of grieving, the first of which was denial. News didn’t immediately filter out of official channels. Concern escalated with reporting of the first cases in each part of the world. Healthcare professionals scrambled, and official reporting was slow at first. Drawing on reports from schools, local news, workplaces and social media, some organizations were better prepared than others. As early as January of 2020, it was clear that the entire world was about to go into crisis mode. Some businesses cut down on travel, started planning for remote work, or ordered supplies that would soon run short.
Since then, all eyes have been on vaccine development — whether and when it would become available. At the same time, manufacturers and distributors faced any number of threats to the security of their product. Nghi Luu, supply-chain risk leader at Cisco, summed it up: “We’ve come to realize that it’s not just about boxes getting from Point A to Point B. It’s geopolitical risks, cyber risks, overall supply-chain continuity risks.” This could mean changing legal environments, customs restrictions, political sanctions, logistical delays, infrastructure constraints, or labor actions. Only by employing proactive intelligence will we be able to shift the vaccine supply-chain security posture from reactive to proactive.
The rogue threat actors of yesterday have been replaced by profit-hungry and increasingly systematic groups that operate very much like businesses. The COVID-19 pandemic was their payday. Very early on, threat actors got to work on scams to take advantage of fear and confusion. As we shifted to work from home in those early weeks and months, few among us were at our best. Threats were disguised as medical professionals with key information, access to supplies such as personal protective equipment and sanitizers that were unavailable elsewhere, and payroll communications.
Threat actors have always had a special interest in high-value, high-reward intellectual property or personally identifiable information (PII) held by pharmaceutical companies. For biotechnology and pharmaceutical sectors, research and development data forms the critical basis of what they do. Developing a new drug and bringing it to market is a huge undertaking, requiring considerable time and money. Compromised clinical trials can result in lost revenue, or worse. For smaller and mid-sized pharmaceutical companies, the theft of intellectual property could mean ruin.
Healthcare and pharmaceutical companies were warned that their information could come under attack. How they protect their proprietary data through management and controls, as well as the technologies they employ for storing and processing I.P., is still a top priority. The vaccine race has become the new arms race.
In December, 2020, the European Medicines Agency (EMA) was attacked. Luckily, it remained functional, and timelines for the evaluation and approval of COVID-19 vaccines and treatments weren’t impacted. Yet upon full investigation, it was revealed that a number of documents belonging to third parties were accessed and obtained. In January, 2021, it came to EMA’s attention that some of the stolen data on the Pfizer/BioNTech vaccine was released on the dark web shortly after the attack.
Managing supply-chain risks related to the COVID-19 vaccine more holistically and proactively will go a long way toward avoiding threats, at a time when there are clear indicators that danger still lies ahead.
This article was originally published in SupplyChainBrain but written by The Media Sonar Team.