When hackers infiltrated the European Medicines Agency systems late last year and leaked vaccine data from Pfizer and Moderna online, it signaled a new type of cyberattack that could have drastic effects on public health efforts.
In January, the EMA confirmed that some of its data from the pharmaceutical companies regarding their COVID-19 vaccines and treatments had been leaked online. However, before posting the information, the hackers manipulated the data in a way that "could undermine trust in vaccines," the EMA said.
In February, reports began to surface that South Korea's National Intelligence Service accused North Korea of attempting to hack into Pfizer's systems to steal COVID-19 vaccine technology.
With cybersecurity attacks rising across the healthcare industry, Becker's asked six IT executives from hospitals and health systems across the U.S. what attacks on vaccine data could potentially mean for public health.
Question: How does a situation such as the hacking of Pfizer and Moderna's COVID-19 vaccine data affect public health? What does this mean for the future of healthcare cybersecurity?
Curtis Cole, MD, assistant vice provost of information services and CIO at Weill Cornell Medical College (New York City): There are two aspects of this I find fascinating. First, this is a new way to perpetuate the problem of "deep fakes." We have been anxiously discussing how to protect from AI-driven fake images, videos and news. And while the problem of fake data and fake research is not new, this presents a new dimension of fraud. This isn't a misguided scientist passing off a fake result. Rather, they are trying to undermine source data that legitimate researchers might want to use.
The second aspect is that this is only important because of the increased blurring of scientific discourse, which was confined to a protected sphere of like-minded researchers, with public discourse, where it is inevitably simplified and taken out of context. Social media then accelerates the transmission of misunderstanding. So, this is certainly concerning. But I take some solace in the fact that researchers are also trying to create legitimate synthetic data to protect privacy. That turns out to be really hard, so this fraud may not be easy to replicate either.
Jim Noga, vice president and CIO at Mass General Brigham (Boston): While the exfiltration and breach of data are extremely concerning and we need adequate protection in place, the real concerning cybersecurity threat in healthcare is the modification of data. What if the efficacy of a drug or vaccine is modified due to a run silent, run deep cybersecurity attack? The same scenario could apply to a specific patient. When we detect a "hack" at least we are in a position to respond; what happens when the hack goes undetected and data is modified?
Christian Dameff, MD, medical director of cybersecurity at UC San Diego Health: When critical connected public health infrastructure is attacked, we are potentially facing multiple threats. The first is our ability to actually do great public health. Nowadays, we rely on telecommunications and digital communications to help with things like contact tracing, quarantining people and managing huge swaths of our population to reduce the risk of them spreading this disease. Much of that infrastructure – from email to legacy systems – are all connected, so if those vulnerable systems are exploited, we first have at risk the ability for us to even do the public health efforts we need to effectively control this virus and hopefully go back to some type of normalcy in the future.
The second is there are serious concerns that digital adversaries, malicious hackers and state actors through their campaigns to attack these systems could sow distrust in the actual technology itself. The best example of this is they can manipulate data to suggest there are safety issues with a vaccine. That type of attack is of course egregious at its base but also one that could easily outlast our current pandemic. We've seen huge amounts of vaccine hesitancy as well as anti-vaxx rhetoric that's been swelling the last few years. This type of attack not only fuels these issues but keeps it burning for a long, long time.
The last thing is that when public health work becomes controversial as a response or a side effect of these types of hackers coming in and changing data, for example, then it becomes much more difficult to implement legislative fixes, policy changes and help support public health initiatives in the future. There will always be controversy, and even though you could probably pretty easily prove that the controversy shouldn't exist, or that the data was manipulated. There is that concern working on things like the internet or in certain circles that when you go to try and pass a law, you say "oh well we didn't do this very effectively during the pandemic. We need to fix this, so let's implement a policy legislative fix so that next time this won't happen." These cyber attacks make it much more difficult to legislate the appropriate angling for change regulation or prove our response and posture for some next public health crisis, whether it be a pandemic or something else.
Jeri Koester, CIO at Marshfield (Wis.) Clinic Health System: The incidents within the last year exemplify the need for continued vigilance. These attacks can be paralyzing to healthcare organizations; therefore, we need to continue to be stewards of our data and protect it from monetary and public health perspectives. Healthcare organizations must have resiliency programs in place to rapidly react and recover in the event of an incident. Research data is incredibly valuable to nation states and cyber threat actor – even more so with COVID-19.
Protection of this information is critical; this is everyone's fight. Collaboration between healthcare delivery organizations, private sector companies and federal partners is the only way to combat this threat effectively.
Raymond Lowe, senior vice president and CIO at AltaMed (Los Angeles): Hackers are attracted to data breaches that have a long shelf life compared to other forms of information that can be stolen. Healthcare records are known to be one of the most valuable types of information that hackers look for. Most of the personal health information that is compromised throughout the industry happens through hacking or IT incidents. That is because PHI is known to be one of the highest valued types of information that can be stolen. A Social Security number can sell for $0.53; credit card information for $5.40; but the healthcare record for one person can go for about $250 when sold on the dark web.
The consequences of Pfizer and Moderna's COVID-19 vaccine data getting hacked as well as its effect on public health depend on what kind of information was stolen. If it was data submitted to regulatory bodies, then we may be talking about confidential information of the vaccine, its mechanism of action, efficiency, risks and known side effects. This information has been discussed publicly, so there may be limited risk. If it was detailed information on other parties involved in the supply and distribution of the vaccine, this information could risk a supply chain block or disrupt distribution. If formulas and information about the production of the vaccines was hacked or stolen, this could benefit entities with ulterior motives.
The other concern is the possible breach of the vaccine trial participants' PHI. Vaccine trial participant information can potentially provide information about the patients that may be used to cause harm to the public. Additionally, this HIPAA violation would negatively impact the affected pharmaceutical companies. In the future, OCR may mandate stricter regulations to protect proprietary and confidential health information. This will force our industry to take healthcare cybersecurity a lot more seriously.
Darrell Bodnar, CIO of North Country Healthcare (Lancaster, N.H.): This type of situation does a couple of things. First, it demonstrates the potential impact that data manipulation can have. In the past, everybody thought of data breaches as having purely financial incentives for the hackers. As we have seen in recent years, however, data manipulation has become the preferred tool of political and election influence as well. I would suspect that industrial data espionage is widely prevalent, too, but not publicly reported.
This attack, however, is something new, using data to influence public opinion on a social topic that could have far-reaching effects on a global population. The motivation is purely a social agenda or movement, not a financial ploy. While I respect everybody's personal opinions, it's clear that altering factual data is not justified and potentially harmful to health outcomes. At the end of the day, it will only add to the confusion in an incredibly challenging time. My hope is that as with many other topics, consumers of data will look toward reputable sources of truth and that we are able to provide them securely.
The second impact this event brings front and center is the real vulnerability of some healthcare systems. While private systems have made great strides in recent years to protect healthcare data from becoming exposed, the industry is still behind other areas such as financial and manufacturing sectors. We are constantly focusing on the protection from data breaches for financial gains, with the exponential growth of ransomware attacks as a primary example. I fear, however, that public health systems are even more vulnerable and that the one thing we have not even begun to address is the potential for health data manipulation.
Healthcare is a data-driven service. As clinical care providers become more reliant upon systems to feed data into the EMR, that data could be altered or modified with extraordinarily little chance of its being detected. Many of these systems and devices are running proprietary or outdated software that is rarely patched and feeding data directly into our clinical systems. We are vigilant to ensure our data does not get exposed or lost, but undetected manipulation of clinical data affecting care delivery and potentially patient outcomes—that's what keeps me up at night.