Cybersecurity and COVID-19 Vaccine Efforts
In this Q&A, Peter Romness, Cybersecurity Principal, US Public Sector CTO Office, Cisco Systems, and Steve Caimi, Public Sector Cybersecurity Specialist, Cisco, discuss ways to secure this unprecedented effort.
How do efforts to distribute and administer the coronavirus vaccine pose challenges for governments?Caimi: There are all kinds of things that need to be coordinated and communicated. Who gets the vaccine first? What about the challenges of keeping it refrigerated and administering the correct dosages? When you look at something like this and the logistics that need to be thought through and then executed, it could be overwhelming. And then you must put security on top of it.
Hospitals and medical providers have consistently been the target of ransomware threats. What can state and local governments learn from their experiences?Caimi: In cybersecurity, we tend to think about confidentiality and integrity first, and then availability. But in health care, availability is paramount. Ransomware threats remind us that we have to do everything we can to keep systems up and running during the vaccine rollout. Like any cybersecurity problem, you have to take it and break it down to its fundamental components. People, process and technology controls absolutely apply to the vaccine rollout. When it comes to people, for example, one of the threats we saw early in the rollout was the health care worker who reportedly pulled out vaccinations that were in a freezer. This was someone who was trustworthy one day and then admitted to spoiling hundreds of doses. It goes to prove the idea of zero trust — a technology, person or device that can be good one day is not necessarily trustworthy the next. Authentication, authorization and constant monitoring — these are cybersecurity principles we can apply to these situations.
What is the role of state and local governments in vaccine distribution efforts?Caimi: The onus of distribution is on state governments, and each state must coordinate among different agencies and health care providers. Many states are leveraging public-private partnerships, but they require a lot of communication and coordination. Clearly that communication has to be secured. States are providing information on social media, and we can’t have false information floating around.
How can governments and their public health departments ensure personal health information remains secure given the unprecedented scope of the vaccination efforts?Romness: We really do recommend and advocate for a zero-trust approach. We like to break zero trust down into three steps — workforce, workplace and workload. First, we think about who we allow into certain resources. We call that the zero-trust workforce — the person logging into the resource and making sure the device they’re using is safe. People often don’t think about the second w — workplace. That’s all the other devices in the organization. In a medical environment, that could be all the medical devices on the network. Finally, there is the trusted workload, which is applications. What applications are talking to each other and what applications can talk to each other? You have to apply zero trust to all of them. Beyond that, it also includes thinking about your suppliers and vendors, and applying zero trust to them. We don’t want people to be overwhelmed and paralyzed. There is no one path to zero trust but taking its ideas into account is very important.
To view more videos like these, click here.