Authorities warn hospitals of potential physical, cyber threats to vaccine supplies

State health officials are urging hospitals to keep specific delivery dates and vaccine location information confidential. However, many medical centers are identifying themselves as recipients and soon-to-be distributors of Pfizer’s first phase of vaccine doses. (Source: KLTV)

CHARLESTON, S.C. (WCSC) - The South Carolina Department of Health and Environmental Control will not identify which medical facilities will receive the COVID-19 vaccines at this time, citing physical and cyber security concerns.

Instead, state health officials are urging hospitals to keep specific delivery dates and vaccine location information confidential.

However, many medical centers are identifying themselves as recipients and soon-to-be distributors of Pfizer’s first phase of vaccine doses.

“Different states or facilities are announcing various degrees of information. At this time, South Carolina considers providing the specific locations of limited quantities of vaccine a security risk, with regard to the possibility of theft or disruption to the state’s fair and equitable vaccine distribution plan,” a statement from SCDHEC said.

“Agencies are working together to ensure vaccine is stored in safe, secure locations,” state health officials said. “Of course, information about vaccine locations and providers will widely be available as vaccine production ramps up and the vaccine becomes available for everyone.”

Other states are being much more transparent about where the COVID-19 vaccine will be available.

On Thursday, the North Carolina Department of Health and Human Services released a list of the 53 hospitals that will be getting the first round of COVID-19 vaccines in the Tar Heel State.

In the meantime, the South Carolina Law Enforcement Division has urged hospitals to review their physical security procedures. SLED officials are also concerned about cyber threats to those facilities receiving the vaccine. The agency released a COVID-19 Vaccine Cyber Situational Awareness Report on Dec. 7, which outlined several “cyber actors” who may prey on entities and convince them to divulge sensitive or financial information.

“Due to the ongoing COVID-19 pandemic, cyber threat actors, hacktivists, or anyone with the wrong set of tools can take advantage of organizations that are currently overextended and underfunded. While cybersecurity recommendations and other common tips can assist in avoiding a network disruption, nothing can ensure the possibility of an attack is completely mitigated,” the report stated.

SLED warned that “cyber threat actors” may use phishing campaigns to brand spoof and impersonate well-known or trusted entities.

“With many continuing to work from home, users may let their typical guards down and be more likely to take action on emails from unverified senders, particularly those dealing with measures that affect health and public safety,” the report stated.

It is feared these so-called “malicious cyber actors” may be targeting the global COVID-19 cold supply chain, which is an integral part of delivering and storing a vaccine at safe temperatures, according to the report.

“On December 3, 2020, CISA and IBM X-Force released a report showing that since at least September 2020, these actors have been attempting to impersonate biomedical companies and sending phishing emails to executives and organizations involved in vaccine storage and transport to harvest account credentials. The emails pose as requests for quotations for participation in a vaccine program. An HTML attachment is included with the malicious email. When opened, a prompt for the user’s credentials is seen before the file can be viewed,” the report described.
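For mail administrators, one way to triage the pattern the report describes (an HTML attachment that prompts for credentials) is sketched below. It is an added example, not code from the SLED, CISA or IBM X-Force reports; the message contents and file names are constructed, and a password field in an attachment is only a heuristic for flagging mail for review.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser


class PasswordFieldFinder(HTMLParser):
    """Sets .found when the document contains <input type="password">."""

    def __init__(self):
        super().__init__()
        self.found = False

    def handle_starttag(self, tag, attrs):
        if tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.found = True


def credential_prompt_attachments(raw_message: bytes) -> list:
    """Return filenames of HTML attachments that contain a password field."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        is_html = part.get_content_type() == "text/html" or name.lower().endswith((".html", ".htm"))
        if not is_html:
            continue
        body = part.get_payload(decode=True) or b""
        finder = PasswordFieldFinder()
        finder.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
        if finder.found:
            flagged.append(name)
    return flagged


def build_sample(html: str, filename: str) -> bytes:
    """Constructed test message: plain-text body plus one HTML attachment."""
    msg = EmailMessage()
    msg["Subject"] = "Request for quotation"
    msg.set_content("Please see the attached request for quotation.")
    msg.add_attachment(html, subtype="html", filename=filename)
    return bytes(msg)


# Constructed sample attachments (not taken from any real campaign).
PROMPT_HTML = '<html><body><form><input type="text" name="user"><input type="PASSWORD" name="pw"></form></body></html>'
PLAIN_HTML = "<html><body><p>Quotation terms and delivery schedule.</p></body></html>"

if __name__ == "__main__":
    print(credential_prompt_attachments(build_sample(PROMPT_HTML, "rfq.html")),
          credential_prompt_attachments(build_sample(PLAIN_HTML, "terms.html")))
```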

“SLED understands that our doctors, nurses, and other health care workers are critical in the battle against COVID-19 and that their health and safety are vitally important. Out of an abundance of caution and as a professional reminder, during a recent conference call with DHEC, we took the opportunity to encourage Health Care facilities to review their physical security procedures. The purpose and goal of the comment was to remind everyone of the importance of physical security. We thank the SC Hospital Association for relaying that message to their members,” said SLED’s Public Information Officer in a statement.

Copyright 2020 WCSC. All rights reserved.