The Moderna, Pfizer and most recently Johnson & Johnson vaccines have received emergency use authorization from the Food and Drug Administration, while AstraZeneca plans to soon submit its vaccine for review by the agency.
That means multiple vaccines with different supply chains and global distribution, trickling down to diverse administration sites.
"In isolation, we're not dealing with things that are horrifically complex," said Simon Geale, senior vice president of client solutions for Proxima, procurement specialists. "But if you put them all together, you end up with one of the most complex operations you've ever seen, and it's different in every country."
The complexity of operations means the pharmaceutical industry is playing whack-a-mole to prevent hacks and counterfeiting. Last summer, the U.S. Justice Department accused hackers in China and Russia of trying to steal coronavirus vaccine research.
"We're laying down the tracks in front of the train," Geale said, adding that the supply chain is getting built so quickly that the industry is focusing on monitoring instead of prevention. "We're operating in unknowns, so vulnerabilities are appearing all around us."
The U.S. has well-oiled vaccine supply chains, but the COVID-19 one is different. The parties, including vaccine manufacturers, distributors, federal, state and county governments, and vaccine administrators have not necessarily worked together before.
Technologies like artificial intelligence, automation, collaboration tools and blockchain can help, by building trust and providing one version of the truth, increasing security and reducing fraud possibilities.
4 tools in the cybersecurity and counterfeit fight
COVID-19 vaccines have become the most valuable commodity on the planet, Geale said.
The vaccine research and early production phase has been the most targeted so far, by government and independent attacks, attempting to steal intellectual property, said Duncan Greatwood, CEO of Xage Security, an IoT security company. He's also concerned with cybercriminals conducting ransomware attacks or damaging the vaccines by changing the storage temperature.
Approaching vaccine security is no different than in other sectors, according to Geale.
"At the highest levels, the broad principles are the same," Geale said. That means creating secure-by-design systems, using cloud strategies, protecting system administration tools, and beefing up identity access management.
1. Zero-trust policies
Xage uses a zero-trust approach. That assumes no entity or person should be trusted without the appropriate permissions and verified identification.
A person working for a pharmaceutical company or with access to the lab does not need total access to the entire system, said Greatwood.
"You should have to prove who you are and that you're a member of the [permitted] group," he said. The same would be true in the distribution system.
Typically, production data is encrypted and signed at the point of production, Greatwood said. Xage provides API security where data is access-controlled. The API is then used for verification and electronic signature cross-checking, like ensuring the signature matches that on the software component of the temperature sensor.
"We're operating in unknowns, so vulnerabilities are appearing all around us."
Simon Geale
Senior vice president of client solutions for Proxima
Zero-trust systems require policies that include who — or what machines — are allowed to access specific data.
Previously in a production environment, a machine may be allowed to talk to any other machine, he said. A hack means that machine could then infect others. With a restrictive policy, a machine or human attempting to gain access when not allowed would generate an alert and prevent the hack from spreading. That can help prevent problems on the manufacturing floor.
It can take several steps to move from implicit trust to a zero-trust solution and may require adding software or hardware. Policies and processes need to change as well.
"When you give anyone access to everything, you don't need policies," Greatwood said.
2. Real-time visibility and tracking
Data loggers are the old technology, said David Parker, chief evangelist of Cloudleaf, an IoT sensor and visibility company. They can tell a company where the truck is, but not where the contents are.
Real-time data trackers are like having mobile devices attached to each shipment, said Parker. The device shares the products' location with stakeholders monitoring it on software platforms, which ensures insight into quality.
Meanwhile, the sensors give continual temperature readings, which is critical for vaccine logistics that require specific temperatures. Some sensors can share information on shocks, vibrations and ambient light detection. The sensors can share in real time if the tractor-trailer doors open at unexpected times, sending an email or text alert, or even notifying law enforcement agencies to intercept the delivery if programmed that way, Parker said.
Adoption of higher-level tracking devices, which can be placed on pallets, boxes or individual vaccine vials, has accelerated by two to three years because of COVID-19, Parker said.
"Everyone was talking about a digital transformation, but they were at the thought and discovery process, thinking about design and implementation. That's all been fast-tracked," he said.
Supply chains distribute hundreds of millions of vaccines
Algorithms determine the best route for a delivery, based on the criticality of the journey and client preferences. The shipment, even at an item level, is tracked from origin to destination, including the shipping route and waypoints.
If the carrier deviates from the designated route, or a door opens or closes when it's not supposed to, alerts are sent, said Parker. Cloudleaf or the client may ask the carriers about an unfamiliar travel pattern if the shipment takes an unexpected course, and they may recommend halting further shipments until they better understand the circumstances. This can help prevent theft and other issues.
Visibility and the alert system can save on other costs. Parker said that last year, a customer sending $8 million to $10 million in vaccines per shipment sent an empty tractor-trailer behind the shipment in case the main vehicle broke down.
"Given the technology we've implemented with them, they don't need the second tractor-trailer because they have full visibility," Parker said.
Tracker data may not be available 100% of the time. If wireless communication and cloud upload are not available, their sensors can store the information and transmit it when communication is restored. That can be difficult if the sensors are in areas of low connectivity.
3. No single point of access
Xage recommends using a distributed ledger approach to collect and store information, including passwords. If a person or software tries to use false data, thousands of other nodes will reject it.
"Distributed ledgers are powerful data structures for dealing with many party interactions," Greatwood said.
IBM has two products based on blockchain: the Vaccine Accountability Network and Digital Health Pass. The Vaccine Accountability Network is a platform linking the supply chain, from manufacturers to vaccine administrators.
The vaccine administrator can scan the vial to see the manufacturing date, temperatures along the supply chain, and verify storage temperatures at the administration site. If there were no problems with the vaccine, a green checkmark would appear. This information could transfer to the Health Pass app on a smartphone, where the vaccine recipient would have proof of inoculation, said Jonathan Wright, IBM's global head of Supply Chain for Business Transformation Services.
Temperature excursions cost healthcare shippers $34B annually
This blockchain technology can help in recalls, identifying where affected vaccine lots went.
"That underlying technology manages the risk of ensuring there is no counterfeiting, making sure that we have trust, and creating a platform where all parties can use the data at the same time," Wright said. The data already exists, Wright said, and the platform allows one version of the truth.
The Vaccine Accountability Network was tested on other pharmaceutical products in a collaboration between IBM, KPMG, Walmart and Merck. IBM is ready to pilot it for the COVID-19 vaccine.
Wright said in the first wave of vaccine distribution, there's no time to set up a solution like this. The goal is to get shots in arms. In the next phase, the focus will shift more to the recipient's experience, ensuring those who get vaccines are more comfortable with the process. There will be efforts made then to add value when the vaccination process is less of an emergency.
4. Digital certifications and serialization
Faking data is a common component of cyberattacks and counterfeiting, said Greatwood.
"The attacker wants the victim to believe everything is fine," he said, like providing fake temperatures or substituting vaccine information. "Data integrity is key for every phase of the vaccine system."
When implementing security and enforcement systems, Xage inserts software code at the point where it would be produced, like at the temperature sensor, so that data can be signed with a digital certificate and mapped to a fixed value.
Pharmaceutical companies include batch and lot identifications when serializing their manufactured products, said Parker. That information is coded into the smart label or sensor affixed to the vial. If someone tampers with the vial, altering the serialization, that signals that the product could be counterfeit.
"Data integrity is key for every phase of the vaccine system."
Duncan Greatwood
CEO of Xage Security
Serialization alone is not a complete solution, said Parker, as real serial numbers can be used on fake products. Digital certification and seeing the chain of ownership helps solve for that.
Most pharmaceutical companies have some security measures already in place, Greatwood said. "Very few are hoping and crossing their fingers." However, most also still have significant issues around assumed or implicit trust, he said, where a person is given more access than necessary.
Implementing new security measures is usually rolled out in phases through the supply chain, such as first on the production floor, then the lab facilities, followed by the distribution chain. The order can differ based on the company's priorities and current security efforts. It involves creating or understanding the current security policies.