COVID-19 Vaccine Passports can normalize international travel and lead to economic revival. However, phishing and other social engineering attacks pose a very grave threat and must be addressed to prevent threat actors from getting access to your crucial information assets.
Countries worldwide have purchased millions of vaccines hoping that the world’s population will become immune to COVID-19. All organizations desire a return to normality, especially in the matter of travel. The successful implementation of a Vaccine Passport or e-vaccination certificate will enable easy cross-border travel without infection risk. Such a solution is critical to industries like tourism and global economic revival.
However, the healthcare sector is among the most targeted sectors by cybercriminals, and threats like phishing pose a significant risk to the project and international security. This article discusses covid vaccine passports in detail, along with the threat posed by phishing and other cybercrimes. Finally, it touches upon how organizations and users can protect themselves from phishing and the need for standardization in vaccine passports.
(Image source: Pixabay.com)
What is a COVID Vaccine Passport?
A COVID Immunity passport is a document from an official authority that certifies that an individual has been vaccinated and immune to COVID-19. The theory is that passport vaccine holders will be allowed to enter a foreign country to prove they have received a vaccine against SARS-CoV-2.
The health passport concept is not a new idea. The World Health Organization already issues something similar, known as the yellow card, or Carte Jaune, that documents vaccinations against diseases like chorea, yellow fever, and rubella.
Vaccine Passport 2021: A Global Project with Global Risks
The COVID immunity certificate idea is being considered by several countries and organizations around the world. As such, any breach in the COVID vaccine databases can compromise the health information of billions of people around the world. Such a situation would be the worst cybercrime event in history. Taking a look at immunity card developments lets us understand how widespread the idea has become.
Cyprus was the first European country that announced it would abolish quarantine rules for vaccinated travelers. Greece, meanwhile, has called for a continent-wide EU Vaccine passport and was backed by Belgium. The Vaccine passport – UK is a physical card that proves vaccination and includes a vaccine passport app and certificates in its programs. Other Countries like Spain, Denmark, Estonia, Iceland, and Hungary have similar plans. The Vaccine passport airlines project from the International Air Transport Association is a non-governmental initiative. Other private organizations have also proposed immunization-based apps.
Digitization of Medical Data Attracts Cybercrime
The vaccine health passport projects mentioned above are digitized and store data in centralized or decentralized servers. The storage of medical information on a large scale is sure to attract the attention of cybercriminals. This fact is because medical information is highly sought after by adversaries. Medical records contain information such as Social Security Numbers, names, addresses, birthdays, and others and can command as much as $1,000.
Some other reasons why cybercriminals can target the healthcare sector in general and vaccine passports in particular include:
- Large Amounts of Data: The industry deals with an enormous amount of protected financial and health information.
- Patient Lives: Adversaries take advantage of the fact that given the fact that providers cannot deny ransom without putting their patients at risk.
- Reliance on Technology: The healthcare industry is highly reliant on technology. Medical institutions use several connected devices, data in transit, and touchpoints that are appealing vectors of attack.
The unmitigated digitization of health records at a global scale can lead to potential disaster. COVID-19 has already seen a significant upward trend in cybercrime, and with COVID Passports being made, the problem is likely to worsen.
The graph given above shows the massive rise in COVID-related cyberattacks during the first few pandemic months.
Phishing: The Top Security Threat of the 21st Century
75% of executives surveyed by CybeReady‘s State of Security Awareness Training report states that phishing is the most significant threat. Phishing is a social-engineering attack that seeks to manipulate psychological vulnerabilities in people. In a phishing attack, adversaries act as legitimate organizations and companies to gain victims’ trust and obtain information fraudulently.
Some common ways phishing attacks are conducted include adversaries sending out a large volume of emails made to seem as if they are from genuine organizations. Such emails can contain malicious links that compromise a computing system when someone clicks them. Some phishing variants include spear-phishing, where emails are carefully crafted to appeal to the recipient’s curiosity, fear, or other emotions using genuine data that may have been gathered from their social media accounts and other places. Vishing is voice-phishing, while SMSishing involves SMSes.
Phishing and social engineering attacks are a grave threat as they can bypass technical defenses governments or other institutions set up. They can thus be used to compromise the vast volumes of medical data a COVID vaccine database might contain.
Some cybersecurity statistics during the COVID -19 era that shed light on the current situation include:
- COVID-19 related email scams jumped by 667% in March alone.
- People are now three times more susceptible to click on pandemic related phishing scams.
- 90% of all coronavirus related domains are fraudulent.
- Phishing was related to 67% of all security breaches before the pandemic. This number is now expected to rise.
- Google is now blocking more than 100 million phishing emails a day.
Why is Phishing the Biggest Threat to COVID-19 Vaccine Passports?
Phishing has always been among the top cybersecurity threats to the healthcare industry. According to a recent report from Wandera analysts, phishing was the second-largest cybercrime affecting the healthcare sector, and 56% of all healthcare organizations had suffered from phishing attacks.
Phishing attacks have continuously risen in both scope and volume since the COVID-19 pandemic started. The 600% increase in phishing attacks over the last few months means that this cybercrime is now an even more significant threat to healthcare than it was before. Spear phishing is a particular menace for executives and authorized personnel, and the authorities related to the COVID vaccine passports will likely be targeted.
The following factors make phishing the most significant risk to vaccine passports:
- Third-Party Vendors and Phishing: Healthcare organizations rely on a wide range of third-party suppliers to deliver services to them. Third-party organizations often do not have the same cybersecurity standards and are used as an entry point into larger healthcare organizations. This gateway could be used to carry out vaccine passport invoice scams or other cybercrimes.
- Inefficient Phishing Awareness: Medical institutions have a very high turn-over rate, and thus, a new stream of susceptible employees are continuously injected into the system. Phishing awareness programs are, therefore, not wholly effective.
- Remote Work and Phishing: Phishing attacks over remote working, for example, may cause employees to disclose passwords of privileged accounts, which can then be used to target vaccine passport data. Remote workers are more likely to become victims of phishing attacks, and thus this is a likely scenario.
- Insider Threats via Phishing: According to Verizon, Internal threats account for more than 56% of all healthcare industry incidents. These are mostly unintentional workers who become victims of phishing attacks. However, low-level disgruntled employees, who may perhaps be part of conspiracies like QAnon or Anti-vaccine protestors, might conduct a spear-phishing insider attack to sabotage vaccine passport information.
- DDoS Attacks Caused by Phishing: Phishing can be used to get the passwords of IoMT (Internet of Medical Things) and other devices and then cause massive DDoS attacks that can, in turn, prevent people from using their vaccine passports.
- Rising Sophistication of Social Engineering: Cybercriminals are increasing the sophistication of their phishing attacks. Cybercriminals are now using advanced machine learning and artificial intelligence technologies to launch even more convincing phishing attacks. For instance, they can get information about a CEO from a video and use deepfake technology to impersonate their voice and face while phishing.
- Mobile Phishing: Phishing attacks are not limited to computers. As people are increasingly using mobile phones, cybercriminals are conducting phishing attacks through them. Such attacks may steal confidential passport information if it is stored on mobile devices. Verizon’s Data Breach Report 2019 states that 25% of healthcare organizations suffered from mobile-related breaches, with 67% of said breaches classified as significant.
- Lack of Phishing Preparedness: A survey by Survata shows that 95% of respondents underestimated how often phishing was used to start data breaches. Surprisingly, 64% also had awareness training as their top concern. The data shows that although professionals realize the need for training, they still do not understand the problem’s magnitude. Vaccine passports are at risk from such attacks.
- Phishing is Used To Launch Other Attacks: Around 91% of all cyberattacks start with phishing emails. Email phishing was the most significant vector for ransomware until remote ports, and public-facing servers began gaining popularity. Recently, Proofpoint researchers have found a resurgence in email phishing.
Cybersecurity Issues in Vaccine Passports That Phishers Could Exploit
There are several issues regarding COVID 19 Passports. These range from ethical concerns of people like disadvantaged sections of society unable to travel to political issues such as privacy rights.
The biggest issue, however, is that of cybersecurity in general and phishing in particular. The data storage associated with COVID 19 vaccines brings several privacy and security risks that need to be addressed.
Some cybersecurity issues include the following:
- Lack of Encryption: Encryption is a must for protected health information or PHI, but some vaccine passports from third-parties could have flaws like unencrypted backups that can be exploited. Although encryption cannot guarantee protection against phishing, it provides a degree of protection.
- Data Storage Issues: The ideal solution would be to store the user’s data on their smartphones. However, that brings problems, too, as they may remain susceptible to phishing.
- Secure Connection Issues: The passports need to connect with vaccination centers to certify results securely. There are possibilities of Man-in-the-middle attacks and even phishing attacks where adversaries pretend to be authorized centers.
- Changing Health Department Norms: Health department requirements are continuously adjusted as new information arises, and vaccines are made available. The confusion could lead to more phishing attacks.
- Unsecure Apps: Different smartphone apps might be used for vaccine passports. The problem comes up because data is shared between different parties involved. If one organization gets compromised by a phishing attack, the entire database connected to it could get compromised.
Protecting Vaccine Passport and Other Data From Phishing
Safeguarding vaccine passport and other information from phishing attacks are vital. Some methods users can deploy to protect themselves from such attacks include:
- Using Anti-Phishing Solutions: Dedicated anti-phishing solutions go a long way in protecting users and organizations against social engineering-based cyberattacks.
- Avoid Suspicious Links or Attachments: Phishing emails entice users to click on malicious links or attachments.
- Avoid Entering Personal Information On Pop-Up Screens: Genuine organizations will not ask for information using pop-up screens.
- Anti-Phishing Awareness: Every Organization related to the vaccine passport should undertake anti-phishing awareness training with simulated attacks.
- Employee Data Security: Organizations must take care that employee data cannot be mined from websites like LinkedIn. A simple request to data mining aggregators can remove personal data from being sold.
- Scan For Exposed Email Addresses: Vaccine passport organizations should scan the internet for exposed emails or other employees’ credentials.
The COVID Vaccine Passport project can restore normalcy to the world and revive the travel industry. However, it faces severe challenges like phishing that need to be addressed. Further, the WHO has stated that although it recognizes the need for vaccine certification and tracking, it opposes vaccination passports as a travel requirement for the time being. According to the WHO, vaccination passport is an idea that currently has uncertainties. These range from the effectiveness of vaccinations and standardization of vaccination proofs. Therefore, the organization is working on setting up global technical specifications and standards before e-vaccination certificates can be used worldwide as passports. Such a cautionary stance by the WHO shows the project’s extreme sensitivity and need to protect it from cyberattacks like phishing.
Meghan Hufstader Gabriel, Data Breach Locations, Types, and Associated Characteristics Among US Hospitals,
Roscoe Whalan , Europe desires coronavirus ‘vaccine certificates’ asap. But how will they work, and who would sign up?
David Strom, It’s time to think about getting a Covid-19 vaccine passport for travel,
Fignet, 5 Ways Big Data is revolutionizing and transforming the Healthcare Industry,
Europol, COVID-19 SPARKS UPWARD TREND IN CYBERCRIME,
CybeReady, The Security Of Security Awareness Training,
Jessica Davis, Google Finds Phishing Success Based on Targeted Nature, Evolving Variant,
Veronica Combs, The five most significant cybersecurity threats for the healthcare industry,
Kevin Lancaster, Phishing Attacks Increase As Pandemic Scams Flourish,
Verizon 2020 Data Breach Report
Robert Best, How AI and ML are Leading to More Business Phishing Attacks,
Jessica Davis, 25% of Healthcare Providers Faced Mobile Device Breach in 2018,
Sherrod Degrippo, Ransomware as an Initial Payload Reemerges: Avaddon, Philadelphia, Mr. Robot, and More,
Euronews and AFP, Coronavirus: WHO against vaccine passports as a condition for travel ‘for the time being,’
WHO, World Health Organization open call for nomination of experts to contribute to the Smart Vaccination Certificate technical specifications and standards,
BACK TO MAIN PAGE