Sean Kelley, Executive Vice President of Operations at Unissant leverages his 25 years experience in the Healthcare industry to weigh in on the security of the COVID-19 vaccine and healthcare in general during a pandemic. He offers the top things he would do as a CISO right now to make healthcare more secure.

Table of Contents

• [01:14] COVID Vaccines Safety
• [06:01] Jeopardizing the Delivery of Vaccines and Effective Treatment Options
• [11:02] Thinking From a COVID Perspective
• [16:34] Minimal Impact With Maximum Protection
• About Our Guest

COVID Vaccines Safety

Carolyn: Today we have Sean Kelley, executive vice president of operations at Unissant. He's the former chief information security officer for the US Environmental Protection Agency. Sean has over 24 years of health IT and cybersecurity experience in the federal and private sector.

Carolyn: He's also the host of Cyber Chat. It’s a monthly podcast discussing cyber topics and challenges impacting the federal community. He joins us today to talk about cyber security and healthcare during COVID-19, specifically to discuss how secure a vaccine is.

Sean: Thank you so much. Pleasure to be here.

Eric: You were also at VA for quite a while, right?

Sean: I was there for about four years. I was a deputy CIO when I left the VA over the insurance branch. When I was over the national capital region, the research arm of the VA fell under me. So I have some familiarity with this topic as well.

Eric: You know this space.

Sean: Just a little bit. Retired from Navy medicine as well. Most of my career has been in healthcare.

Carolyn: This weekend I was talking to my mom about how close we are to a COVID-19 vaccine. We have several companies that are in phase three, which means they're testing on people.

Sean: Moderna.

Carolyn: Moderna, there we go. They just started today. I told my mom that the companies developing this are being targeted by hackers and she was surprised. She said, "Why would anybody want to steal it or compromise it being developed quickly? Isn't it for the good of all?"

The Potential Theft of COVID-19 Vaccines

Carolyn: I would love for you to address that question, Sean.

Eric: Sean, before you even get to it, let me point out on May 13th the FBI released a press release looking at the People's Republic of China. Affiliated cyber actors and non-traditional collectors have been observed attempting to identify and illicitly obtain valuable intellectual property.

Eric: Also public health data related to vaccines, treatments and testing from networks and personnel affiliated with COVID-19 related research. The potential theft of this information jeopardizes the delivery of secure, effective, and efficient treatment options, right from the FBI and DHS.

Sean: That kind of tells you right there. Let's approach this from the outside and then bring it in. From an external source outside of the country, COVID is disruptive. It's wreaking havoc on the economy, it's wreaking havoc on people's lives.

Sean: There is a lot of justification why people would want to not let the United States get this solved. Because there’s some confusion and disruption that's happening within our society. You could go in a million different directions on how that would benefit a foreign actor, a state-run foreign actor.

Sean: We just had Houston, whatever's going on in Houston at the Chinese consulate and they were asked to leave and shut down. I don't know if that's related or not, but we're seeing a lot of activity.

Sean: When you get into the borders of the United States, you have companies. Whoever discovers this, this is going to probably be a billion dollars, at least, in revenue. And that's going to go to this company in packaging it and distributing it and treating it.

An Economic Advantage

Sean: There's a lot of thought that this could be like the new flu so every year we'll have to have a vaccine. Just think, if you're the first one, you're going to be in a great financial position.

Sean: Whether you're outside of the United States or inside, you're stealing it. But also, there's just people that will want to have that IP because of what it will represent.

Eric: I see it as an economic advantage. China's already getting their economy back in order. They’re able to, as an authoritarian state, shut down and do, from the reports we see, a decent job of marshaling COVID. I don't know that I necessarily believe their numbers. But they've done a good job and you see it in the productivity side.

Sean: No matter what we're talking about the economy, whether we're talking about IP and stealing, to be the first company out, whether you're a state run actor, doing this is all about the economy. This is all about this disruption. Because they are the society, they’re able to get control on it as quickly as possible and move forward. They're in the driver's position.

Sean: But there's so many other things going on in this world that are more important to them. The quicker they can be in front of those, the better.

Eric: Long term here, Carolyn, as you talk to your mom, they're trying to gain economic advantage over everybody else in the world. That's really their intention. If they can advance their research so that they don't have to buy, which is cost and they can treat their people faster, that saves lives. But it also, from an economic perspective, is a ton.

Jeopardizing the Delivery of Vaccines and Effective Treatment Options

Eric: Another thing, if you read the FBI report, it talks about jeopardizing the delivery of secure, effective, and efficient treatment options. One of the things we have to worry about in cyber is always sabotage. You think about it from an economic advantage perspective.

Eric: I'm not basing this on any reports I have but imagine if you can steal the code. You can also change, modify, or insert something that puts one of the other nation states out there at a disadvantage.

Carolyn: If China were to get the vaccine first, would we take it from them? Would we trust that?

Sean: It depends. I don't know what the numbers are today. But we had over a thousand deaths the last three days that I understood in there. There's a lot of conspiracy theories, we can go in a million different directions. But at the end of the day, when you're losing that level of lives everyday.

Sean: We have this level of infections that we've been having, I would imagine that our folks will put it through some kind of testing. Also think about the leverage the country that comes out with this will have on other countries in different negotiations.

Sean: There's just so much to this. Right now, I don't know in my lifetime, have I ever seen anything like this. I think we're all kind of in uncharted territories. We were talking about quantum computing as a race a year ago. Now I think the race is to this pandemic vaccine.

Eric: Certainly the near term race.

How Privacy Laws Have Slipped

Carolyn: Part of getting to the vaccine and just getting this pandemic under control, privacy laws have slipped a little bit.

Sean: Relaxed, definitely relaxed.

Carolyn: Let's talk about that for a minute. What does that mean now and in the future?

Sean: A couple of things. I said a couple of years ago that a privacy fight is kind of out the window. What everybody wants to know about us, they got. For the convenience most of us have allowed our innate privacy to go by the wayside. By the time a lot of Americans realize that it will be too late. Because pretty much what they want to know about us, they know.

Sean: But HHS has recently relaxed privacy regulations to enable telemedicine and telehealth initiatives because they're just at capacity. That has also introduced great risk because a lot of organizations weren't ready for that. They weren't ready to expand their telehealth and telemedicine posture the way they are.

Sean: The fear is now that people kind of just plugging things in to get it out there and help people be safe and healthy. But the security ramifications of this is going to be great coming down the road.

Eric: Not only is a doctor more accessible, but now the data more accessible, too.

Sean: You said it, they could hijack the calendar. They can hijack anything associated with that business if they didn't lock it down correctly.

Eric: I used to go to my doctor, Carolyn, and he would write everything down on a clipboard chart. Then at some point, I didn't go very often. But he would have somebody in there typing on a laptop while he was asking me questions about my knee.

Are Vaccines Safe When Administered Over Tele-Consults

Eric: Or whatever it may have been, but he was still writing it down. I haven't been to the doctor since COVID began, but I imagine everything's online. Everything's accessible. They're not writing it on paper anymore, I suspect.

Carolyn: I feel like it was all online even before COVID. My doctor types into the computer.

Sean: There's definitely been a movement with HHS incentives to move everybody towards electronic healthcare records and being able to exchange that data electronically. We've been moving in that direction.

Sean: We're seeing during COVID that there’s been a big push to do a lot of care remotely over video, over telephone, over tele-consults. There has been a big amount of our large volume of patients that are no longer going to the facility. But they can actually see their doctor like we're talking right now.

Carolyn: This is going to sound really naive, but why would anybody be interested in my doctor visit? Why would I be worried about that?

Sean: For you, what it could do is it can add on. So social security numbers on the dark web have so much value. A date of birth has so much value. But the more that I know about you, the bigger I can make a profile and the bigger that I can go for what I'm trying to go for, financial advantages to take advantage of that data.

Sean: Also fraud, claims and putting in claims under your name. The more that you can build up that profile, the more value. Healthcare records were already valuable before the COVID. They were already probably more valuable than anybody's social security number at this point.

Thinking From a COVID Perspective

Eric: Think about it, from a COVID perspective, there's a lot of money out there and there aren't a lot of controls around it right now. So if somebody can steal enough data to impersonate a large group of people, they can go after all that money that the government is handing out at this point. That isn't as well maintained or marshaled as it should be.

Eric: Additionally, if you are somebody in a place of interest, they can gather information about you. Social security numbers, all kinds of information, that allows them to hack your password or impersonate you with IT to get into the organization.

Eric: If you work for Pfizer, you may be a key research scientist and they want that information. There's now another alternate path or an additional path to gain information to get into the business.

Eric: The other thing is you can study a society. If you can hack enough people, you actually have a generalized view of what's happening medically in certain areas of the country.

Carolyn: I just read an article in the Washington Post. It actually said that stealing vaccine research doesn't necessarily directly violate the rules of the road. What does that mean? How does it not violate the rules of the road?

Carolyn: President Trump loosened the restrictions on what we can do in cyber. The report just allowed the CIA the ability to do a lot more. They don't have to go to the president necessarily to do a cyber attack. So the Washington Post said because of that, stealing vaccine research isn't necessarily violating the rules of the road.

Coming Up With Vaccines Safe Enough to Protect People

Eric: Well, I haven't read the article and I don't want to touch this one. So Sean, I'll hand this over to you.

Sean: So, I would say it is intellectual property. The same rules that represent intellectual property and companies' interests would be governed here. At the end of the day, it goes back down to, I'm not a national security person. But I am someone who would be helping companies secure their IP.

Sean: When we get down to IP, as you mentioned in the first question, this is worth billions. If I'm able to steal your research and look at your research and compare it to what's going to mine then figure out what the disconnect is in what I'm doing, or what testing you are doing to fast track this.

Sean: Again, everyone's racing towards this. To be the country that came up with a cure for COVID, or at least, vaccines safe to protect people. Some articles that I read said some of the vaccine trials have said that the immunization. The immune system has responded eight times than if someone has been exposed by themselves, they only get it twofold. Just think about that.

Sean: I think it should fall into the IP rules and companies should be able to address it. We've heard many times the accusations that China is stealing IP, has been for years, decades. So I feel like this just falls back in there.

Eric: So Sean, you were a CISO. You have the CIO background. What would you worry about here? And what would your advice be to these organizations?

How to Protect the Data

Eric: Whether governmental agencies like NHS, VA where I know you have the background, the military itself or private agents. Private organizations like Pfizer, Moderna, doctor's offices, what do you recommend?

Sean: First is data. The data that is being used in this research and to develop this vaccine is gold, if not diamonds. So how do I protect that data first and foremost? How do I protect the folks that are working on it in the environment that they're working in first and foremost?”

Sean: That would be how do I deal with it at the data level. How do I deal with it at the system level? And how do I do it at the peripheral level and around their perimeter to make sure that they're 100% secure?

Sean: Active and robust monitoring so that if someone is knocking on the door, trying to feel the way around that I'm detecting them early and making sure that they don't get in. And we can adjust our security posture as we do.

Sean: The next thing is looking at the overall if I'm a healthcare institution and I want to expand my services. We talk about this all time didactically, but how do we make sure the security is in the room? I want to expand telehealth. My ER is overrun, my ICU is overrun, and I got a million one of our patients in our IPO.

Sean: I'm sorry, not IPO, but healthcare organizations that are calling their doctor and we just don't have the bandwidth. So we're going to do this telemedicine to increase our bandwidth. Well, okay, great. But you're now opening an opening into your network.

Minimal Impact With Maximum Protection

Sean: How can we do that in a short and long term? As both of you mentioned earlier, we're really dealing with today's problems. Making sure those problems don't haunt us three, six, 12, 18 months down the road.

Eric: Yes, tomorrow. The other thing, when you look at the practitioners, whether they're doctors and nurses or scientists, I suspect they're all rushing 100% effort on saving patient lives, treatment plans, or research.

Eric:  They're not thinking cybersecurity at all. So you'd have to come at it, how do I minimally impact them and their ability to do their jobs while maximizing the protection for them? Is that fair?

Sean: It is fair. First thing I don't think they think about it every day anyway. There's always a constant struggle with the healthcare providers and the IT folks just trying to do things. Through IT, the CIO's a little bit more mature than the CISOs, but they've learned to be business partners.

Sean: How do we help them? You have to take the relationships that are hopefully already cemented and say, "This is what we're going to do. We're going to try to make you secure." But a lot of our business practitioners really do look at security as a nuance or a nuisance. We've got to find ways to protect them without them really knowing.

Sean: Eric, I think you bring up a great point. I think not only in the healthcare institution, everybody's just kind of relaxed. There's so much information coming out and there's so much remote touching of people, whether it's text messages, emails. What we're seeing is really sophisticated attacks from phishing. Phishing has come a long way and it's really robust right now.

Active Participants in Keeping the Vaccines Safe

Sean: I got an email the other day. When I read it the first time, I literally thought this was a real email. Then when someone said, "No, I don't think so, that doesn't make sense." They weren't questioning the email, they were just making the scenario didn't make sense. I went back and I really examined the email really strongly.

Sean: It was a complete hoax. My first look at that, they had particulars. They had dates, they had phone numbers, they had people. This isn't just a blind phishing attack, this is very coordinated. It's very tailored that that email was tailored to me.

Sean: Now, think about it, you have a doctor who just worked a 24 hour shift in the ER. They’re exhausted, mentally drained, emotionally distressed. They decide to check their emails real quick and they get an email there. It’s fresh and looking at it, it looks real, they go and click, they click the link.

Eric: You have a cyber background, too.

Carolyn: Well, you just made a really good point. It was an aha moment for me. There's two different missions here. The practitioners, they're focused on taking care of the patients.

Carolyn: The security does, it's a nuisance. It gets in their way, it sometimes prevents them from taking care of their patients. That is not their objective. Then we have the cybersecurity people that want to keep it safe. I loved what you said, we've got to make it easy. We've got to do it for them.

Sean: It has to be almost invisible. They have to be active participants because we can't protect every piece of data out there.

Getting Into Conversations With Healthcare Providers

Sean: The stakeholders have to be involved, but at the same time, we've got to make it easy for them. If it doesn't, you start getting into conversations with healthcare providers.

Sean: They say, "Well, you're going to cost people their lives if you do this. We're reduced in capability, etc." And when you were a security provider, this CISO, the CIO, or anybody, you're never going to win when you get into that level of conversation. You've got to win them and get their trust way ahead of time.

Eric: It goes back to the default, mission always trumps security.

Sean: It does.

Carolyn: I'm going to bring us to a close on that. There's our call to action. The cybersecurity professionals to make it invisible and easy for our practitioners that are out there saving lives. We need to enable them.

Eric: We need to understand them and then enable them in an easy fashion as Sean says.

Eric: What do you think your mom will say, Carolyn?

Carolyn: She will have a better understanding after listening to this, I do. Thanks to all of our listeners. You can get information about the COVID-19 vaccine and links to Sean's podcast on our show notes. Until next week, be kind to others, wear a mask, be kind to yourself, run your updates.

About Our Guest

Sean Kelley is Executive Vice President of Operations at Unissant. He is the former Chief Information Security Officer for the U. S. Environmental Protection Agency. In this role, he served as an executive responsible for providing enterprise-wide leadership. To establish and maintain a comprehensive Information Security and Data Privacy program.

Mr. Kelley has over 24 years of Health IT and Cyber Security experience in the federal and private sector. He has held positions as a Deputy Chief Information Officer of Benefits. The Chief of Staff and Principal Senior Advisor to the Assistant Secretary for Information & Technology. And the Chief Information Officer for the Veterans Affairs.

Prior to Federal service, Mr. Kelley served as an Independent Consultant with numerous Healthcare, IT and cyber security companies. Sean also hosts Cyber Chat, a monthly podcast discussing cyber topics and challenges impacting the federal community.