Health-ISAC Hacking Healthcare 5-19-2021

TLP White: This week, Hacking Healthcare takes an in-depth look at two issues. First, we examine the Biden administration’s openness to COVID-19 vaccine patent waivers, which breaks with decades of policy precedent and raises interesting questions about intellectual property (IP) protections and the effect they may have on cyber espionage and attacks. We then break down some of the secondary effects of the Colonial Pipeline attack to try and draw out some useful insights.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal).

Welcome back to Hacking Healthcare.

1. Biden Backs COVID-19 Patent Waivers

On May 5th, President Biden announced that his administration was open to the idea of waiving patent protections for COVID-19 vaccines, as outlined in a World Trade Organization (WTO) proposal put forward by India and South Africa. The move was unexpected by many and represents a deviation from the past presidential policies of both political parties on such matters. If the proposal gains widespread support and adoption, the healthcare implications could be enormous. However, it does raise some questions about intellectual property (IP) protections, especially in relation to COVID-19 IP.

The proposed WTO waiver cites the devastating effects of COVID-19 as necessitating working together to “ensure that intellectual property rights such as patents, industrial designs, copyright and protection of undisclosed information do not create barriers to the timely access to affordable medical products including vaccines and medicines or to scaling-up of research, development, manufacturing and supply of medical products essential to combat COVID-19.”[1]

The proposal asks for, among other things, the removal of Trade-Related Aspects of Intellectual Property Rights (TRIPS) protections that would ultimately affect numerous COVID-19 research, development, and manufacturing technologies. The hope is that removing TRIPS protections would allow scaling up of manufacturing, research, and development globally to help address the growing gap in accessibility to COVID-19 vaccines and treatment, which is illustrated by the fact that “[f]ewer than 1% of people in low-income countries have received COVID-19 vaccines.”[2]

While many public health professionals and governments have praised the move, there is opposition. Many pharmaceutical organizations and trade groups, as well as governments like the UK, Canada, and Japan, have argued against such a move, citing concerns about stifling innovation, compromising safety and security in manufacturing, and expressing some doubt as to whether these barriers are actually the bottleneck for vaccine shortages.[3], [4] Opposition to the proposal is significant, and few expect the issue to be resolved quickly even after the US lent its support for the waiver.

Action & Analysis
**Membership required**

2. Colonial Pipeline’s Secondary Effects

The Colonial Pipeline cyberattack that shuttered fuel delivery operations for a wide swath of the southeast coast of the US appears to be heading towards a complete recovery and resumption of operations.[5] While the details of one of the most consequential known cyberattacks on US soil have been written about in depth by numerous outlets, the full story may be some time in coming. Rather than rehash what is known or speculate on what isn’t, it may be more useful to note many of the secondary effects this attack has had to draw out some useful takeaways.

For legislators, cybersecurity has remained one of the issues both parties in Congress tend to be able to find common ground on. With SolarWinds and simmering election security issues still top of mind, the Colonial Pipeline attack has further forced lawmakers to confront cybersecurity as a primary concern. Members of Congress from both parties have since touted the need for current bills like the Cyber Response and Recovery Act of 2021 to better prepare the country to respond to similar incidents in the future.[6] One of the key aspects of the Cyber Response and Recovery Act of 2021 would be the creation of a response and recovery fund to help pay for the costs of responding to and remediating significant cybersecurity incidents.

Staying on the domestic front, Colonial Pipeline’s decision not to notify the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) of the attack is a cause for concern. CISA only became aware of the attack after being alerted to it by the Federal Bureau of Investigation (FBI). When asked at a Senate hearing if he believed Colonial Pipeline would have eventually reached out to CISA, acting CISA director Brandon Wales responded with an emphatic “No.”[7]

For the international community, the Colonial Pipeline incident has been a reminder that cyberattacks that can cripple critical infrastructure are a very real threat, and pressure needs to be put on countries that harbor cyber criminals to accept the responsibility to address it. While not speaking directly or specifically to just the Colonial Pipeline attack, UK foreign secretary Dominic Raab warned Russia last week that they “can’t just wave their hands and say it’s nothing to do with them,” and that “Even if it is not directly linked to the state they have a responsibility to prosecute those gangs and individuals.”[8] President Biden reiterated a similar message, although in a softer tone, by stating that Russia has “some responsibility to deal with this.”[9]

Cybersecurity experts and journalists were also keen to focus on what the attack means for ransomware. Some have suggested that Colonial Pipeline’s alleged payment of $5 million will continue to “embolden other groups going forward” and further incentivize attacks against critical infrastructure.[10] There is a worry that this attack may now inspire copycats specifically looking to make off with similarly large ransoms.[11]

Finally, despite pleas not to panic buy gasoline, widespread shortages were reported up and down the US’s southeast coastal states as people flocked to gas stations to fill up a reserve. Not only did this cause unnecessary lines at gas stations dozens of cars deep, often snarling traffic, but it largely contributed to reported gas shortages at 80% of gas stations in Washington, DC, 63% of gas stations in North Carolina, 40% of gas stations in South Carolina, and 38% of gas stations in Virginia this past weekend.[12] The shortages coincided with a gasoline price increase across states and impacts to trucking transportation.[13], [14]

Action & Analysis
**Membership required**

Congress–

Tuesday, May 18th:

– No relevant hearings

Wednesday, May 19th:

– Senate – Committee on Homeland Security and Governmental Affairs: Hearings to examine COVID-19, focusing on evaluating the medical supply chain and pandemic response gaps.

Thursday, May 20th:

– No relevant hearings

International Hearings/Meetings

Friday, May 21st:

– European Commission and G20: Global Health Summit

EU –

– No relevant hearings

Conferences, Webinars, and Summits –

https://h-isac.org/events/

Contact us: follow @HealthISAC, and email at contact@h-isac.org

[1] https://docs.wto.org/dol2fe/Pages/SS/directdoc.aspx?filename=q:/IP/C/W669.pdf&Open=True

[2] https://www.nature.com/articles/d41586-021-01224-3

[3] https://www.npr.org/sections/coronavirus-live-updates/2021/05/05/993998745/biden-backs-waiving-international-patent-protections-for-covid-19-vaccines

[4] https://www.reuters.com/world/europe/eu-willing-discuss-covid-19-vaccine-patent-waiver-eus-von-der-leyen-2021-05-06/

[5] https://www.colpipe.com/news/press-releases/media-statement-colonial-pipeline-system-disruption

[6] https://www.congress.gov/bill/117th-congress/senate-bill/1316?q=%7B%22search%22%3A%5B%22cyber+response+and+recovery+act%22%5D%7D&s=2&r=1

[7] Reuters. Colonial Pipeline didn’t contact us ‘directly,’ cyber chief says https://www.youtube.com/watch?v=_YV3Hn7-J8s

[8] https://www.bbc.com/news/technology-57084943

[9] https://www.rferl.org/a/fbi-confirms-darkside-hacker-group-pipeline-cyberattack-russia/31248174.html

[10] https://arstechnica.com/information-technology/2021/05/colonial-pipeline-paid-a-5-million-ransom-and-kept-a-vicious-cycle-turning/

[11] https://www.cyberscoop.com/pipeline-ransomware-hack-russia-biden/

[12] https://www.cnbc.com/2021/05/15/colonial-pipeline-resumes-normal-operations-after-hack.html

[13] https://www.reuters.com/business/energy/us-gasoline-shortage-improves-some-regions-still-suffer-hefty-outages-2021-05-16/

[14] https://www.washingtonpost.com/business/2021/05/15/truck-drivers-trucking-gas-prices/
