Civic News
COVID-19 / Cybersecurity / Municipal government

While link-sharing issues are being handled in Philly, the COVID-19 vaccine rollout faces cybersecurity risks

There are a handful of steps software makers handling scheduling could take to make the process more secure, a Temple cyber expert tells Technical.ly.

The COVID-19 vaccine. (Photo by Daniel Schludi on Unsplash)

The City of Philadelphia said Tuesday that it was working with PrepMod, the software company contracted by Philadelphia and the State of Pennsylvania to schedule COVID-19 vaccine appointments, to address issues allowing ineligible folks to snag appointments.

The software had presented a loophole: The links sent out to eligible residents to schedule an appointment could be forwarded to and accessed by anyone.

“We have had some problems that have been seen around the country where the email invitations end up being shared, and people come in and get vaccinated who were not invited,” Health Commissioner Dr. Thomas Farley said Tuesday.

But on Tuesday, City officials said that that the software company would remedy the link-sharing issue by allowing single-use links that would only work for eligible people. Although municipalities across the country have been having similar issues, Philadelphia is among the first to make this request of the company, City spokesperson Jim Garrow told Technical.ly. The issue should be resolved Wednesday, Farley said.

A mass, coordinated public health measure like this is prime for potential security issues, said Aunshul Rege, an associate professor at Temple University in criminology with a focus in cybersecurity and social engineering.

“This happens with a lot of technology,” Rege said. “The functionality is about getting it done, maybe not exactly in the way they envisioned it, but ‘we’ll deal with it later’ sort of mentality.”

When it comes to implementing a new technology, whether to keep up with a new trend or, as in this case, for emergency situations, the mentality can be to release it first and deal with the issues later. Basically, starting the vaccine rollout was likely more important than having the perfect vaccine rollout.

And the issue of link-sharing wasn’t even one of typical cyber attacks. Instead, it was human action — one person sharing the link with another — that lead to the flaw in the system. The City’s new unique link setup should prevent this from happening, Farley said this week.

Aunshul Rege

Aunshul Rege. (Photo by Temple University)

“It’s not a technical issue with the system, per se, but it was something with the system that could be exploited,” Rege added.

But there’s a few ways the software makers could have gone about solving the issue, Rege said. They could require users to re-enter unique information only known by the intended registree, like insurance information, in a few steps throughout the process. Or, they could include two-step verification, she said.

Some cities are also watching for trends with their unique registration links. If a city sends out 50 invitations for appointments and gets 200 registrations, they likely know that there’s link-sharing or other technical flaws. Or, a technologist might be able to check a database of appointments to see which link or origin they came from.

But as a cybersecurity expert with a focus on criminal activity, Rege said she’s glad she hasn’t heard of many cases of hackers exploiting these registration systems for medical or other personal information, especially since each region is using different methods of sign-ups, and many older, less tech-savvy people are often first on the list.

And when it comes to encouraging folks to do the right thing and only register for an appointment if they’re the intended invitee, you don’t always need high-tech strategies, Rege said. A simple warning in the email itself can go a long way.

It’s been working in communities in Virginia, where Norfolk health department officials began warning recipients that if they forwarded their registration link along, they could be bumped to the end of the list. Paul Brummund, chief operating officer for Norfolk and Virginia Beach’s health departments, told news station WAVY that since the department began including those warnings, the problem has diminished.

Once the mass vaccine sites are up and running smoothly with their systems, there’s less room for the process to be misused, Rege said.

“I know we all want to get vaccinated, people are so done,” she said. “But with any supply and demand situation, there’s opportunity for cyber concerns and information to be exploited.”

Companies: City of Philadelphia / Temple University

Before you go...

Please consider supporting Technical.ly to keep our independent journalism strong. Unlike most business-focused media outlets, we don’t have a paywall. Instead, we count on your personal and organizational support.

3 ways to support our work:
  • Contribute to the Journalism Fund. Charitable giving ensures our information remains free and accessible for residents to discover workforce programs and entrepreneurship pathways. This includes philanthropic grants and individual tax-deductible donations from readers like you.
  • Use our Preferred Partners. Our directory of vetted providers offers high-quality recommendations for services our readers need, and each referral supports our journalism.
  • Use our services. If you need entrepreneurs and tech leaders to buy your services, are seeking technologists to hire or want more professionals to know about your ecosystem, Technical.ly has the biggest and most engaged audience in the mid-Atlantic. We help companies tell their stories and answer big questions to meet and serve our community.
The journalism fund Preferred partners Our services
Engagement

Join our growing Slack community

Join 5,000 tech professionals and entrepreneurs in our community Slack today!

Trending

Philly-area gold exchange startup reaches $1M in revenue just 10 months after launch

Philly-area social media startup LifeBrand lays off entire staff, as CEO says it's still 'fully operational'

He started at Neya as an intern. 10 years later, he’s director of robotics — and loving life

What Philadelphians need to know about the city’s 7,000-camera surveillance system

Technically Media