The City of Philadelphia said Tuesday that it was working with PrepMod, the software company contracted by Philadelphia and the State of Pennsylvania to schedule COVID-19 vaccine appointments, to address issues allowing ineligible folks to snag appointments.
The software had presented a loophole: The links sent out to eligible residents to schedule an appointment could be forwarded to and accessed by anyone.
“We have had some problems that have been seen around the country where the email invitations end up being shared, and people come in and get vaccinated who were not invited,” Health Commissioner Dr. Thomas Farley said Tuesday.
But on Tuesday, City officials said that the software company would remedy the link-sharing issue by allowing single-use links that would only work for eligible people. Although municipalities across the country have been having similar issues, Philadelphia is among the first to make this request of the company, City spokesperson Jim Garrow told Technical.ly. The issue should be resolved Wednesday, Farley said.
A mass, coordinated public health measure like this is prime for potential security issues, said Aunshul Rege, an associate professor at Temple University in criminology with a focus in cybersecurity and social engineering.
“This happens with a lot of technology,” Rege said. “The functionality is about getting it done, maybe not exactly in the way they envisioned it, but ‘we’ll deal with it later’ sort of mentality.”
When it comes to implementing a new technology, whether to keep up with a new trend or, as in this case, for emergency situations, the mentality can be to release it first and deal with the issues later. Basically, starting the vaccine rollout was likely more important than having the perfect vaccine rollout.
And the issue of link-sharing wasn’t even one of typical cyber attacks. Instead, it was human action — one person sharing the link with another — that led to the flaw in the system. The City’s new unique link setup should prevent this from happening, Farley said this week.
“It’s not a technical issue with the system, per se, but it was something with the system that could be exploited,” Rege added.
But there are a few ways the software makers could have gone about solving the issue, Rege said. They could require users to re-enter unique information only known by the intended registrant, like insurance information, in a few steps throughout the process. Or, they could include two-step verification, she said.
Some cities are also watching for trends with their unique registration links. If a city sends out 50 invitations for appointments and gets 200 registrations, it likely knows that link-sharing or other technical flaws are involved. Or, a technologist might be able to check a database of appointments to see which link or origin they came from.
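The sketch below is an added example, not PrepMod's or the City's code. It shows a single-use invitation link that only works for the person it was issued to, and the database check described above that counts registrations per link. The class, function and field names (`InviteRegistry`, `flag_shared_links`, `invite_ref`) and the sample rows are hypothetical and constructed for illustration.

```python
import hashlib
import secrets
from collections import Counter


class InviteRegistry:
    """Issues one invitation token per eligible person and redeems it once."""

    def __init__(self):
        # Keep only the SHA-256 of each token, so a leaked table cannot be
        # replayed as working links.
        self._invites = {}  # token hash -> {"invitee": str, "used": bool}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, invitee_id):
        token = secrets.token_urlsafe(32)  # unguessable value placed in the link
        self._invites[self._digest(token)] = {"invitee": invitee_id, "used": False}
        return token

    def redeem(self, token, claimed_id):
        """Return True only for the first use by the person it was issued to."""
        invite = self._invites.get(self._digest(token))
        if invite is None or invite["used"]:
            return False
        # The registrant re-enters something tied to the invitee (assumption:
        # modelled here as an ID string); compared in constant time.
        if not secrets.compare_digest(invite["invitee"].encode(), claimed_id.encode()):
            return False
        invite["used"] = True
        return True


def flag_shared_links(appointments, max_per_link=1):
    """Audit bookings: invitation links with more registrations than allowed."""
    counts = Counter(row["invite_ref"] for row in appointments)
    return {ref: n for ref, n in counts.items() if n > max_per_link}


# Constructed sample rows, not real data: link "inv-002" was forwarded.
SAMPLE_APPOINTMENTS = [
    {"invite_ref": "inv-001", "name": "A"},
    {"invite_ref": "inv-002", "name": "B"},
    {"invite_ref": "inv-002", "name": "C"},
    {"invite_ref": "inv-002", "name": "D"},
    {"invite_ref": "inv-003", "name": "E"},
]
```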
But as a cybersecurity expert with a focus on criminal activity, Rege said she’s glad she hasn’t heard of many cases of hackers exploiting these registration systems for medical or other personal information, especially since each region is using different methods of sign-ups, and many older, less tech-savvy people are often first on the list.
And when it comes to encouraging folks to do the right thing and only register for an appointment if they’re the intended invitee, you don’t always need high-tech strategies, Rege said. A simple warning in the email itself can go a long way.
It’s been working in communities in Virginia, where Norfolk health department officials began warning recipients that if they forwarded their registration link along, they could be bumped to the end of the list. Paul Brummund, chief operating officer for Norfolk and Virginia Beach’s health departments, told news station WAVY that since the department began including those warnings, the problem has diminished.
Once the mass vaccine sites are up and running smoothly with their systems, there’s less room for the process to be misused, Rege said.
“I know we all want to get vaccinated, people are so done,” she said. “But with any supply and demand situation, there’s opportunity for cyber concerns and information to be exploited.”