The US drug regulator has taken the unusual step of having the Covid-19 vaccine data physically handed over by FBI agents, refusing to send it over the internet for fear of a cyberattack.
Vaccine makers have sent confidential documents to the Food and Drug Administration on a USB stick turned over to the FBI, according to people familiar with the matter. The FDA, which generally takes filings electronically, took the extra precautions because of the sensitivity of documents related to coronavirus vaccines, the people said.
Cybersecurity experts have warned that hackers are scrutinizing the vaccine development process, possibly aiming to steal intellectual property or wreak havoc by disrupting it. The US and the UK have previously accused state-sponsored hackers in China and Russia of targeting groups developing vaccines and treatments for Covid-19.
Those risks were underscored last week when vaccine makers Pfizer and BioNTech said some of their documents were exposed during a cyber breach targeting the European Medicines Agency, the EU’s drug regulator.
The US regulator said it was always improving its cybersecurity strategies and hired specialists to help address “the demanding challenges of protecting highly sensitive information.”
Michael Farrell, co-executive director of the Institute for Information Security and Privacy at Georgia Tech, said the lengths to which the FDA was going to protect unclassified data on vaccines showed the “severity of threats in 2020.”
“That kind of conscious decision – bypassing the network and transferring data manually – hints at concern for adversaries targeting the systems between the researchers and the FDA.
“There are many parties involved in the Covid-19 vaccine supply chain: research, development, testing, distribution, and then actual medical providers doing the inoculation. They are all under attack.”
The EMA, which allows companies to transmit key data through an online portal, said last week that its servers were the target of a cyberattack. It said it was working with law enforcement and informing interested companies.
Ugur Sahin, CEO of BioNTech, said he hoped the EMA would learn from the attack.
“You always think that this is somehow too much protection, until you understand that everything is right,” he told the Financial Times.
Dr. Sahin added that the partners were still evaluating what had been stolen, but their intellectual property was proprietary, which could offer commercial protection in case someone tried to replicate their work. But even if hackers accessed important data, they were unlikely to have the skills and experience to figure out how to make a vaccine, he said.
Moderna, which is submitting documents to the EMA as part of an “ongoing review” of its vaccine candidate, said Friday that it had not been informed of any documents exposed in the breach. AstraZeneca, which is also seeking approval from the EU regulator for a Covid-19 vaccine, declined to comment.
The agency said it used an “electronic exchange standard” implemented by major regulators around the world, including the FDA.
The agency could face more difficulties keeping data offline, as it has to share the information with at least 27 regulators across Europe. Senior health officials working for EU member states said national systems did not appear to have been compromised, a prospect that one official described as a “nightmare scenario.”
The Amsterdam-based regulator, which moved from London in the wake of Britain’s vote to leave the EU, said it remained fully functional and the timelines for evaluating Covid-19 vaccines were unaffected.
Additional reporting by Kiran Stacey in Washington