In 2020, the U.S. government chose McKesson as a distribution partner for COVID-19 vaccines and ancillary supply kits.1 It was a race against time to stand up the operation for providing much-needed support in making sure vaccines and ancillary supply kits reached their final destinations.
This was an epic undertaking that required tremendous effort and close partnerships with pharmaceutical manufacturers, industry leaders, government agencies, and cross-functional teams at McKesson. Among the many teams involved in this operation, McKesson's cybersecurity teams had the critical role of enhancing their security program across multiple new internal and external touchpoints while working against extremely compressed timelines.
In this article, Michael McNeil, senior vice president and global chief information security officer at McKesson, describes vital security aspects of the company's COVID-19 vaccine distribution program.
How much lead time did McKesson have to implement the security program for the COVID-19 vaccination distribution effort? Typically, how much time would this type of endeavor take under normal circumstances?
McKesson's security team developed and implemented the playbook for the COVID-19 vaccination security program within 60 days of initial notice. Typically, similar efforts would take more than five times longer to implement.
How did your team collaborate with government and industry stakeholders to meet expectations under compressed deadlines? Were there any surprises?
McKesson met and aligned with several U.S. government entities, adapting previously used playbooks from the Centers for Disease Control and Prevention's Vaccines for Children program to cover new expectations required for the COVID-19 vaccine kitting and distribution programs. Through preexisting relationships with healthcare industry boards, we were able to connect with peer organizations within the supply chain supporting the Department of Health and Human Services' (HHS's) Operation Warp Speed2 (now called the HHS Coordination Operations and Response Element, or H-CORE,3 and housed within the Administration for Strategic Preparedness and Response) to align on and implement security protocols across multiple companies.
What were some of the unique security challenges you faced in this situation? Explain how you overcame them.
Securing intercompany email among Operation Warp Speed's supply chain participants presented a unique challenge. McKesson coordinated with our counterpart to align on the use of secure messaging protocols.
Image courtesy of McKesson Corporation.
What was the most challenging aspect of securing the supply chain and physical inventory? How did you overcome those challenges?
Aligning cold chain security (cyber- and physical security) was challenging due to the unique environmental requirements for the vaccines. McKesson's supply chain security group teamed with cyber, physical, and operations groups to maintain environmental requirements.
How did your team collaborate and align with key stakeholders to accomplish the objectives?
McKesson worked with Operation Warp Speed's supply chain peers through meetings coordinated by government entities, namely HHS, the Department of Homeland Security, and the Department of Defense. Each entity held recurring meet-ups, stand-ups, and coordination calls. In addition, healthcare-industry public and private partnerships with AAMI, the Health Information Sharing and Analysis Center (H-ISAC), and Healthcare and Public Health Sector Coordinating Council Cybersecurity Working Group helped McKesson leverage preestablished relationships fostered within organization boards and working groups to quickly align on plans of actions.
What was your approach for collaborating across many different teams and functions?
McKesson's Technology Department leveraged technology teams at each tiered layer of management, which consisted of a leader and subject matter experts. Identifying clear leadership at each level allowed nontechnology teams to approach leadership to provide answers and solutions as required. Recurring, twice-daily meetings (morning and evening) prevented barriers as team members were presented a platform for open and honest discussion leveraging the “debate-decide-commit” framework.
What would be your advice to others who need to fast-track data security in the medical field during a crisis?
Prepare now by ensuring cybersecurity professionals participate with the Cybersecurity and Infrastructure Security Agency (CISA) and take advantage of nonfinancial government service offerings. Also, they should participate in industry standard associations and develop relationships prior to a crisis, so those relationships can be leveraged during a crisis to fast-track recommendations, solutions, and implementations. Information Sharing and Analysis Centers (ISACs), such as H-ISAC and Sector Coordinating Councils, offer threat intelligence and best practices to critical infrastructure owners and operators within the 16 critical infrastructure sectors established by Presidential Policy Directive/PPD-21.4
Image courtesy of McKesson Corporation.
What other key takeaways or insights from your experience can you share?
I believe that incredible value exists when companies participate in preplanning pandemic exercises with peers and the U.S. government every two years (e.g., CISA's Cyber Storm5) to foster national alignment for pandemic response. In addition, participating in Cyber Storm promotes national cybersecurity defense alignment. Companyrun tabletop exercises also serve as a precursor for readiness prior to participating in national exercises for leadership and cybersecurity staff.
As an additional precaution, consider establishing a tertiary “set of eyes” to monitor critical systems outside of your day-to-day security operations center and managed security services provider.
References
- 1. McKesson . COVID-19 vaccine program: when duty calls . www.mckesson.com/Our-Stories/When-Duty-Calls . Accessed Nov. 17 , 2022. .
- 2. Department of Health & Human Services . Explaining Operation Warp Speed . www.nihb.org/covid-19/wp-content/uploads/2020/08/Fact-sheet-operation-warp-speed.pdf . Accessed Nov. 17 , 2022. .
- 3. Department of Health & Human Services . H-CORE: HHS Coordination Operations and Response Element . https://aspr.hhs.gov/H-CORE/Pages/Default.aspx . Accessed Nov. 17 , 2022. .
- 4. The White House . Presidential Policy Directive: Critical Infrastructure Security and Resilience . https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil . Accessed Nov. 17 , 2022. .
- 5. Cybersecurity & Infrastructure Security Agency . Cyber Storm: securing cyber space . www.cisa.gov/cyber-storm-securing-cyber-space . Accessed Nov. 17 , 2022. .