Behind the scenes of Beaumont’s Covid-19 vaccination scheduling breach
The Covid-19 pandemic spurred the use of technology, but with growing use comes new challenges.
Southfield, Michigan-based Beaumont Health experienced this firsthand at the end of January, when an unknown user took advantage of an Epic scheduling tool vulnerability. But the incident served as a teachable moment, with the system quickly working to safeguard its vaccine scheduling process, said Beaumont Health Chief Information Officer Hans Keil in a phone interview.
The user publicly shared a link to the scheduling module for the clinic providing Covid-19 vaccines. This allowed 2,700 people to register for unauthorized vaccine appointments, all of which had to be canceled.
Keil believes that the high level of demand for the Covid-19 vaccine is what ultimately led to this incident.
“We had challenges with demand,” he said. “We had to triple our server capacity to be able to support the public and their high interest in getting vaccinated.”
When the vaccine rollout began, Beaumont was leveraging technology already available via its Epic EHR system. It had previously used this technology to schedule influenza vaccinations and conduct serology testing last April.
But the Epic system did not have the ability to send out randomized invitations for vaccinations, Keil said. It was important for the health system to be able to randomize that process to ensure it was administering the vaccine equitably. So, Beaumont set up that capability itself and improved its server capacity to field the high level of demand. But that still left a gap in the process within the Epic EHR.
The vaccination scheduling process was running smoothly until the unknown user found a way to exploit that gap, short-circuit the registration and go straight to the scheduling tool, Keil said.
It was a sudden spike in traffic that alerted the health system’s IT team to the breach. The health system shut down its Covid-19 vaccination registration and scheduling services for close to 24 hours.
Now that nearly two weeks have passed since the incident was discovered and addressed, Beaumont is focused on preventing this from happening again.
In the short term, the health system is monitoring its IT traffic and making sure every pathway coming through is legitimate, said Keil.
In addition, Epic now offers the capability to randomize vaccination invitations within its EHR. Going forward, the health system will use that capability as well as other enhancements that Epic has made to make sure it is “one individual, one ticket, one opportunity to schedule,” said Keil.
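The article does not describe how Epic or Beaumont enforce this internally. As an added illustration (not code from Epic, Beaumont or the article), the sketch below shows one way a scheduling step can enforce "one individual, one ticket, one opportunity to schedule," so that a forwarded link is useless to anyone but the invited person. The class name, method names and patient identifiers are hypothetical.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed key; a real service loads it from a secret store


class InvitationGate:
    """Issues one scheduling ticket per invited individual and redeems it once."""

    def __init__(self, key: bytes):
        self._key = key
        self._open = {}        # patient_id -> nonce of the outstanding ticket
        self._booked = set()   # patient_ids that have already scheduled

    def _mac(self, patient_id: str, nonce: str) -> str:
        msg = f"{patient_id}|{nonce}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def invite(self, patient_id: str) -> str:
        """Return a ticket for an individual picked by the randomized invitation draw."""
        if patient_id in self._booked or patient_id in self._open:
            raise ValueError("individual already holds or used a ticket")
        nonce = secrets.token_hex(16)
        self._open[patient_id] = nonce
        return f"{nonce}.{self._mac(patient_id, nonce)}"

    def schedule(self, authenticated_patient_id: str, ticket: str) -> bool:
        """Book only if the ticket was issued to the logged-in individual and is unused."""
        nonce, _, mac = ticket.partition(".")
        expected = self._mac(authenticated_patient_id, nonce)
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return False   # forged, or issued to someone else (a forwarded link)
        if self._open.get(authenticated_patient_id) != nonce:
            return False   # never issued, or already redeemed
        del self._open[authenticated_patient_id]
        self._booked.add(authenticated_patient_id)
        return True


def demo() -> dict:
    gate = InvitationGate(SERVER_KEY)
    ticket = gate.invite("patient-001")   # constructed identifiers
    return {
        "shared_link": gate.schedule("patient-999", ticket),  # someone else reuses the link
        "no_ticket": gate.schedule("patient-999", ""),        # direct hit on the scheduler
        "invited": gate.schedule("patient-001", ticket),
        "replay": gate.schedule("patient-001", ticket),
    }
```

The check lives in the scheduling step itself, so reaching the scheduler without passing through registration gains nothing.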
Keil does not envision any further IT issues arising in scheduling upcoming Covid-19 vaccinations. But high demand remains a concern.
“We just need to make sure that we maintain the integrity of this process and we be as fair as possible,” he said. “These tools, these platforms were never meant for this kind of demand. Epic didn’t think about that way, we didn’t think about it that way. But it’s different now.”
In some ways, the pandemic has sharpened the focus of the health system’s IT team.
Beyond the rollout, Keil and his team are thinking about how to help get the system’s surgery volumes up to help with financial recovery. This will include creating end-to-end experiences around surgery services and increasing the level of digital engagement among patients.
“You can get spread thin on lots of priorities,” Keil said. “This [public health crisis] makes it a lot more crystal clear as to what’s most important…to make a difference for the experience of patients and the financial health of the system.”