HIT Stoltenblog

The latest in healthcare and health IT news

Cybersecurity and COVID-19: Risks During the Crisis

As we're glued to our devices for constant COVID-19 updates, be aware of current cybersecurity threats lurking.

Amidst the worldwide Coronavirus pandemic, cyber criminals are trying to take advantage of individuals' and organizations' fear and fragile state. Even frontline agencies are major cybercrime targets at this time. The World Health Organization (WHO) has seen a clear increase in cyberattack attempts. One recent attempt tried to spoof a WHO login portal to gain access to employee passwords. This was thankfully caught and mitigated. The U.S. Department of Health and Human Services (HHS) has also had to defend against recent cybercriminal attacks.

Jump in email phishing
As published by Healthcare IT News, a recent GreatHorn ransomware report found that there were 15 times more phishing attacks in the first two weeks of March than there were for all of January 2020. As of March 14, 2020, Coronavirus-related email threats made up 2% of all email traffic, often impersonating the credentials of official health organizations, like the CDC. But the attempts don't stop with email. The HHS Office of the Inspector General issued a fraud alert for Medicare beneficiaries, who are said to be targeted through telemarketing, social media and even door-to-door schemes.

Organizations' responsibility
With the majority of the U.S. under stay-at-home orders, the big push in the last few weeks has been to test and establish end-user remote access. But the responsibility extends beyond initial setup to continued support, maintenance and end-user education, especially in terms of cybersecurity compliance and documentation. Virtual private networks (VPNs) tend to be more vulnerable to, and more often targeted by, malicious attacks. In fact, Microsoft has alerted dozens of hospitals that their gateway and VPN appliances are actively being targeted by ransomware groups. As such, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) encourages organizations to do the following:

  • Update VPNs, network infrastructure devices, and user devices with the latest software patches and security configurations.
  • Alert all employees of the expected increase in phishing attempts and continue notices of any attempts, even if they were properly blocked.
    • Conduct phishing practice tests/drills for all employee levels, even for those who have transitioned to remote work. This will keep them vigilant and aware.
  • Within the configuration management policy, ensure IT security staff properly follow and document processes for log review, attack detection, and incident response and recovery.
  • Implement MFA on all VPN connections to increase security.

Individuals' responsibility
To remain on the defense for cybersecurity compliance during the COVID-19 crisis, think before you click. Even if it seems like a request from a healthcare provider, double-check credentials.

  • Be cautious of unsolicited requests for personal information, such as your social security, Medicare, Medicaid or insurance policy number.
  • Be suspicious of unsolicited offers for COVID-19 tests or supplies, especially in blinded links.
    • At this point, still only a physician or other qualified healthcare provider should recommend or approve requests for COVID-19 testing.
  • Be aware that no responsible healthcare provider will go door-to-door for testing or general patient care inquiries. Do not answer the door for unsolicited visitors. Maintain the six-foot social distancing rule.
  • Don’t fall for social media fads. Avoid posting graduation pictures and dates online. Refrain from participating in questionnaire posts circulating on Facebook that ask for your first car, first job, etc. These details often serve as security questions in banking profiles and online service profiles.
  • Report any suspected fraud attempts or incidents to the National Center for Disaster Fraud Hotline at (866) 720-5721.


Stay tuned for more COVID-19 crisis response insights. Wishing you health and safety.