The Stoltenberg Blog

Healthcare technology insights for competitive value-based care strategy

Cybersecurity and COVID-19: Risks During the Crisis

Amidst the worldwide Coronavirus pandemic, cyber criminals are trying to take advantage of individuals' and organizations' fear and fragile state. Even frontline agencies are major cybercrime targets at this time. The World Health Organization (WHO) has seen a clear increase in cyberattack attempts. One recent attempt tried to spoof a WHO login portal to harvest employee passwords. That attempt was thankfully caught and mitigated, and the U.S. Department of Health and Human Services (HHS) has also had to defend against recent cybercriminal attacks. Now, even COVID-19 research centers in the U.S., U.K. and Canada, which are working around the clock on developing vaccinations, have become the latest cyber targets.

Jump in email phishing
As published by Healthcare IT News, a recent GreatHorn ransomware report found that there were 15 times more phishing attacks in the first two weeks of March than there were for all of January 2020. As of March 14, 2020, Coronavirus-related email threats made up 2% of all email traffic, often impersonating official health organizations such as the CDC. But the attempts don't stop with email. The HHS Office of the Inspector General issued a fraud alert for Medicare beneficiaries, who are said to be targeted through telemarketing, social media and even door-to-door schemes.

Organizations' responsibility
With the majority of the U.S. under stay-at-home orders, the big push in the last few weeks has been to test and establish end-user remote access. But the responsibility extends beyond initial setup to continued support, maintenance and end-user education, especially in terms of cybersecurity compliance and documentation. Virtual private network (VPN) gateways are frequently vulnerable and frequently targeted by malicious attacks. In fact, Microsoft has alerted dozens of hospitals that their gateway and VPN appliances are actively being targeted by ransomware groups. To help healthcare facilities stay prepared, we’ve compiled the following cybersecurity best practices — many of which coordinate with U.S. Cybersecurity & Infrastructure Security Agency (CISA) recommendations:

  • Update VPNs, network infrastructure devices, and user devices with the latest software patches and security configurations.
  • Alert all employees of the expected increase in phishing attempts and continue notices of any attempts, even if they were properly blocked.
    • Conduct phishing practice tests/drills for all employee levels, even for those who have transitioned to remote work. This will keep them vigilant and aware.
  • Within the configuration management policy, ensure IT security staff properly follow and document processes for log review, attack detection, and incident response and recovery.
  • Implement multifactor authentication (MFA) strategies, especially for those with access to patient data, to allow a more seamless user experience while also ensuring data safety.
  • Create a multidisciplinary steering committee to develop an organization report card for data governance and cybersecurity compliance spanning assessments for aspects like policy and procedures audits, cloud hosting audits, medical device security, disaster recovery tests, employee phishing tests, etc.
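The phishing threats described above often rely on a display name such as "CDC" or "World Health Organization" paired with a sending domain the real organization does not use. The following script, an added example that is not part of the original post and not a Stoltenberg tool, shows one simple check a mail-security or SOC team could run over inbound From: headers to surface such impersonation attempts, including lookalike domains like a constructed "cdc-gov.com". The organization list, the header samples and the function names are all assumptions made for the demonstration.

```python
"""Flag From: headers that name a health organization but send from a domain
the organization does not own. Added example with constructed sample data."""
import re
from email.utils import parseaddr

# Keywords a phisher is likely to place in the display name, mapped to the
# registrable domains the real organization sends from.
# Assumption: the security team maintains and extends this table.
IMPERSONATION_TARGETS = {
    "cdc": {"cdc.gov"},
    "centers for disease control": {"cdc.gov"},
    "who": {"who.int"},
    "world health organization": {"who.int"},
    "hhs": {"hhs.gov"},
    "medicare": {"medicare.gov", "cms.gov"},
}

# Constructed sample From: header values (not real messages).
SAMPLE_HEADERS = [
    "CDC Health Alert <covid19@cdc.gov>",
    "CDC-INFO <alerts@cdc-gov.com>",
    "World Health Organization <who.alert@gmail.com>",
    "WHO Vaccine Team <noreply@mail.who.int>",
    "Medicare Benefits <claims@medicare.gov.verify-account.net>",
    "Jane Doe <jane@clinic.example>",
]


def registrable_domain(address):
    """Last two labels of the sender domain, lowercased ('mail.cdc.gov' -> 'cdc.gov').
    A subdomain trick such as 'medicare.gov.verify-account.net' therefore
    resolves to 'verify-account.net', which is what we want to judge."""
    domain = address.rsplit("@", 1)[-1].lower()
    return ".".join(domain.split(".")[-2:])


def normalize(text):
    """Lowercase and turn punctuation into spaces so that 'cdc-gov.com'
    yields the tokens 'cdc gov com' and keyword matching sees the brand."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()


def check_from_header(from_header):
    """Return ('suspicious', reason) or ('ok', reason) for one From: value."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "suspicious", "no parseable sender address"
    domain = registrable_domain(addr)
    words = normalize(f"{name} {addr}")
    for keyword, real_domains in IMPERSONATION_TARGETS.items():
        if re.search(rf"\b{re.escape(keyword)}\b", words) and domain not in real_domains:
            return "suspicious", f"'{keyword}' referenced but sender domain is {domain}"
    return "ok", f"sender domain {domain} is not impersonating a listed organization"


def scan_headers(headers):
    """Return (header, reason) pairs for every header judged suspicious."""
    flagged = []
    for header in headers:
        verdict, reason = check_from_header(header)
        if verdict == "suspicious":
            flagged.append((header, reason))
    return flagged


if __name__ == "__main__":
    for header, reason in scan_headers(SAMPLE_HEADERS):
        print(f"SUSPICIOUS  {header}\n            {reason}")
```

Running the script flags three of the six constructed headers. The check is deliberately coarse: a short keyword like "who" will also match an unrelated personal name, so in practice this kind of rule is a triage signal that feeds the phishing notices to staff recommended above, not an automatic block, and it should sit alongside SPF, DKIM and DMARC verification rather than replace them.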

Individuals' responsibility
To remain on the defense for cybersecurity compliance during the COVID-19 crisis, think before you click. Even if it seems like a request from a healthcare provider, double check credentials.

  • Be cautious of unsolicited requests for personal information, such as your social security, Medicare, Medicaid or insurance policy number.
  • Be suspicious of unsolicited offers for COVID-19 tests or supplies, especially when they arrive through shortened or otherwise obscured links.
    • At this point still, only a physician or other qualified healthcare provider should recommend or approve requests for COVID-19 testing.
  • Be aware that no responsible healthcare provider will go door-to-door for testing or general patient care inquiry. Do not answer the door for unsolicited visitors. Maintain the six-foot social distancing rule.
  • Don’t fall for social media fads. Avoid posting graduation pictures and dates online. Refrain from participating in questionnaire posts circulating on Facebook that ask for your first car, first job, etc. These details often serve as security-question answers for banking and other online service profiles.
  • Report any suspected fraud attempts or incidents to the National Center for Disaster Fraud Hotline at (866) 720-5721.

To remain up-to-date on the latest healthcare and health IT industry insights, check back to the Stoltenberg Blog.

Gain Immediate COVID-19 Remote Support

Secure dependable fully U.S. based Tier 1-3 EHR and technical support, including remote access and service desk assistance, with immediate turnaround.