Cyberattacks during COVID-19 highlight a pressing need for cybersecurity
During the COVID-19 pandemic, hospitals have made heroic efforts to protect their patients and staff from the disease. But the virus is also posing another, invisible threat in the form of cyberattacks. Malicious acts, including phishing campaigns and ransomware, may not only compromise hospital information systems and data, but, because so many medical devices are connected to computer networks, they can also put patients in direct danger.
“A public health emergency brings out the best in some people and the worst in cybercriminals,” says Terry Moon, AVP of IT and Cybersecurity at HealthTrust. “Their scam emails and websites are capitalizing on the anxiety and urgency around the coronavirus in hopes that you’ll click first and ask questions later.”
A global threat
The rise in cyberattacks has led to warnings from the FBI and the U.S. Department of Homeland Security about malware targeting supply chains, as well as hackers stealing data from medical centers and universities researching COVID-19.
The impact is being felt around the world, says Kent Petty, HealthTrust Chief Information Officer. “A hospital in the Czech Republic, a Paris hospital system, the computer systems of Spain’s hospitals, hospitals in Thailand, medical clinics in Texas, a healthcare agency in Illinois—all have reported attacks,” Petty notes.
Europe’s largest private hospital operator, Fresenius, is a major provider of the dialysis products and services that are in high demand throughout the world due to COVID-19. It experienced a ransomware cyberattack on its technology systems in May. The attack affected every part of the global operations of the enormous company, which holds nearly 40% of the U.S. dialysis market. The World Health Organization (WHO) has reported a fivefold increase in cyberattacks, Petty explains, adding: “It is a safe assumption that many more attacks have not been reported.”
The uncertainty and panic around COVID-19 create a perfect storm for hackers because their most valuable tools—end users—are more vulnerable to phishing attacks. “People are anxious for news and updates around COVID-19,” says Petty. “They’re doing more online, looking for how to get PPE [personal protective equipment], and doing more on social media—all of which makes them more susceptible to scams.”
Because healthcare organizations are incredibly stressed and overworked, they are more likely to accede to demands for ransom to reclaim their systems. This is another reason cybercriminals are targeting the industry.
“Situations like pandemics create makeshift smoke screens, so hackers can come in through a back door to perform nefarious acts,” Moon explains. “In addition, opportunities created by the need for PPE and related items cause a panic that allows hackers to broaden their attack vectors with creative ideas to gain access to the hospital systems.”
The types of attacks vary. “We’ve seen phishing emails purporting to be from real retailers about PPE for sale and from individuals saying that they have a stash of PPE they’d offer up at the right price,” explains Moon. Many are customized for the company or person, making them appear legitimate. And there has been an increase in identity-fraud attacks as hackers target stimulus checks and employment benefits, Petty adds. Hackers also search for infrastructure weaknesses, such as organizations that don’t use multifactor authentication.
The explosion in people working from home opens another potential vulnerability for hospitals if home users are compromised, says Petty. Hackers use the virtual private network (VPN) as a conduit into the health system. Such actions have triggered a warning from Homeland Security.
Hackers may also use email, remote access accounts, or business-to-business connections of smaller, less secure vendors as a way to get at bigger targets, Petty explains.
Of particular concern are medical devices, Petty notes. “While we haven’t yet seen attacks specifically targeting medical devices, the criminals aim for the most-critical systems to maximize their leverage to get paid or the value of the information they steal. In healthcare, those critical systems include many medical devices.”
While continued due diligence and process education will always be paramount to reducing or eliminating these threats, Moon explains, the good news is that the Food and Drug Administration (FDA) and hospitals have made substantial progress in creating in-depth defense systems to reduce the potential impact of device hacking.
It isn’t easy to ensure that connected devices are protected in a hospital system because of the number of devices, the size and architecture of the network environment, and the management of asset inventory, Moon explains. Many electronic systems and discovery tools need to be implemented to identify threats, manage inventories and control the flow of traffic. Here are some best practices to consider:
- Have a documented, verified and repeatable recovery plan in place that is tested routinely.
- Include aspects of real-time or near-real-time backups of critical systems (isolated from the rest of the network for protection).
- Provide continuous education to end users and other teams to ensure that when a security incident or disaster occurs, all hands are on deck with a full understanding of their responsibilities.
“Having all of this in place before an event occurs will reduce the impact to HealthTrust member organizations and the patients under their care,” Moon explains.
It’s also important that hospital systems ensure the devices they acquire have proper security controls and are identified in an asset management database. Then, if there is a vulnerability or compromise, the infected devices can be quickly located and patched or isolated from the network. “Organizations should also utilize network segmentation to isolate vulnerable medical devices from the rest of the network,” adds Petty.
Setting security standards
At the hospital level, it’s best practice for IT professionals to have a complete inventory of assets and follow good tracking system hygiene like configuration, patching, updates, retiring out-of-date systems and endpoint protection, Petty explains. He advises that they also search for open protocols/systems that could be compromised to allow remote access, as well as require multifactor authentication on remote access.
Moon notes that it’s also important to consider suppliers and how they could make systems vulnerable. “[Think about]: What data do they have, and is it protected? What access to your systems/network do they have, is it necessary and is it secure?” Moon suggests.
At the end-user level, security starts with the basics, such as strong passwords. “The longer, the better,” Moon adds. Also, employees can be trained on how to recognize phishing emails that can compromise the system (see sidebar below). Here are some general tips:
- Don’t click. Many phishing emails ask you to open an attachment or click a link. Don’t do it. Instead, confirm any information on the coronavirus from reliable sources like the WHO website.
- Guard your information. Watch for emails asking for personal information such as birthdate, payment details, Social Security number or other sensitive patient data. They are likely to be fraudulent.
- Be on the lookout for typos. Grammatical errors or misspelled words are classic signs of phishing.
- Know the sender. Be suspicious of any email from an unknown address.
- Take your time. A deadline or sense of urgency almost always indicates a form of phishing attack. “The bad guys want to make you feel flustered and panicked by telling you that you only have a certain amount of time to take action, or bad things will happen,” Moon explains. “Don’t panic. Take the time to stop and think.”
“Information security teams go to great lengths to put mitigations in place that help slow the impact of hacking, including alerts to let them know when something happens,” Moon adds. “They may be the first people to contact you letting you know your workstation has been compromised.”
Warning signs to watch for
Petty and Moon provide some signs of cybercriminal activity you may find in your email inbox.
- Emails from a well-known health plan provider (even the same one your company uses), thanking you for enrolling in their “Coronavirus Coverage.” The email may include a link for the participant to make a payment for the coverage. Do not click on the link.
- Emails that appear to come from your company’s IT department, offering links on new ways to connect, or a faster VPN. Before you click, confirm with IT that the email is from your company.
- Emails that claim to come from the Centers for Disease Control and Prevention (CDC) or the World Health Organization (WHO) and encourage you to click on a link for information. Instead, go directly to these organizations’ websites.
- Emails from doctors or other health groups offering links to “safety measures” to take during the pandemic or to maps of local infections.
- Emails offering COVID-19 vaccinations. If there’s been a medical breakthrough, you likely won’t hear about it via email.