Cybersecurity in Medicine
- Time to Assess the Level of Cybersecurity in Healthcare
- The Evolution of Cyber Threats in Healthcare Due to COVID-19
- Ransomware Threats Targeting Medical Organizations
- COVID-Related Phishing Attacks
- Password Spraying (and Credential Stuffing) in Healthcare Organizations
- Tips for Improving Cybersecurity in Healthcare
Time to Assess the Level of Cybersecurity in Healthcare
Or how the pandemic has impacted the security of medical institutions.
The healthcare industry has long been a primary target for cybercriminals. However, since the emergence of COVID-19, organizations on the frontline of the pandemic have experienced an increase in cybersecurity-related incidents and attacks. Cybersecurity in healthcare is indeed becoming a more critical issue.
Between February and June 2020, organizations subject to HIPAA regulations reported 192 large-scale data breaches to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) – more than double the number recorded during the same period in 2019.
While the types of cyber threats faced by healthcare organizations during the COVID-19 pandemic were not entirely unexpected, factors such as the rapid shift to remote work, the expansion of telemedicine, and the additional strain on resources felt by many organizations combined to create new challenges.
For instance, in recent months, some medical organizations temporarily relaxed firewall rules (Windows operating system security) to facilitate additional remote work capabilities. They reduced the number of suppliers or signed new contracts to quickly deploy or expand telemedicine services.
The Evolution of Cyber Threats in Healthcare Due to COVID-19
While the types of cyber threats faced by healthcare organizations during the COVID-19 pandemic are largely similar to those encountered before the pandemic, fraudsters are exploiting the fear associated with it.
The Internet Crime Complaint Center reported receiving 1,200 complaints in March alone related to coronavirus-related cyberattacks, far exceeding the number of complaints received for all types of internet fraud in 2019.
Authorities have warned that cybercriminals are targeting healthcare agencies, pharmaceutical companies, scientific communities, medical research organizations, local governments, and others involved in national pandemic response efforts.
In addition to attempts to steal information for commercial purposes, hackers may aim to steal valuable pandemic-related information, such as confidential COVID-19 research or details about national and international healthcare policies.
Crafty hackers taking advantage of the COVID-19 crisis represent a global problem. In March, the Canadian Cybersecurity Center warned about malicious hackers targeting their healthcare sector. These attackers aim to gain unauthorized access to intellectual property, research, and development related to COVID-19.
The Czech Republic also faced a series of cybersecurity incidents, including an attack on one of its largest COVID-19 testing centers, which resulted in the center shutting down and redirecting patients to other hospitals. The risks to public health and safety posed by such malicious activities prompted the U.S. State Department to take global action.
Below are several examples of cyber threats during the COVID-19 era, along with practical steps organizations can take to manage cyber risks in today’s increasingly virtual environment.
Ransomware Threats Targeting Medical Organizations
In the early stages of the pandemic, hacker groups promised to protect hospitals and healthcare facilities from their cyber attacks. These 'promises' were short-lived.
In March, hackers used a variant of the ransomware known as Maze to attack a UK laboratory that tests COVID vaccines. Maze can extract files from the system and pressure the victim into paying a ransom by threatening to publish the data on the dark web. Fortunately, the institution was able to restore its systems, but this did not stop the hackers from trying to force payment by publishing thousands of patient records online, including medical forms and copies of passports (the institution itself did not pay anything).
In June, the University of California, San Francisco, reported that it had paid a ransom of $1.14 million after malware encrypted certain servers in its medical schools.
In response to the ongoing threat of ransomware attacks in the healthcare sector, Microsoft's threat intelligence team has warned hospitals that their network devices and virtual private networks are specific targets as organizations move to a more remote workforce and therefore face more cybersecurity threats.
The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on 22 May, reporting that insecure VPNs will top the list of vulnerabilities regularly exploited by sophisticated cybercriminals in 2020.
REvil is one of the ransomware campaigns that actively exploit these vulnerabilities to infiltrate organizational infrastructure. After successfully exploiting them, hackers can steal credentials, escalate access privileges, and move laterally within the compromised network, deploying ransomware or other malicious software.
Unlike self-propagating ransomware like WannaCry or NotPetya, which spread autonomously, Maze and REvil are human-operated ransomware campaigns. They incorporate social engineering tactics that exploit users' fear and need for information.
This is why the hackers behind these ransomware strains target organizations most vulnerable to breaches—for example, those that lack the time or resources to assess cybersecurity threats, install the latest updates, upgrade firewalls, or review user access levels in administrative parts of their information networks. During the COVID-19 era, healthcare organizations have proven to be particularly vulnerable.
COVID-Related Phishing Attacks
Cybercriminals conducting phishing attacks via email have exploited fears surrounding the coronavirus, posing as officials from organizations such as the Centers for Disease Control and Prevention (CDC) or the World Health Organization (WHO). Their goal is to deceive users into entering credentials or clicking on links that install malware, capturing sensitive data or locking it behind passwords.
According to Bitdefender, hospitals, clinics, pharmaceutical companies, and medical equipment distributors have been the most frequent targets of phishing campaigns. These emails often claim to offer information on COVID treatments, therapies, or personal protective equipment (PPE).
In fact, American, Canadian, and European organizations rushing to develop a coronavirus vaccine have become prime targets for cybercriminals seeking to steal research data and disrupt medical supply chains in an effort to gain an edge in the vaccine race. This has frequently been linked to state-sponsored hackers.
The U.S. National Security Agency (NSA) has reported that the hackers responsible for this medical espionage include groups known as APT29 and Cozy Bear—the same groups linked to the hacking of the Democratic National Committee's servers during the 2016 election.
Another phishing method, known as voicemail phishing or vishing, targets outdated telephone systems used by some medical organizations. These systems, known as Private Branch Exchange (PBX), automate calls and send voicemail messages to users’ email inboxes to ensure employees don’t miss important messages while working remotely.
In this scheme, attackers spoof messages from PBX systems, informing employees of a new voicemail. To access the message, users are redirected to a website mimicking PBX integration, designed to steal credentials.
Hackers rely on the fact that users often reuse the same credentials across multiple platforms, potentially granting access to personal or confidential information.
Password Spraying (and Credential Stuffing) in Healthcare Organizations
Password spraying is a brute-force attack method in which hackers attempt to gain access to multiple accounts by entering numerous usernames or email addresses into a program that tries to match them with commonly used passwords.
Joint advisories from the Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) warn about this threat targeting healthcare and medical organizations. They recommend users replace any easily guessable passwords with more complex ones, such as those created using three random words.
Credential stuffing involves the automated input of username and password combinations previously stolen—often during past data breaches—to gain unauthorized access to user accounts.
In April, more than 500,000 Zoom credentials, obtained through credential stuffing, were sold on the dark web for less than a dollar or, in some cases, given away for free.
This led to an increase in large-scale “Zoom-bombing” and other malicious actions compromising video conferencing security. To reduce the risk of such attacks, organizations are strongly advised to implement multi-factor authentication (MFA) and enforce regular password updates for employees.
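On the defensive side, both password spraying and credential stuffing leave the same trace in authentication logs: one source failing against many different accounts with only a try or two per account. The following detection sketch is an added example, not part of the original article; the log tuples, IP addresses (documentation ranges), usernames and thresholds are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed failed-login events: (ISO timestamp, source IP, username).
SPRAY = [(f"2020-06-01T09:0{i}:00", "203.0.113.7", u) for i, u in enumerate(
    ["a.adams", "b.brown", "c.clark", "d.davis", "e.evans", "f.ford"])]
# One account hammered repeatedly: classic brute force, not a spray.
BRUTE = [(f"2020-06-01T10:00:{s:02d}", "198.51.100.20", "a.adams")
         for s in range(0, 40, 5)]
# Two users mistyping a password from the same workstation.
TYPOS = [("2020-06-01T11:00:00", "192.0.2.44", "g.green"),
         ("2020-06-01T11:05:00", "192.0.2.44", "h.hill")]
# Shared outbound proxy: five users, one failure each, spread over a work day.
PROXY = [(f"2020-06-01T{8 + 2 * i:02d}:15:00", "192.0.2.90", u) for i, u in
         enumerate(["i.irwin", "j.jones", "k.king", "l.lee", "m.moore"])]
SAMPLE_FAILURES = SPRAY + BRUTE + TYPOS + PROXY


def detect_spraying(events, window=timedelta(minutes=30),
                    min_users=5, max_per_user=2):
    """Return {source_ip: [usernames]} for sources that fail against at least
    `min_users` distinct accounts, with at most `max_per_user` failures per
    account, inside any single sliding time window."""
    by_source = defaultdict(list)
    for ts, ip, user in events:
        by_source[ip].append((datetime.fromisoformat(ts), user))

    flagged = {}
    for ip, rows in by_source.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Shrink the window from the left until it spans <= `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            per_user = Counter(user for _, user in rows[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                # Report every account this source touched, for password resets.
                flagged[ip] = sorted({user for _, user in rows})
                break
    return flagged


if __name__ == "__main__":
    for ip, users in detect_spraying(SAMPLE_FAILURES).items():
        print(f"possible spray from {ip}: {len(users)} accounts -> {users}")
```

Per-account lockout counters never fire on this pattern because no single account sees enough failures, which is why the grouping key here is the source rather than the username.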
Tips for Improving Cybersecurity in Healthcare
Update Your Cybersecurity Risk Analysis and Management Plans
Ensure your security risk analysis is updated to reflect the technological and operational changes made in response to the pandemic. Implement all relevant risk management plans to reduce the likelihood of cybersecurity incidents, such as ransomware attacks.
Specifically, identify potential risks and vulnerabilities associated with the expansion of remote work, the deployment of new telemedicine technologies, and the establishment of additional testing and treatment facilities.
Ensure Full Compliance with Telemedicine Operations
Organizations that deployed telemedicine services in a manner that may not have fully complied with HIPAA standards—according to OCR guidance on security compliance—should ensure that at a minimum, they have followed all recommendations. These include enabling all available encryption and privacy settings, informing patients of potential privacy risks, and establishing appropriate business associate agreements with technology providers delivering cybersecurity services.
In line with the voluntary cybersecurity principles outlined by the U.S. Department of Health and Human Services for healthcare organizations, providers should identify gaps in compliance with HIPAA and other privacy and security laws. Develop a plan to address any vulnerabilities as quickly as possible to elevate cybersecurity in healthcare to a new level.
Review Privacy and Cybersecurity Policies and Procedures
Examine and, if necessary, expand your privacy and security policies and procedures to ensure they adequately reflect current operations, particularly regarding remote work, telemedicine, and any other newly expanded activities. Additional insights from Katten on best practices for remote work are available [here].
Reinforce Employee Training
To ensure employees are aware of their obligations to maintain privacy and security during the COVID era, conduct regular training sessions on your policies and make these policies accessible via the organization's intranet or by email distribution (including tips on protecting email from hacking).
Training should be practical and aligned with today’s virtual environment—covering topics such as using secure collaboration tools, recognizing phishing emails and COVID-related scams, and securely disposing of documents while working from home.