Oct 15 2020

How Cybercriminals Are Exploiting the Pandemic (and How to Stop Them)

To protect your providers and patients, know the common threats and vulnerabilities.

Early in the pandemic, some healthcare leaders held out hope that cybercriminals would stand down so hospitals and other organizations could focus on treating the sick and studying the virus.

They didn’t.

“In the beginning, maybe, a lot of the bad actors said that because of COVID-19 they would not attack — that has not been our experience,” said Karl West, CISO and assistant vice president of IT at Salt Lake City-based Intermountain Healthcare, who spoke as part of an online panel hosted this summer by the Healthcare Information and Management Systems Society.

Instead, hackers have shifted and refined their tactics to catch busy clinicians off guard and to conduct phishing schemes that play on the public health crisis.

The number of cybercrimes reported daily to the FBI is three to four times higher than before the pandemic, one official noted this spring. Some of that is due to threat actors seeking COVID-19 treatment insights and attempting to exploit remote work perimeters.

In June, medical school servers at the University of California, San Francisco were hit with malware. The school was working on COVID-19 research, according to the BBC. Although the institution said the breach didn’t affect patient care, UCSF ultimately paid a $1.14 million ransom.

Six of Intermountain’s closest partners have suffered phishing attacks in recent months, West noted. One of them endured six separate attacks and ended up paying a ransom to cybercriminals.

The events can have deeper effects beyond a temporary scramble or a costly payout.

“In most of these instances, when partners have been impacted, we’ve gone to our playbook and severed connections,” said West. “It has meant serious disruption to business processes.”

Phishing Scams Are Targeting COVID-19 Concerns

Cybercrime related to the pandemic is cruelly precise.

Attackers are not only targeting geographical areas of the United States where COVID-19 caseloads are rising; they’re also aiming phishing attacks at healthcare workers most likely to be under additional stress, said Ryan Witt, managing director of the healthcare industry practice at Proofpoint.

“As we get into COVID more, we see attacks that tug at your emotions tend to be the most impactful and favored by cybercriminals,” said Witt, who spoke at a different HIMSS webinar on the subject.

Proofpoint researchers discovered a shift in COVID-related phishing targets. The hackers’ focus has moved from administrators to clinicians and, more recently, hospice workers — a group that often has weaker infrastructure and less cybersecurity training.

At first glance, the phishing lures observed by Proofpoint might seem credible: imposter emails from the World Health Organization, fake purchase orders for personal protective equipment, and bogus notices about receiving a “vaccine ID” from the Centers for Disease Control and Prevention.

“In the healthcare sector, if we had weaknesses coming into this, they’re definitely showing now,” said Lee Kim, director of privacy and security at HIMSS, who emphasized the need for a comprehensive education program for all staffers.

“Also, simply put, if there was no plan in place or really an ad hoc plan in terms of business continuity for unusual times such as this, I strongly believe healthcare organizations must take a second look to make those plans more robust.”

How to Establish a Safe Perimeter for Remote Work in Healthcare

A massive shift to remote work quickly flipped the script for many industries. When the crisis began, 70 percent of Intermountain caregivers had the ability to work remotely. But the migration required many new provisions to keep bad actors from infiltrating a vastly different perimeter.

“It was truly a cyber pandemic as we tried to get everyone in the right containers and buckets, using the right connections, making sure we had people set up with VPNs,” West said. “And in the middle of that, we had people taking office-provisioned machines into homes.”

At first, the company’s perimeter defenses weren’t sufficient to address new work-from-home requirements, so the organization took steps to extend the perimeter into people’s homes. “We used reverse proxy back into the home so we could make sure what was happening in the home on our device was safe and secure,” West said.

Intermountain also distributed information to employees about maintaining a safe computing environment, such as reminders to keep home routers updated, use a firewall and a VPN client, and not leave laptops unattended in the house.

Just as important, Intermountain expanded multifactor authentication and network segmentation — extra steps that weren’t met with universal enthusiasm.

“All remote access should have multifactor authentication,” West said. “Of course, people like multifactor authentication almost as much as COVID masks.”

Why Identity Controls and Long-Term Planning Matter

Identity management has been a critical tool during the pandemic to ensure organizations know who is accessing IT resources — and which resources they’re supposed to access.

“You need identity controls first,” said Mike Gregory, CISO for the Community Foundation of Northwest Indiana, a regional healthcare nonprofit. “You need to know your workers, staff, contractors and vendors, and you need to centralize identity records.”

The foundation also took steps to shore up its email defenses by deploying Domain-based Message Authentication, Reporting and Conformance (DMARC), which helps detect and prevent email spoofing.

It has also invested in threat simulation and training to help employees spot signs of trouble. “We have seen how much phish and spam have not just invaded our network but how much they prevent us from being productive,” Gregory said.
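A published DMARC record prevents spoofing only once its policy is enforcing; a report-only record detects it but still lets the mail through. The Python check below is an added example, not code from the article or from any organization it quotes, and it audits a record for the gaps that leave a domain in that state. The sample records and the example.org domain are constructed.

```python
# Added example: audit a DMARC TXT record (RFC 7489) for enforcement gaps.
# Sample records are constructed; example.org is a reserved placeholder domain.

def parse_dmarc(txt):
    """Parse 'tag=value; tag=value' into an ordered dict of lowercase tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_dmarc(txt):
    """Return a list of findings; an empty list means the record enforces."""
    tags = parse_dmarc(txt)
    # Receivers ignore the record unless v=DMARC1 is the first tag.
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        return ["not a DMARC record: v=DMARC1 must be the first tag"]
    findings = []
    policy = tags.get("p", "").lower()
    enforcing = policy in ("quarantine", "reject")
    if policy == "none":
        findings.append("p=none is monitor-only: spoofed mail is still delivered")
    elif not enforcing:
        findings.append("missing or invalid p= tag")
    # sp= overrides p= for subdomains; sp=none leaves them open to spoofing.
    if enforcing and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none leaves subdomains unenforced")
    # pct= below 100 applies the policy to only a sample of failing mail.
    pct = tags.get("pct", "100")
    if enforcing and (not pct.isdigit() or int(pct) < 100):
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    # Without rua= no aggregate reports arrive, so spoofing attempts go unseen.
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings

SAMPLES = {
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc@example.org",
    "monitor_only": "v=DMARC1; p=none",
    "partial": "v=DMARC1; p=quarantine; sp=none; pct=25; rua=mailto:dmarc@example.org",
    "malformed": "p=reject; v=DMARC1",
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(name, audit_dmarc(record) or "OK")
```
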

Ultimately, the webinar panelists said, pandemic-related cyberattacks have forced a greater focus on business processes and their department’s role within the organization.

“This type of healthcare crisis is not going away,” Gregory said. “If it’s not COVID, it will be something different, so how can cybersecurity play a strategic role in the business to keep it operating?”

West agrees that the current challenges can be viewed as an opportunity to improve safety and advance operations.

“For us, it’s been a very positive thing, because this is what we believe the transformation of healthcare looks like,” he said.
