Guest Column | August 31, 2020

Defending Healthcare IT In The Pandemic Landscape

By Renee Tarun, Fortinet

Cybersecurity Security Lock

Attackers have used subjects in the news as social engineering lures before, but this moved to the next level in the first half of 2020. From opportunistic phishers to scheming nation-state actors, cyber adversaries found multiple ways to exploit the pandemic for their benefit at enormous scale. Phishing and business email compromise schemes, nation-state-backed campaigns, and ransomware attacks were paramount among them. Bad actors worked to maximize the global nature of a pandemic that affected everyone, combined with an immediately expanded digital attack surface.

Threat researchers with FortiGuard Labs looked at this activity and identified some specific trends facing the healthcare sector over the past several months. That includes malware and phishing related to healthcare organizations, ransomware, and remote work/expanded attack vectors.

Phishing And Malware Preyed On Healthcare Worries

It is estimated that more than half of the U.S. workforce is now working from home, and employees are connecting to the office from their home networks, typically using their personal computers. Home networks are typically less secure, which opens the door for malicious opportunists. In the 2020 Remote Workforce Cybersecurity Report, 32 percent of respondents said secure connectivity is the most challenging aspect of switching to remote work.

Attackers are trying to target remote workers’ devices as an inroad into the corporate network or cloud. They try to lure unsuspecting victims into visiting malicious sites, clicking on malicious links, or providing personal information via email or over the phone.

Malicious actors do this by impersonating legitimate organizations, such as the World Health Organization (WHO) and the Centers for Disease Control and Prevention (CDC), and offering fake informational updates, discounted masks and other supplies, and even promises of accelerated access to vaccines. Similar attacks target healthcare workers, political movements, or even the recently unemployed using the same kind of tactics.

In April, the U.S. Secret Service (USSS) posted an alert about fraudulent COVID-19 emails using malicious attachments. A representative of the USSS’s Criminal Investigative Division reported that the malware spreaders were seeking to exploit CVE-2017-11882, a Microsoft Office memory corruption vulnerability that has been around for several years and used for multiple campaigns. A particularly unkind attack pretends to come from the U.S. Department of Health and Human Services (HHS) and informs the recipient that they’ve contracted COVID-19. Another targets medical equipment manufacturers with a malware-laden document sent via email asking them to provide equipment.

The Expansion Of Potential Attack Vectors

The COVID-19 pandemic created a sudden need for temporary testing and treatment facilities at many healthcare organizations. This then necessitated an expansion of secure network connectivity. And that means more potential vectors for bad actors to exploit.

For example, one national government healthcare entity experienced a major and sudden expansion as a result of COVID-19. Before the pandemic, this healthcare entity was responsible for operating over 130 hospitals and treatment locations. During the COVID-19 pandemic, the organization needed to open over 20 additional sites as quickly as possible to cope with the crisis. By creating new locations, the government entity could work to curb the spread of the virus by providing a local treatment option to infected citizens. And that means they had to find a stronger cybersecurity solution to protect this expanded network.

Similarly, as healthcare organizations worked to shift some employees to work from home, that meant more devices connected to more networks and more potential vectors for attack. For instance, one homecare provider serving the elderly needed to quickly enable homebound customer service staff to handle seven to ten thousand calls per day. Phone systems must be secure when used to conduct healthcare services, and cybercriminals know that many providers inadvertently left security doors open in their rush to deploy remote solutions.

Ransomware In The Time Of COVID-19

In addition to all these threats, the healthcare sector also has suffered from the rise in ransomware that threat researchers have observed in the past few months. COVID-19-themed messages and attachments have been used as lures in several different ransomware campaigns. 

FortiGuard Labs threat researchers tracked three such ransomware variants in H1 2020 —NetWalker, Ransomware-GVZ, and CoViper. Of the three, CoViper was particularly malevolent because it rewrote the computer's master boot record (MBR) before encrypting data. We have observed several attacks in the past where adversaries used MBR wipers in combination with ransomware to effectively cripple the PC.   

In addition, there was an increase in ransomware incidents where adversaries not only locked a victim organization's data but stole it as well and used the threat of widescale release as additional leverage to try and extort a ransom payment. This unwelcome trend significantly heightens the risks of organizations losing invaluable information or other sensitive data in future ransomware attacks.  

Protecting Critical Data Today

Healthcare IT professionals always have had a critical and difficult job: keeping bad actors away from highly personal medical and financial data. The pandemic and its exploiters have made this task exponentially more difficult – and more important. As the attack surface expands across the remote work landscape, healthcare organizations need to take concrete steps to protect their users, devices, and information in ways similar to the corporate network.

Threat intelligence and research organizations can help by providing broad insight via in-depth analysis of attack methods, actors, and new tactics to help supplement current cyber knowledge. The need for teleworker solutions to enable secure access to critical resources, while scaling to meet the demands of the entire workforce, has never been greater. A holistic cybersecurity strategy that provides comprehensive visibility and protection across networked, application, multi-cloud, and mobile environments will be better able to secure today’s rapidly evolving healthcare networks.

About The Author

Renee Tarun is deputy CISO at Fortinet. She is focused on enterprise security, compliance and governance, and product security. She is also a contributor to the book, The Digital Big Bang. Previously, she served for over 20 years with the U.S. government, with over 12 years as a cybersecurity leader for the National Security Agency (NSA). Renee received her master’s degree in computer/information technology administration and management from the University of Maryland University College. She is also a board member for the George Mason University Volgenau School of Engineering. She is married with two children.