By Pieter Arntz, Malwarebytes Labs
As if stress levels in the healthcare industry aren’t high enough due to the COVID-19 pandemic, risks to our healthcare system’s already fragile cybersecurity infrastructure are at an all-time high. From increased cyberattacks, to exacerbated vulnerabilities, to costly human errors, our healthcare cybersecurity has been sent into a tailspin due to COVID-19 (if it wasn’t already before).
No Time To Shop For A Better Solution
Occupied with fighting off the virus, many healthcare organizations have found themselves unable to shop for different security solutions better suited for their current situation.
For example, the Public Health England (PHE) agency, which is responsible for managing the COVID-19 outbreak in England, decided to prolong their existing contract with their main IT provider without allowing competitors to put in an offer. They did this to ensure their main task, monitoring the widespread disease, could go forward without having to worry about service interruptions or other concerns.
Extending a contract without looking at competitors is not only a recipe for getting a bad deal, but it also means organizations are unable to improve on the flaws they may have found in existing systems and software.
Attacks Targeting Healthcare Organizations
Even though there were some early promises of removing healthcare providers as targets after COVID-19 struck, cybercriminals sadly can’t be bothered to do the right thing for once. In fact, we have seen some malware attacks specifically target healthcare organizations since the start of the pandemic.
Hospitals and other healthcare organizations have shifted their focus and resources to their primary role. While this is completely understandable, it has placed them in a vulnerable situation. Throughout the COVID-19 pandemic, an increasing amount of health data is being controlled and stored by the government and healthcare organizations. Reportedly this has driven a rise in targeted, sophisticated cyberattacks designed to take advantage of an increasingly connected environment.
In healthcare, it’s also led to a rise in nation-state attacks intended to steal valuable COVID-19 data and disrupt care operations. In fact, the sector has become both a target and a method of advanced social engineering attacks. Malicious actors taking advantage of the pandemic have already launched a series of phishing campaigns using COVID-19 as a lure to drop malware or ransomware.
COVID-19 has not only placed healthcare organizations in direct danger of cyberattacks, but some have become victims of collateral damage. There are, for example, COVID-19-themed business email compromise (BEC) attacks that might be aiming for exceptionally rich targets. However, some will settle for less if it is an easy target—like one that might be preoccupied with fighting a global pandemic.
As mentioned before, hospitals and other healthcare organizations run the risk of falling victim to “spray and pray” attack methods used by some cyber criminals. Ransomware is only one of the possible consequences, but arguably the most disruptive when it comes to healthcare operations—especially those in charge of caring for seriously ill patients.
INTERPOL has issued a warning to organizations at the forefront of the global response to the COVID-19 outbreak about ransomware attacks designed to lock them out of their critical systems to extort payments. INTERPOL’s Cybercrime Threat Response team detected a significant increase in the number of attempted ransomware attacks against key organizations and infrastructure engaged in the virus response.
Special COVID-19 Facilities
During the pandemic, many countries constructed or refurbished special buildings to house COVID-19 patients. These were created to quickly increase capacity while keeping the COVID patients separate from others. But these ad-hoc COVID-19 medical centers now have a unique set of vulnerabilities: They are remote, they sit outside of a defense-in-depth architecture, and the very nature of their existence means security will be a lower priority. Not only are these facilities prone to being understaffed in their IT departments, but the biggest possible chunk of their budget is deployed to help the patients.
Another point of interest is the transfer of patient data from within the regular hospital setting to these temporary locations. The staff working in COVID facilities will need the information about their patients, but how safely is that information being stored and transferred? Is it as protected in the new environment as the old one?
Data Theft And Protection
A few months ago, when the pandemic proved to be harder to beat than originally anticipated, many agencies reported targeted efforts by cybercriminals to lift coronavirus research, patient data, and more from the healthcare, pharmaceutical, and research industries. Among these agencies were the National Security Agency, the FBI, the Department of Homeland Security’s Cybersecurity and Infrastructure Agency, and the UK National Cyber Security.
In the spring, many countries started discussing the use of contact tracing and/or tracking apps to help keep the pandemic under control: apps that would warn users if they had been in the proximity of an infected user. Understandably, many privacy concerns were raised by advocates and journalists.
There is so much data being gathered and shared with the intention of fighting COVID-19, but there’s also the need to protect individuals’ personal information. So, several US senators introduced the COVID-19 Consumer Data Protection Act. The legislation would provide all Americans with more transparency, choice, and control over the collection and use of their personal health, device, geolocation, and proximity data. The bill will also hold businesses accountable to consumers if they use personal data to fight the COVID-19 pandemic.
Even though such a protection act might be welcome and needed, the consequences for an already stressed healthcare cybersecurity industry might be too overwhelming. One could argue that data protection legislation should not be passed on an ad hoc basis but should always be in place to protect citizens, not just when extra measures are needed to fight a pandemic.
In the meantime, the healthcare industry needs to employ simple, yet effective solutions and strategies to keep malware off their machines so they can have one less virus to worry about.
About The Author
Pieter Arntz is a Malware Intelligence Researcher for Malwarebytes Labs who was also a Microsoft MVP in consumer security for 12 years running.