By Justin Armstrong
Chair, EHRA Privacy & Security Workgroup
In the midst of a healthcare crisis like COVID-19, cybersecurity may be the furthest thing from many people's minds. That is exactly why now is the time for a heightened alert level: attackers routinely exploit current news and distracted organizations, and the COVID-19 crisis is no different.
Forbes reports that “there are now more than 40,000 ‘high-risk’ COVID-19 threats on the web.” Hackers have already attacked or attempted attacks on the U.S. Department of Health & Human Services, the World Health Organization, a vaccine test center, hospitals, a public health department, and other healthcare organizations in the U.S. and around the world. The increase in teleworking opens up new avenues of risk.
John Riggi, senior advisor for cybersecurity and risk at the American Hospital Association (AHA) told The Hill that he was “very concerned” about the potential for hackers to take advantage of the coronavirus crisis to target healthcare centers. “Ransomware attacks definitely could pose a potential threat to public health and safety and interrupt care delivery and patient care operations.”
But we’re not helpless. Just as PPE and hand-washing help protect staff in the clinical setting, cyber-hygiene and increased awareness can help protect organizations from computer malware by educating staff on best practices to identify threats, such as phishing and fake charities.
Ransomware, Malware, and Human-Operated Attacks
Cyberattacks have increased across the board. Although some ransomware groups have publicly stated that they will not attack healthcare during this pandemic, Microsoft, the NCFTA (National Cyber-Forensics and Training Alliance) and others continue to see ransomware attacks on hospitals at the height of this crisis, and both have published cybersecurity recommendations in response.
The FBI has reported “an increase in reports of online extortion scams during the current ‘stay-at-home’ orders due to the COVID-19 crisis… It is important to remember that scammers adapt their schemes to capitalize on current events such as the COVID-19 pandemic, high-profile breaches, or new trends involving the Internet, all in an attempt to make their scams seem more authentic.” Among the FBI’s recommendations are:
- Do not open e-mails or attachments from unknown individuals.
- Do not communicate with unsolicited e-mail senders.
- Use strong passwords and do not use the same password for multiple websites.
- Never provide personal information of any sort via e-mail. Be aware that many e-mails requesting your personal information appear to be legitimate.
Phishing
Be alert to potential phishing emails that pretend to be about COVID-19. Norton has good examples of phishing emails, and IANS has published examples of COVID-19 phishing attempts. Phishing is still the most common way for hackers to get into your network.
Government watchdogs in the U.S. and U.K. warned in April:
“[We are] seeing a growing use of COVID-19-related themes by malicious cyber actors. At the same time, the surge in teleworking has increased the use of potentially vulnerable services, such as virtual private networks (VPNs), amplifying the threat to individuals and organizations… Cybercriminals are targeting individuals, small and medium enterprises, and large organizations with COVID-19-related scams and phishing emails… Most phishing attempts come by email but [we have] observed some attempts to carry out phishing by other means, including text messages (SMS).”
Taking the time to think before you click is just as important in preventing digital infections as washing hands between patients is in preventing viral infections. Learn more about phishing and other hacker tactics in our previous blog.
Telecommuting
Securing organizations becomes more complex as many staff work from home, including some physicians treating patients via telehealth and remotely accessing EHRs. AHA and the American Medical Association (AMA) have created a resource, “Working from home during the COVID-19 pandemic,” with best practices such as strong passwords, multi-factor authentication, and using a VPN.
“For physicians helping patients from their homes and using personal computers and mobile devices, [there are] important steps to help keep a home office as resilient to viruses, malware and hackers as a medical practice or hospital.”
The resource advises that “your EHR vendor can also act as a source of technical assistance, offer educational resources, or even provide supplemental cybersecurity training. Reach out to your customer support representative or helpdesk for additional information.”
Using collaboration software? The National Security Agency (NSA) offers its guidance in “Selecting and Safely Using Collaboration Services for Telework.”
Fake Charities
Criminals also set up fake charities to take advantage of the COVID-19 situation. Independently verify the authenticity of any charity you’re considering donating to; the Federal Trade Commission’s (FTC) page on charity scams offers guidance.
In a notice titled “Defending Against COVID-19 Cyber Scams,” the Cybersecurity and Infrastructure Security Agency (CISA) warns:
“Cyber actors may send emails with malicious attachments or links to fraudulent websites to trick victims into revealing sensitive information or donating to fraudulent charities or causes. Exercise caution in handling any email with a COVID-19-related subject line, attachment, or hyperlink, and be wary of social media pleas, texts, or calls related to COVID-19.”
Healthcare organizations are on the front lines of 2020’s battle against COVID-19. Sadly, malicious actors are always ready to take advantage of crises, and they see coronavirus as their latest opportunity.