As the world reels from the effects of the COVID-19 pandemic, the healthcare sector is one of the most over-stretched and vulnerable to a host of threats, among which are cyber risks.
Phishing is still the top risk healthcare entities face, due to it being a common entry point for attackers to launch other types of cyberattacks, according to Lauren Winchester, vice president of smart breach response at Corvus Insurance, an insurance technology start-up based in Boston, USA.
“Healthcare entities also struggle to keep up with and prioritize patching,” Winchester told Corporate Risk and Insurance. “Too often, attackers will exploit known software vulnerabilities left unpatched, due to either a failure to identify the vulnerability, or a lack of IT resources to keep up with the sheer volume of patching needed. In addition to computer systems, healthcare entities also struggle to keep inventory of and regularly patch medical devices.
“It’s also worth mentioning the recent increase in distributed denial of service (DDoS) attacks, which attackers are using to add confusion to the network while potentially building a phishing campaign.”
Winchester pointed out that what separates the healthcare sector from others is that patients’ lives are literally at risk. Attackers targeting healthcare entities with ransomware usually know that the entities are under increased pressure to pay the ransom so as not to jeopardize patient safety.
Data projections by Corvus show that the number of ransomware attacks reported by healthcare entities for the first half of 2020 is expected to almost double from the same period last year.
Another worrying finding by Corvus is that over 75% of hospitals do not use email scanning and filtering tools. This metric has barely budged since the COVID-19 outbreak began, despite the increased volume of phishing exploits.
“Beyond cyber extortion, healthcare entities store troves of protected health information and personally identifiable information that can be stolen and sold by attackers on the dark web,” she said. “Protected health information is valuable as it can be used to file false insurance claims. Other forms of personal information, such as Social Security Numbers and financial account numbers can be used to open new lines of credit or make purchases or withdrawals on existing accounts.”
COVID-19 has exacerbated these risks, with healthcare IT employees juggling multiple tasks: keeping systems online and updated, fending off cyberattacks, and dealing with the increased demand for remote access from those employees who can work from home.
“Add to this the financial strain that many healthcare entities are feeling, and you have a perfect storm of more IT work and fewer resources,” Winchester said. “Attackers are keenly aware of this opportunity and those not purporting to follow a moral code will seek to take advantage.”
She also revealed that there was a massive uptick in the number of COVID-19-related domains being registered in March and April, thousands of which are suspected of being part of phishing scams. Furthermore, with many healthcare workers devoting almost all their time and attention to combating the pandemic, security awareness training has likely taken a backseat.
Do not neglect cybersecurity
As healthcare entities combat the pandemic with strained resources, Winchester said that these entities will need to focus on efficient and effective cybersecurity solutions. Security awareness training, which is one of the most effective ways to prevent phishing, must not be neglected.
Aside from training, multi-factor authentication (MFA) for remote access to devices will reinforce that awareness while lessening the impact of the inevitable human mistakes.
Winchester advised healthcare entities to invest in a good endpoint detection and response (EDR) product, or a managed detection and response (MDR) service if they do not have the internal resources to monitor an EDR. When used properly, an EDR can detect, contain and significantly lessen the impact of cyberattacks.
“Given the recent increase in DDoS attacks, healthcare entities should also discuss how they currently mitigate against these attacks (if at all) and what services they might need to access should they come under attack,” she said. “Finally, healthcare entities should revisit their incident response and business continuity plans and consider whether the pandemic has necessitated changes to the plans.”