Skip to main content
Sister Publication Links
  • ESG: THE IMPLEMENTATION IMPERATIVE
Subscribe
  • Sign Up Free
  • Login
  • Subscribe
  • News
    • Current News
    • Providers
    • Insurance
    • Digital Health
    • Government
    • Finance
    • Technology
    • Safety & Quality
    • Transformation
    • People
    • Regional News
    • Digital Edition (Web Version)
    • Patients
    • Operations
    • Care Delivery
    • Payment
    • Midwest
    • Northeast
    • South
    • West
  • Unwell in America
  • Opinion
    • Bold Moves
    • Breaking Bias
    • Commentaries
    • Letters
    • Vital Signs Blog
    • From the Editor
  • Events & Awards
    • Awards
    • Conferences
    • Galas
    • Virtual Briefings
    • Webinars
    • Nominate/Eligibility
    • 100 Most Influential People
    • 50 Most Influential Clinical Executives
    • Best Places to Work in Healthcare
    • Excellence in Governance
    • Health Care Hall of Fame
    • Healthcare Marketing Impact Awards
    • Top 25 Emerging Leaders
    • Top 25 Innovators
    • Diversity in Healthcare
      • - Luminaries
      • - Top 25 Diversity Leaders
      • - Leaders to Watch
    • Women in Healthcare
      • - Luminaries
      • - Top 25 Women Leaders
      • - Women to Watch
    • Digital Health Transformation Summit
    • ESG: The Implementation Imperative Summit
    • Leadership Symposium
    • Social Determinants of Health Symposium
    • Women Leaders in Healthcare Conference
    • Best Places to Work Awards Gala
    • Health Care Hall of Fame Gala
    • Top 25 Diversity Leaders Gala
    • Top 25 Women Leaders Gala
    • - Hospital of the Future
    • - Value Based Care
    • - Hospital at Home
    • - Workplace of the Future
    • - Digital Health
    • - Future of Staffing
    • - Hospital of the Future (Fall)
  • Multimedia
    • Podcast - Beyond the Byline
    • Sponsored Podcast - Healthcare Insider
    • Video Series - The Check Up
    • Sponsored Video Series - One on One
  • Data Center
    • Data Center Home
    • Hospital Financials
    • Staffing & Compensation
    • Quality & Safety
    • Mergers & Acquisitions
    • Data Archive
    • Resource Guide: By the Numbers
    • Surveys
    • Data Points
  • MORE+
    • Contact Us
    • Advertise
    • Media Kit
    • Newsletters
    • Jobs
    • People on the Move
    • Reprints & Licensing
MENU
Breadcrumb
  1. Home
  2. Cybersecurity
March 16, 2020 11:15 AM

Hackers taking advantage of COVID-19 to spread malware

Jessica Kim Cohen
  • Tweet
  • Share
  • Share
  • Email
  • More
    Reprints Print
    Modern Healthcare Illustration / Getty Images

    Hackers have wasted no time figuring out how to exploit the worldwide COVID-19 pandemic.

    Hospitals are already seeing "active attacks" trying to take advantage of the coronavirus outbreak, said Chris Frenz, assistant vice president of information security at Interfaith Medical Center in New York and chair of the Association for Executives in Healthcare Information Security's incident response committee.

    Frenz said he's seen emails where a sender—pretending to be from the Centers for Disease Control and Prevention—urges a recipient to open a link that deploys malware. Another scam involves pointing people to an online map that purports to track COVID-19 cases, but actually steals usernames, passwords and credit card numbers stored in a user's browser.

    Hackers might also be looking to spread misinformation about the disease or interfere with response to the outbreak. HHS this past weekend suffered a cyberattack on its computer system, which reportedly involved incidents including spreading false information about a national quarantine, according to Bloomberg. HHS officials haven't confirmed who was behind the attack, but believe it might have been a hostile foreign actor looking to slow the department's response to the pandemic, according to the report.

    But hackers targeting hospitals so far have been looking to take advantage of growing urgency around COVID-19 for their own financial gain.

    Hospitals have become attractive targets to hackers in the wake of the outbreak, since they're rushing to deal with an unprecedented situation, said Charles Henderson, head of X-Force Red, a team within IBM's security division.

    Security researchers at IBM discovered one of the first email scams tied to coronavirus, in which a cyberattacker urged recipients to download a malware-infected email attachment by claiming it was a Word document containing infection-prevention measures.

    "Scammers quickly identified that hospitals are under a lot of pressure, therefore they're apt to make poor decisions, and so they're trying to take advantage of that," Henderson said. "Scammers are really good at taking advantage of urgency."

    Malware—or "malicious software"—attacks like ransomware always pose a significant risk for hospitals, because of their potential disruption to patient care, sometimes even forcing hospitals to divert patients to nearby facilities. That concern intensifies with a global public health emergency like COVID-19, during which many hospitals are already feeling strained by patient volumes.

    Frenz said he anticipates that as hospitals continue to face a shortage of personal protective equipment like gloves, face masks and gowns, that could be an area for hackers to exploit, too.

    "You're going to see a lot more phishing attempts trying to (promise) availability of those resources," he said.

    This uptick in email scams isn't unique to coronavirus. Hackers tend to try to capitalize on topical events—such as the Super Bowl, Olympics and elections—particularly when sending phishing emails, a tactic in which cybercriminals send malware or trick targets into sharing personal information via email by posing as a trusted entity, such as the recipient's employer.

    "We always see phishing directly correlated to things people want to read about," said Caleb Barlow, CEO and president of cybersecurity consulting firm CynergisTek. "People are anxious for news and much more likely to click on a link that they probably shouldn't."

    It's important to keep staff up-to-date on types of emerging email scams, so that employees know what to watch out for. But security experts stress that many tips will remain the same as for standard cybersecurity awareness: look closely at the email address a message is sent from, be wary of clicking links and attachments, and—overall—keep an eye out for things that don't seem right.

    "Make sure that you're following what would be the process if it were not COVID-19," Henderson said. Hackers will attempt to take advantage of the urgency workers feel around the outbreak, but "if you have a certain workflow that always happens for invoices, for example, don't go outside that process unless you have independent verification that you're supposed to."

    Hospitals also need to consider the security of employees' personal devices and home Wi-Fi networks, and whether those will open up holes in the organization's cybersecurity posture as more staff begin working remotely. It varies by hospital which employees are able to work from home, but for now, it's mostly back-office staff like those in finance and human resources.

    The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency last week released an alert urging organizations to "adopt a heightened state of cybersecurity" as more employees work remotely.

    Taking advantage of remote work processes is how hackers using the now-infamous SamSam ransomware infiltrated Hancock Health in Indiana in 2018—using a remote desktop protocol to gain access to the system's network.

    At home, employees and their devices are "outside the traditional corporate firewall," and may be working on an unsecured Wi-Fi network, Barlow said. That makes it imperative for hospitals to implement processes like multi-factor authentication to validate that users requesting access to various systems are who they're claiming to be, as well as ensuring remote employees are using a virtual private network.

    A VPN typically encrypts network traffic, so that hackers won't be able to snoop on passwords, patient records or other sensitive information, Barlow said.

    "Employees have to recognize that their home network is likely not as secure as that network at the hospital," he explained. "Although this sounds exotic, it's extraordinary easy to tap into a Wi-Fi connection or home network."

    Organizations that typically restrict remote work to employees with hospital-issued devices might be put in a tough position, too, without enough equipment for all staff, Frenz said. Personal laptops—which tend to have fewer security features installed—can possibly spread malware through a hospital's network if compromised.

    He encourages hospitals to do a risk assessment when determining which employees should be in the office and which should work remotely.

    "There's risks in having employees unnecessarily come to work, because you don't want a chance of those employees becoming infected, or a chance of those employees infecting patients or other people," Frenz said. "But at the same time, there are also information security risks like ransomware that become feasible through remote work."

    Letter
    to the
    Editor

    Send us a letter

    Have an opinion about this story? Click here to submit a Letter to the Editor, and we may publish it in print.

    Recommended for You
    cybersecurity
    Health insurance data breach exposes Congressional members' personal info
    cybersecurity-data-hacking_2_i.png
    Following alleged cyberattack, Tallahassee Memorial resumes some services
    Most Popular
    1
    More healthcare organizations at risk of credit default, Moody's says
    2
    Centene fills out senior executive team with new president, COO
    3
    SCAN, CareOregon plan to merge into the HealthRight Group
    4
    Blue Cross Blue Shield of Michigan unveils big push that lets physicians take on risk, reap rewards
    5
    Bright Health weighs reverse stock split as delisting looms
    Sponsored Content
    Health IT Strategist (HITS) Newsletter: Sign up for the latest IT and medical technology news delivered 3 days a week (M, W, F).
     
    Get Newsletters

    Sign up for enewsletters and alerts to receive breaking news and in-depth coverage of healthcare events and trends, as they happen, right to your inbox.

    Subscribe Today
    MH Magazine Cover

    MH magazine offers content that sheds light on healthcare leaders’ complex choices and touch points—from strategy, governance, leadership development and finance to operations, clinical care, and marketing.

    Subscribe
    Connect with Us
    • LinkedIn
    • Twitter
    • Facebook
    • RSS

    Our Mission

    Modern Healthcare empowers industry leaders to succeed by providing unbiased reporting of the news, insights, analysis and data.

    Contact Us

    (877) 812-1581

    Email us

     

    Resources
    • Contact Us
    • Advertise with Us
    • Ad Choices Ad Choices
    • Sitemap
    Editorial Dept
    • Submission Guidelines
    • Code of Ethics
    • Awards
    • About Us
    Legal
    • Terms and Conditions
    • Privacy Policy
    • Privacy Request
    Modern Healthcare
    Copyright © 1996-2023. Crain Communications, Inc. All Rights Reserved.
    • News
      • Current News
      • Providers
      • Insurance
      • Digital Health
      • Government
      • Finance
      • Technology
      • Safety & Quality
      • Transformation
        • Patients
        • Operations
        • Care Delivery
        • Payment
      • People
      • Regional News
        • Midwest
        • Northeast
        • South
        • West
      • Digital Edition (Web Version)
    • Unwell in America
    • Opinion
      • Bold Moves
      • Breaking Bias
      • Commentaries
      • Letters
      • Vital Signs Blog
      • From the Editor
    • Events & Awards
      • Awards
        • Nominate/Eligibility
        • 100 Most Influential People
        • 50 Most Influential Clinical Executives
        • Best Places to Work in Healthcare
        • Excellence in Governance
        • Health Care Hall of Fame
        • Healthcare Marketing Impact Awards
        • Top 25 Emerging Leaders
        • Top 25 Innovators
        • Diversity in Healthcare
          • - Luminaries
          • - Top 25 Diversity Leaders
          • - Leaders to Watch
        • Women in Healthcare
          • - Luminaries
          • - Top 25 Women Leaders
          • - Women to Watch
      • Conferences
        • Digital Health Transformation Summit
        • ESG: The Implementation Imperative Summit
        • Leadership Symposium
        • Social Determinants of Health Symposium
        • Women Leaders in Healthcare Conference
      • Galas
        • Best Places to Work Awards Gala
        • Health Care Hall of Fame Gala
        • Top 25 Diversity Leaders Gala
        • Top 25 Women Leaders Gala
      • Virtual Briefings
        • - Hospital of the Future
        • - Value Based Care
        • - Hospital at Home
        • - Workplace of the Future
        • - Digital Health
        • - Future of Staffing
        • - Hospital of the Future (Fall)
      • Webinars
    • Multimedia
      • Podcast - Beyond the Byline
      • Sponsored Podcast - Healthcare Insider
      • Video Series - The Check Up
      • Sponsored Video Series - One on One
    • Data Center
      • Data Center Home
      • Hospital Financials
      • Staffing & Compensation
      • Quality & Safety
      • Mergers & Acquisitions
      • Data Archive
      • Resource Guide: By the Numbers
      • Surveys
      • Data Points
    • MORE+
      • Contact Us
      • Advertise
      • Media Kit
      • Newsletters
      • Jobs
      • People on the Move
      • Reprints & Licensing