Hackers have wasted no time figuring out how to exploit the worldwide COVID-19 pandemic.
Hospitals are already seeing "active attacks" trying to take advantage of the coronavirus outbreak, said Chris Frenz, assistant vice president of information security at Interfaith Medical Center in New York and chair of the Association for Executives in Healthcare Information Security's incident response committee.
Frenz said he's seen emails where a sender—pretending to be from the Centers for Disease Control and Prevention—urges a recipient to open a link that deploys malware. Another scam involves pointing people to an online map that purports to track COVID-19 cases, but actually steals usernames, passwords and credit card numbers stored in a user's browser.
Hackers might also be looking to spread misinformation about the disease or interfere with response to the outbreak. HHS this past weekend suffered a cyberattack on its computer system, which reportedly included the spread of false information about a national quarantine, according to Bloomberg. HHS officials haven't confirmed who was behind the attack, but believe it might have been a hostile foreign actor looking to slow the department's response to the pandemic, according to the report.
But hackers targeting hospitals so far have been looking to take advantage of growing urgency around COVID-19 for their own financial gain.
Hospitals have become attractive targets to hackers in the wake of the outbreak, since they're rushing to deal with an unprecedented situation, said Charles Henderson, head of X-Force Red, a team within IBM's security division.
Security researchers at IBM discovered one of the first email scams tied to coronavirus, in which a cyberattacker urged recipients to download a malware-infected email attachment by claiming it was a Word document containing infection-prevention measures.
"Scammers quickly identified that hospitals are under a lot of pressure, therefore they're apt to make poor decisions, and so they're trying to take advantage of that," Henderson said. "Scammers are really good at taking advantage of urgency."
Malware—or "malicious software"—attacks like ransomware always pose a significant risk for hospitals, because of their potential disruption to patient care, sometimes even forcing hospitals to divert patients to nearby facilities. That concern intensifies with a global public health emergency like COVID-19, during which many hospitals are already feeling strained by patient volumes.
Frenz said he anticipates that hospitals' continuing shortage of personal protective equipment like gloves, face masks and gowns could be an area for hackers to exploit, too.
"You're going to see a lot more phishing attempts trying to (promise) availability of those resources," he said.
This uptick in email scams isn't unique to coronavirus. Hackers tend to try to capitalize on topical events—such as the Super Bowl, Olympics and elections—particularly when sending phishing emails, a tactic in which cybercriminals send malware or trick targets into sharing personal information via email by posing as a trusted entity, such as the recipient's employer.
"We always see phishing directly correlated to things people want to read about," said Caleb Barlow, CEO and president of cybersecurity consulting firm CynergisTek. "People are anxious for news and much more likely to click on a link that they probably shouldn't."
It's important to keep staff up-to-date on types of emerging email scams, so that employees know what to watch out for. But security experts stress that many tips will remain the same as for standard cybersecurity awareness: look closely at the email address a message is sent from, be wary of clicking links and attachments, and—overall—keep an eye out for things that don't seem right.
"Make sure that you're following what would be the process if it were not COVID-19," Henderson said. Hackers will attempt to take advantage of the urgency workers feel around the outbreak, but "if you have a certain workflow that always happens for invoices, for example, don't go outside that process unless you have independent verification that you're supposed to."
Hospitals also need to consider the security of employees' personal devices and home Wi-Fi networks, and whether those will open up holes in the organization's cybersecurity posture as more staff begin working remotely. Which employees are able to work from home varies by hospital, but for now, it's mostly back-office staff like those in finance and human resources.
The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency last week released an alert urging organizations to "adopt a heightened state of cybersecurity" as more employees work remotely.
Taking advantage of remote work processes is how hackers using the now-infamous SamSam ransomware infiltrated Hancock Health in Indiana in 2018—using a remote desktop protocol to gain access to the system's network.
At home, employees and their devices are "outside the traditional corporate firewall," and may be working on an unsecured Wi-Fi network, Barlow said. That makes it imperative for hospitals to implement processes like multi-factor authentication to validate that users requesting access to various systems are who they're claiming to be, as well as ensuring remote employees are using a virtual private network.
A VPN typically encrypts network traffic, so that hackers won't be able to snoop on passwords, patient records or other sensitive information, Barlow said.
"Employees have to recognize that their home network is likely not as secure as that network at the hospital," he explained. "Although this sounds exotic, it's extraordinarily easy to tap into a Wi-Fi connection or home network."
Organizations that typically restrict remote work to employees with hospital-issued devices might be put in a tough position, too, without enough equipment for all staff, Frenz said. Personal laptops—which tend to have fewer security features installed—can possibly spread malware through a hospital's network if compromised.
He encourages hospitals to do a risk assessment when determining which employees should be in the office and which should work remotely.
"There's risks in having employees unnecessarily come to work, because you don't want a chance of those employees becoming infected, or a chance of those employees infecting patients or other people," Frenz said. "But at the same time, there are also information security risks like ransomware that become feasible through remote work."