As businesses reimagine their day-to-day operations in response to ever-evolving COVID-19 restrictions, those who work in the healthcare industry will want to consider educating employees on the risks associated with cyberattacks and putting appropriate measures in place to protect their systems, information, and access.
An early report on COVID-19 cybercrime suggested that hackers might refrain from attacking hospitals and other organizations working against the pandemic, if for no other reason than the harsh response they might expect during this time of national upheaval. “A particularly spectacular and effective ransomware attack may even elicit military action up to and including a special forces mission to take out the actors responsible for the cyber-attack,” according to Ian Thornton-Trump, CISO at Cyjax, in a Forbes article.
The article described several cyber criminals as having little interest in targeting medical organizations during a pandemic, but, ultimately, they did just that. Hackers stole sensitive information from a COVID-19 vaccine test center and then posted it online. Other threats were identified as well. The World Health Organization foiled an attack earlier this month that was aimed at stealing employee passwords, with a senior official describing a “two-fold increase in cyberattacks.” WHO has since posted a warning to the public about COVID-19-related fraudulent websites and emails designed to steal money or sensitive information. The FBI is warning the hardest-hit states of California, New York, and Washington to be particularly on guard. The U.S. Department of Health and Human Services thwarted a sustained attack meant to overwhelm its systems.
As IT system administrators and cybersecurity professionals know, employees can unwittingly serve as conduits for bad actors seeking entrance to systems. The World Economic Forum notes, “The vast majority of cyberattacks—by some estimates, 98%—deploy social engineering methods.”
Ensuring that employees are educated on cybersecurity best practices is critical. Many are working remotely for the first time, outside the more robust business firewalls that they had as on-site workers, and they need to understand how to prevent security breaches in this new environment. The Harvard Business Review outlines strategies that employees and employers can follow to make themselves harder targets for cyber criminals. Knowing how to recognize social engineering threats and how to avoid them can help those in the healthcare industry protect sensitive patient information and ensure it is available and uncompromised.
For every hacker who passes up the opportunities for online scams that fear and uncertainty create during a pandemic, others may continue to see medical systems as lucrative targets. Discussing the recent attack on the Brno University Hospital in the Czech Republic, Wired magazine noted, “Ransomware attacks on hospitals are common, because scammers hope that the urgent need to function will push administrators to simply pay the ransom. Such attacks always pose a potential threat to the health and safety of patients, but are especially horrific during a pandemic that is straining the world’s health care systems.”
In addition to employee education on cybersecurity best practices, another way that healthcare organizations can safeguard their systems and meet HIPAA-mandated responsibilities is to ensure that they have the right system to support their disaster recovery, business continuity, and contingency plans. That way, even if parts of the system cannot be accessed by doctors and nurses, the hospital can still maintain operations and protect data through a server that has been kept separate from the compromised system. This “vault” can be accessed by medical staff serving patients while IT team members work to get the entire system back online.
As healthcare staff members work around the clock to “flatten the curve” of COVID-19 cases, they can rest assured that they will have the information they need to treat patients. As concerning as the possibility of cyberattacks may be, hospitals can put safeguards in place to ensure doctors and nurses can access information critical to treating patients caught up in the pandemic.
In an effort to help hospital IT departments face these challenges head-on, we’d like to offer you a complimentary, 30-minute consultation between now and April 30 to discuss any data-accessibility questions or concerns your organization may have related to the evolving COVID-19 crisis.