How to battle the increasing security and privacy risks in the healthcare sector during the COVID-19 pandemic
To prevent coronavirus (COVID-19) from spreading person to person, several countries have implemented curfews, social distancing policies, and even total lockdowns. Medical professionals are working overtime, putting their own lives at risk, to save the afflicted.
As medical staff work hard to trace new cases and protect the suffering, some cybercriminals are plotting their own schemes to take advantage of these challenging times. The DoppelPaymer cybercrime group has said that it will not target hospitals and healthcare organizations during this crisis. However, they are merely trying to project themselves as "ethical cyberattackers," and organizations should not believe any cybercriminal's word.
Brno University Hospital, one of the largest COVID-19 testing facilities in the Czech Republic, felt the brunt of a cyberattack a few days ago. This led to scheduled surgeries being canceled, and patients being referred to another nearby hospital. In another incident, the Champagne-Urbana Public Health District website was compromised by attackers. More recently, the U.S. Department of Health and Human Services (HHS) suffered a DDoS attack.
These incidents show that hackers will stoop to any low for financial gain, even during a major health crisis. This means that security is an even more important concern for organizations during these demanding times.
Even after facing an attack, the HHS, with very noble intentions, announced that it will not impose penalties for noncompliance with HIPAA for healthcare organizations that use telehealth solutions to care for patients. Healthcare organizations can now use general video chat applications, like Google Hangouts, FaceTime, Facebook Messenger, WhatsApp, and Skype, to provide services without facing any repercussions. Despite the suspension of penalties for HIPAA noncompliance, privacy remains a major concern during this ongoing crisis.
Considering all this, hackers have a good opportunity to strike healthcare organizations with the following types of attacks:
1. Ransomware:The consensus among security professionals when it comes to ransomware is to never pay the ransom. But now, when the stakes are far greater, healthcare organizations may feel that the best recourse is to pay the ransom to quickly resume the services they provide.
2. Phishing email scams:The frequency of phishing and spear phishing emails is expected to increase. Due to the increased focus medical professionals are placing on providing care to patients during the COVID-19 crisis, they might not think twice before clicking on an email only to fall victim to a malicious attachment. Medical staff may be working extended hours and battling exhaustion; this only compounds the challenge. A hacker could also employ social engineering tactics to achieve higher success rates during attacks.
3. Identity fraud:With HIPAA rules being relaxed for now, and healthcare organizations allowed to use general video chat applications, the threat of identity fraud looms large. Under normal circumstances, a shared responsibility for the privacy of patients needs to be established through a business associate agreement (BAA) between the healthcare provider and the video conferencing vendor. At this time of crisis, lack of a BAA is fine as long as the service is provided in good faith. While the chances are low, this can expose healthcare organizations to privacy loopholes at the vendor’s end.
Telemedicine use is usually limited to rural areas, specific locations where the patient could be during the visit, and to patients located in states in which the physician has an active medical license. These rules are now relaxed as well. Furthermore, these teleconsultations need not be just about COVID-19; they can be about any ailment or illness. These changes are very much required at this time, but they do increase the risk of sensitive information being intercepted by bad actors.
Healthcare organizations must protect themselves against security calamities and data breaches by using the right technical, administrative, and physical safeguards. Since personnel are distracted by the more pressing issue of caring for patients, automatic measures must be in place to detect attackers in the network. These tools must have the ability to look for anomalies in user or system behavior, assign risk levels, and empower IT security personnel to take appropriate action.
Technology can also be leveraged to read threat intelligence feeds in real time and alert security staff of an impending attack. File integrity monitoring should also be continuously performed to ensure that malicious activities aren't taking place. In this way, ransomware, phishing attacks, IT sabotage, and identity fraud can be prevented.
In case a breach does take place, technology should enable the organization to respond automatically and limit the amount of damage. Organizations should also be able to drill down to the root cause of the problem and plug any vulnerabilities to limit damage and ensure the exploit doesn't happen again.
Healthcare organizations must ensure that sensitive information does not fall into the wrong hands. All of this means that already overworked security professionals will have their hands even more full. But these measures are required to ensure that cyberattacks themselves don't turn into a pandemic.