The disruption caused by COVID-19 is unlike anything seen before. Organisations around the world have had to rapidly adapt to remote working, securing new, untested environments with minimal disruption to service.
The pandemic has not been easy for any industry. But for healthcare, it has proven to be both a medical and business challenge. Not only are hospitals, health systems, insurers, and pharmaceutical companies quickly building and implementing new ways of working, they are doing so at a time of unprecedented demand for their services.
Unfortunately, healthcare is not alone in adapting. Cybercriminals have adapted too, tailoring their phishing and social engineering attacks to the pandemic. By May last year, over 300 COVID-related campaigns were detected in the wild.
This elevated threat level moved the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) to jointly warn the industry to expect ransomware attacks, data theft, and disruption of service, in what their advisory calls an “increased and imminent cybercrime threat.”
An industry replete with masses of personal data, intellectual property, and sensitive information must do more to protect these valuable assets, now more than ever. This starts by gaining a clear understanding of the threats it faces.
How cybercriminals kept pace with COVID
As the coronavirus pandemic spreads around the world, so too do cyber-attack campaigns looking to capitalise on the panic and uncertainty left in its wake.
By last summer, almost 20 countries witnessed COVID-19-themed phishing lures, designed to catch victims outside the more formal, secure working environment. Common attacks include those offering updates on cures and vaccines, and others reporting that close contacts have tested positive.
As new measures come into force, cybercriminals act fast to adapt their messaging. Campaigns are increasingly aligned to local and governmental policies.
A surge in attempted cyber-attacks is cause enough for concern. Unfortunately, there is also a greater chance that these attempts will succeed.
Remote working is known to significantly increase the risk of a successful cyber-attack. Add to this an anxious user base grasping for information during an unusual time, and you have a cybercriminal’s dream. In an industry where users have a vested interest in following a developing health crisis, with many actively encouraged to do so, this risk level only increases.
For the cybersecurity teams tasked with protecting users in this previously unimaginable set of circumstances, the challenge has never been greater. The only successful defence is broad and in-depth. And this starts with your people.
Preparing your last line of defence
Like most modern threats, the phishing, ransomware and business email compromise (BEC) attacks currently facing healthcare are primarily aimed at people rather than infrastructure.
While network controls and protections are essential, they are never infallible. All organisations must assume that attacks will reach users. This assumption effectively makes your people your last line of defence. And you must equip them as such.
This is only possible through comprehensive and ongoing security awareness training. Start by instilling the basics. Instruct all users to refer only to official sources for information. Better still, they should reach those websites only by carefully typing the address into their browser, never by following a link in an email or message.
Ensure users are also aware of the tell-tale signs of malicious messaging such as time-sensitive requests or instructions to enter personal information or credentials. Spelling and grammatical errors are also a common giveaway.
Now more than ever, user awareness training must also be in-context, based on current, real-world cyber campaigns. Proofpoint’s recent Healthcare Threat Landscape Report identified three common COVID-19 campaign examples, detailing the most impersonated government and industry bodies, common messaging, and the threat actors behind each attack.
While COVID-19-themed threats may not be around forever, targeted healthcare cyber attack methods certainly will be. Whatever tomorrow’s lure, it’s vital that your cybersecurity team has this level of insight into the latest attackers and their methods.
Protecting your people
Though its legacy will likely stretch on for years to come, the current coronavirus pandemic will eventually pass. Unfortunately, malicious interest in the healthcare industry is unlikely to pass with it.
Troves of data, much of it highly personal, along with a dire need for uninterrupted service, and traditionally poor security controls will leave it in the sights of cybercriminals for a long time yet.
To successfully stave off this interest, healthcare organisations must implement a robust and adaptive cyber attack defence built for today but ready for tomorrow. With a foundation of company-wide cybersecurity awareness, this should also comprise the latest security controls, best practice, and protections.
Any effective, multi-layered defence must include a Zero Trust solution capable of securely connecting your people to your data and your networks; robust email security, including DMARC (Domain-based Message Authentication, Reporting and Conformance) to stop attackers sending mail as your domains; isolation technology to assess and neutralise risky links and content; and total visibility into your logs to detect insider threats and other suspicious activity.
A vaccine may eventually spell the end of COVID-19, but there’s no silver bullet in the world of cybersecurity. The threat landscape will continue to evolve at pace. Your cyber defence strategy must evolve with it.
Article by Ryan Witt, Healthcare Cybersecurity Leader, Proofpoint