Thwarting cyber attacks on the health sector in the midst of COVID-19
by Mars Cacacho, Senior Security Engineer
2 September 2021
Alongside their prime mandate of being at the frontline against the dreaded COVID-19 virus, healthcare institutions should not let their guard down when it comes to cyber attacks.
The effect of COVID-19 on healthcare organisations
Since the outbreak of COVID-19, there have been extraordinary phishing attempts across medical institutions that try to lure personnel into disclosing both personal and sensitive information. Phishing links embedded in spam emails are becoming increasingly well-crafted and even use surveys that entice frontline workers with gift vouchers. Unfortunately, there are also links carrying disturbing health-related fake news and misinformation, which lead to website clickjacks.
Attackers go as far as creating tailored, shortened URLs that include “NHS” or hospital names to make them more convincing clickbait. Moreover, non-system administrators receive emails with malicious links leading to phishing landing pages, which evidently harvest Microsoft Exchange logins, email credentials, and other confidential information.
As per Radware’s DDoS Attack Report for Q1 2021, adversaries initially focused on biotech and pharmaceutical organisations. Distributed denial of service (DDoS) attacks against hospitals increased during the second half of Q1. While DDoS attacks typically affect public assets, backend infrastructure attacks frequently occur in broad daylight, pummelling websites and online information systems, thereby directly impacting operations both on-site and for those working from home. We have also seen that even contact tracing applications have been trojanised.
Alarmingly, health workers are constantly sprayed and spammed with emails containing compromised domains that security companies have tagged as droppers of ransomware variants. Along with this, the ghost and lessons of WannaCry continue to haunt us. Lately, with the surge of ransomware attacks, there is an innovative new attack vector – insider threats, or employees deliberately convinced by malware gangs to “cooperate” in deploying ransomware attacks across their workplace for a hefty bounty.
Have cyber criminals decided to finally give healthcare workers a break?
At the start of the pandemic, Lawrence Abrams, the creator of Bleeping Computer, reached out to the cyber crime groups behind some of the most prolific and dangerous ransomware threats with a simple question (perhaps thinking of humanitarian rules of engagement during war) – will they continue to target health and medical organisations during the COVID-19 pandemic?
At the end of 2020’s first half, Corvus Insurance VP for Smart Breach Response Lauren Winchester released a security report on healthcare entities which showed that, despite the steady rise of ransomware attacks in recent years, attacks on healthcare organisations had actually stalled in 2020 amidst the pandemic. The data was a positive sign, and a possible affirmation, of claims by ransomware groups that they would avoid attacking health institutions during COVID-19.
Confidence in this assurance may have relaxed these organisations’ security defences, because by the end of 2020 there was an unprecedented rise in cyber attacks on healthcare institutions and systems. 2021 got even worse. Let us be reminded of InfoSec’s rule of thumb – zero trust.
Three months ago, Ireland’s Health Service Executive (HSE) was hit by a major ransomware attack which caused a massive shutdown of its IT systems. An attack this detrimental placed thousands of lives at stake (on top of those who were already intubated and fighting for every breath) and perhaps caused its chiefs to immediately consider submitting to the ransom demands without a second thought.
Cliché as it is, security is only as good as its weakest link – the users
Since users are always the weakest link in any cyber security strategy, the health sector should find time to remind its workforce of the basics of online health to prevent malware outbreaks that could cripple their busier-than-ever operations.
Another thing to note is that prevention will always be better than the cure. Public health professionals should know this well.
With the array of attack methods and techniques in use, let alone living-off-the-land attacks, maintaining a good security posture through layered security will always be the best defence.