Healthcare organizations have long been the targets of hackers.
But amid the coronavirus pandemic, cybersecurity experts are raising the alarm about an increase in cyberattacks as hackers exploit the outbreak's disruption.
Among the top targets: government agencies critical to responding to the epidemic.
Hackers tried to breach the U.S. Department of Health and Human Services' (HHS) computer system Sunday night, both Bloomberg and ABC News reported. HHS Spokesperson Caitlin Oakley told FierceHealthcare the department became aware of a significant increase in activity on HHS cyberinfrastructure on Sunday.
The department is "fully operational" as it actively investigates the matter, Oakley said. HHS officials said there was no data breach.
"Early on while preparing and responding to COVID-19, HHS put extra protections in place. We are coordinating with federal law enforcement and remain vigilant and focused on ensuring the integrity of our IT infrastructure," Oakley said.
An Illinois public health department's website was hacked by ransomware last week. The Champaign-Urbana Public Health District serves about 200,000 people in central Illinois, and the website provides updated information about the coronavirus outbreak.
“The timing is horrible,” Administrator Julie Pryde told The News-Gazette.
The public health department immediately notified the FBI and the Department of Homeland Security and is working with a consulting firm to investigate what happened and restore the website, The News-Gazette reported.
Hackers also are capitalizing on people's fears and uncertainty about coronavirus to spread malware, cybersecurity experts say. There are cyberscams impersonating health authorities such as the U.S. Centers for Disease Control and Prevention and fake coronavirus tracker maps that infect people's computers with malware when opened.
"Phishing scams are rampant. Bad actors are seizing on the opportunity," said David Finn, executive vice president of strategic innovation at cybersecurity firm Cynergistek.
On top of these threats, many organizations are quickly setting up telecommute capabilities for employees who don't typically work from home. Hospitals and health systems also are setting up new technology tools such as chatbots and apps to help identify and triage coronavirus symptoms.
As organizations try to quickly set up these capabilities, security and privacy protocols might take a back seat, Finn said.
"If you short shrift your normal security and privacy protocols, it may create more problems down the line," he said.
Here are four strategies to help mitigate cyberrisks:
1. Practice good cyber "hygiene."
In the same way the public is reminded to do basic things like washing their hands for 20 seconds to reduce the spread of coronavirus, organizations also need to practice good cyber hygiene, Finn said.
Hospitals, health plans and technology vendors need to "double down" on cybersecurity best practices—have disaster recovery plans and make sure there are backups of critical data, said former National Security Agency official Marianne Bailey.
Focus on the basics such as ensuring software patches are up to date, utilizing effective asset management to know what devices are on your network and enabling identity management protocols such as multifactor authentication for all end users, said Bailey, who leads the cybersecurity practice at management consulting firm Guidehouse.
"People get lax, especially in times of emergency. This is not the time for shortcuts," she said.
Stephen Boyce, a principal consultant at the Crypsis Group, said organizations should limit attack vector avenues and ports of entry into their networks. Organizations also should review third-party vendors’ access to information systems, he said.
2. Communicate with employees about cyberrisks.
Healthcare systems should educate users on phishing and social engineering defense tactics.
"People are the biggest vulnerability," Bailey said. The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) released guidance on defending against COVID-19 cyberscams. CISA recommends employees exercise caution in handling any email with a COVID-19-related subject line, attachment or hyperlink, and be wary of social media pleas, texts or calls related to COVID-19.
3. Consider a "zero trust" approach.
Zero Trust is a security concept based on the idea that organizations should not automatically trust anything inside or outside its perimeters. Using this approach, an organization verifies anything and everything trying to connect to its systems before granting access.
Healthcare organizations need to monitor who is accessing highly sensitive data and authenticate access, especially as more employees work remotely. Companies need to layer authentication and monitor their internal as well as external systems, cybersecurity experts say.
4. Don't put security on the back burner.
As hospitals are responding to the coronavirus outbreak on a daily and sometimes even hourly basis, IT leaders will need to set up new interfaces quickly.
"As organizations likely have to set up makeshift entry points, they might have to short circuit their normal security policies and processes because they are in a rush," said Ben Goodman, senior vice president at ForgeRock, an identity and access management software company.
"Once you create that endpoint, it's not one and done. Make sure that security comes behind you on Day Two to harden the security protections and then on Day Three they replace it with a more secure offering," he advised.
Once the coronavirus outbreak begins to subside, those new interfaces or points of entry into the system will need to be taken down to eliminate vulnerabilities, he added.