In proof that some people can and will take advantage of anything, cyberattacks in the healthcare sector have increased as the world battles a pandemic.
On May 26, the CyberPeace Institute released a letter, calling on “the world’s governments to take immediate and decisive action to stop all cyberattacks on hospitals, healthcare and medical research facilities, as well as on medical personnel and international public health organizations.” The letter was a response to an increase in such attacks, which targeted medical facilities on the frontlines of the Covid-19 response, endangering lives of patients and threatening the most sensitive data. NATO has also condemned the attacks.
Patients, Institutions, and Research at Risk
The attacks are varied. As ZDNet reports, coronavirus research has become a popular target for hackers, some with state support. A joint advisory from the US and UK highlights the threat and explains that “Advanced Persistent Threat” groups have targeted organizations that include “healthcare bodies, pharmaceutical companies, academia, medical research organisations, and local government” to collect personal data and research.
Worse, some attacks don’t just go after patient data. They have the potential to threaten the lives of patients themselves as things like pacemakers and insulin pumps go online.
The attacks have also increased. We’ve already reported on how the pandemic has led to the rise of new scams.) The same holds true for attacks that target health and health-adjacent institutions. In fact, at the end of April, the World Health Organization reported that it had seen five times the number of cyberattacks and public scams since the pandemic began.
Lance Whitney at TechRepublic makes the point that healthcare organizations often operate on clunky, old systems that are vulnerable to exploits. That, combined with increased attacks, due to the value of the sensitive data they hold, is a dangerous combination.
It has been widely reported that hospitals have been targeted for ransomware attacks during the pandemic. In short, these types of attacks use malware that blocks or otherwise “holds ransom” data until a fee is paid to release (or not release) the information being held hostage. Hospitals have sensitive, valuable data that needs to remain private and accessible to those that need it. It can be literally a matter of life and death, which makes it more likely that the cash-rich institutions will pay the ransom fee.
And what happens when they don’t pony up the cash to the bad guys? ExecuPhram, a pharmaceutical research company, was a victim that didn’t pay to unlock their own data. Not only were they forced to rebuild from backup servers, the hackers published all the data that they had extracted before they locked it. It was a situation that cost the company time, money, and the trust of its clients.
Tips for Staying out of Danger
There are a few lessons to be learned here, even if you aren’t part of the medical industry.
Fight Phishing and Authenticate Users with Digital Certificates
For one thing, these attacks have also targeted patients – not just the hospitals that help them. Covid-19 has brought out some pretty disturbing phishing scams that take advantage of people’s need for money or their overwhelmed desire for information about the pandemic. Even when everything is extremely stressful and feels urgent, it’s never a waste of time to verify that emails are coming from the institutions that they claim to be from – like insurance companies and hospital groups. (We’ve outlined a few ways to avoid phishing scams already, and you can check those tips out here.)
S/MIME, Document Signing and Client Certificates from SSL.com are one way to fight phishing directly. Digitally-signed emails (and documents) affirm that they come from the people and places that they claim to come from. For institutions that want to add an additional secure authentication factor for remote workers and other users, we’ve also explained how to configure client authentication certificates in web browsers.
Update and Secure Systems and Software
As large medical and medical-adjacent institutions are learning, it’s important to make sure that you are not running old, obsolete versions of software or operating systems that hackers know how to exploit. All of the updates that might seem like a pain to install could save you a lot of pain in the future – oftentimes they include valuable security patches. The software that you have researched enough to trust with your data is doing the work for you. Let it.
One of the key mistakes that hospitals have made is running high-tech cutting-edge software on obsolete and vulnerable operating systems. In March, Fortune reported that “As many as 83% of Internet-connected medical imaging devices – from mammography machines to MRI machines – are vulnerable.” Why? Because Microsoft has dropped support for the Windows 7 operating system that many of the machines run on. One expert likened the security gap to having a “permanently broken window” on the side of your house and hoping that thieves don’t come in.
Remember: you are only secure as your most-vulnerable software. You can have all the million-dollar equipment in the world, and something as basic as a phishing attack can give the bad guys the keys to your patients’ data, or lead to a ransomware attack that holds everything hostage for a pretty penny.
And, finally, you never know what is going to make you attractive to cyberattackers. In most of our eyes the Covid-19 pandemic has given us an appreciation for medical research and medical workers. But others have viewed the global tragedy as an opportunity. Are your systems ready for a huge influx of attention and the bad attention that can come with it? It’s hard to tell when that might come.
For that reason, it’s best to always be prepared. Businesses that operate at all online (which is now probably all of them?) can take steps to make sure that their sites are secure from the client- as well as the business-side. SSL/TLS Certificates allow visitors to know they are visiting the right site and that it is secure, and we’ve laid out the best practices for how to do that. And again, for companies that have remote workers or others that require a way to access sensitive data online, it’s worth checking out client authentication certificates that ensure only approved people can access information by verifying individual identities and keeping any creeps out.