The Expanding COVID Attack Surface
How We Can Come Together to Defend Against Cyberattacks to Emerge Stronger
COVID-19 is a killer virus, with deadly outcomes every day that are profoundly impacting lives, economies and futures. While the worst of the pandemic is well known, the response from the heroic healthcare workers, companies and industries is also getting attention. Healthcare workers are clearly noted as essential and critical. As a result, they are being celebrated with daily claps emanating from windows of the world. And these workers and organizations are being targeted by groups looking to profit from or undermine their good works.
Healthcare is a wide and diverse label, going beyond hospitals and giant pharma companies to include the doctors and nurses, first responders of every stripe, supply chains and cleaning staffs and caterers. This sector includes scientists working on a vaccine, mashups working on track and trace, startups working on testing technology and municipal testing programs for the masses. And every healthcare employee, volunteer, company, nonprofit and non-governmental or governmental organization is now a high-value target.
Since the pandemic hit, we have real evidence of cyber targeting of the healthcare sector. In these last few months, we’ve seen:
- A Colorado hospital hit by ransomware
- The FBI calling out an increase in nation-state hackers targeting U.S. medical research and healthcare organizations
- The World Health Organization (WHO) experiencing a five-times increase in cyberattacks
- The U.S. Department of Health and Human Services (HHS) facing a new wave of cyberattack attempts
- Chinese company Huiying Medical breached in an event in which attackers stole its COVID-related intellectual property, including source code and valuable testing data
- Ambry Genetics was successfully hacked, potentially exposing more than 200,000 patient medical records
Meanwhile, the pace of response by those racing to deliver helpful services to constituents is introducing errors that can be equally crippling. An example of this is the U.S. Small Business Administration (SBA) rushing to launch a web portal designed to help companies apply for their share of over a trillion dollars in COVID relief. However, a security mistake related to that effort exposed nearly 8,000 applications, which included personal, corporate and credit information.
With trillions of dollars at stake and a geo-political push for supremacy of the post-COVID new normal, the attacks are increasingly well funded, well organized and well executed. Be they from foreign intelligence services or trans-national criminal gangs, these efforts are now targeting an expanded attack surface including employees working from home instead of from a secured office, a plethora of companies that only recently became top targets, an absence of a trusted supply chain and a time crunch that may cause a trade-off between security and timeliness. This combination has made for a dangerous scenario in our world today.
Given these realities, the healthcare sector and those that are healthcare-adjacent are advised to step up their defenses in at least three key areas.
The first is in security awareness. Organizations should take the time to plug into some of the great advice that is being made available both from the government, in the form of the Cybersecurity and Infrastructure Security Agency (CISA), and from the private sector, in the form of the Health Information Sharing and Analysis Center (H-ISAC). Helping staff understand their current threat environment as it relates to them, and providing actionable advice on recommended defenses, will go a long way in tightening our sector-wide defenses. This advice should be coming not only from security experts, but from healthcare leaders themselves, ranging from executives and administrators to top doctors who are influential in their environments.
The second area of stepped-up defense is a renewed focus on patient privacy. Typically, systems are built and deployed to meet the privacy requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). While compliance is still important, the privacy bar should be raised to take into account a new normal that might involve testing an entire population, tracking and tracing citizens’ movements across time and sharing lists of patient results with a wide variety of partners, which could include employers, neighbors, family and friends. These systems are being designed and tested right now, and must keep a strong focus on privacy well beyond simple compliance.
The third defensive area of focus must be a stronger network cyber defense. This is the time to embrace new thinking about cybersecurity. That includes concepts such as Zero Trust, architectures that are cloud-centric and mobile-driven, identity that leverages biometrics and FIDO2, networks that are software-defined and defenses that are dynamic.
COVID-19 has reshaped our world, and the global healthcare sector is our first line of defense against this pandemic. It is the obligation of the rest of society – from governments to the security sector – to do what we can to protect them in our new normal.
Defending well today and together will make it possible to emerge stronger tomorrow.