These are terrible times. The healthcare industry is challenged like never before and lives are upended for people across the world. Uncertainty and fear occupy our time more than they did only four months ago. But there is something we all can do to take back some control in what feels like chaotic times. Stay vigilant about cybersecurity and don’t let the hackers win.
Hackers and thieves who lurk on the internet are creative. When one tactic doesn’t work, they’ll figure out one that does. When a patch is developed, they will find a way around it. When people are busy, stressed, or fearful, criminals will find a way in.
The good news is that you can block them by taking a few simple steps. Follow HIPAA, do a Risk Analysis and follow the Risk Management Plan, and your risks are greatly reduced.
Criminals are Taking Advantage of COVID-19
COVID-19 has created new opportunities for hackers to profit. We last wrote about cybersecurity on March 11, focusing on the rise in ransomware. Since then, healthcare has seen more and more attacks, and home networks have become a target.
The news reports began in mid-March, when the U.S. Department of Health and Human Services (HHS) was hit with a cyberattack. Fortunately, HHS’ security defenses detected and stopped the threat and hackers failed to get through.
Only the week before, the Champaign-Urbana Public Health District in Illinois was hit with a ransomware attack amid the agency’s efforts to respond to COVID-19. Good risk management, done in advance, helped the Health District avoid a disaster. About six months earlier it had moved email accounts, environmental health records, and electronic patient health information to the cloud, so there was no need to pay a ransom.
With so many people working from home, there are added risks with the virtual private networks (VPNs) that connect home offices to an organization’s IT network. This risk, too, can be reduced.
In late March, Europol, the European Union’s law enforcement agency, issued warnings about scams arising under the pandemic. The World Health Organization has been hit, and the HHS Office for Civil Rights (OCR) has been warning about COVID-19 fraud schemes.
New York Attorney General Warns of COVID-19 Scams
In mid-April, the Attorney General of New York issued a warning about scams. The scams range from bogus medical treatments, to false advertising for personal protective equipment, to sophisticated phishing attempts offering COVID-19 information. The attacks are hitting the wider public and targeting healthcare workers and providers.
“Individuals should remain vigilant when receiving emails or text messages received claiming to have information about COVID-19 – especially from organizations which they did not sign up to receive alerts from. Some phishing attempts may purport to be from a health authority like the World Health Organization, from someone that makes promises about miracle cures, or asks for donations or other actions. These types of emails may be phishing attempts, where an attacker sends you a message that looks innocent but may contain malware or a link designed to steal an account password.” From the New York State Office of the Attorney General
Learn to Recognize Spearphishing
As always, beware ANY email from an outside source that includes links or attachments. Slow down and Think Before You Click, even on messages that appear to be from the CDC. Some phishing emails that use “CDC” in the sender address are fraudulent: they contain a link to a PDF supposedly about treatment of COVID-19 that is actually a trap to open access to your network.
More advanced phishing techniques are even harder to detect. Spearphishing is a targeted message that sounds familiar and therefore more real. Hackers will use a name from your email contact list as the sender, so the message does not appear to come from an outside source. People are quicker to open links and attachments from someone they believe they know, especially when the content itself sounds plausible.
While spearphishing is trickier, there are two defenses that fight back. One is basic malware protection that helps find and exclude hackers. The second is awareness and education. Provide your workforce with security awareness training, like the kind required by the HIPAA Security Rule. Review, repeat, review.
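As an added example (not part of the original post), here is a small header check that applies the two warning signs described above: a sender address that merely contains “CDC” rather than belonging to cdc.gov, and a familiar contact name paired with an unfamiliar sending domain. The address book, internal domain and the three sample messages are constructed for illustration.

```python
"""Flag phishing indicators in email headers (added example; constructed data)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical address book: display name -> the domain that contact normally uses.
KNOWN_CONTACTS = {"Jane Doe": "clinic.example"}
INTERNAL_DOMAINS = {"clinic.example"}          # constructed internal domain
TRUSTED_AGENCIES = {"cdc": "cdc.gov"}          # keyword -> the only legitimate domain


def phishing_indicators(raw_message: str) -> list[str]:
    """Return reasons a message deserves a second look before anyone clicks."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower() if "@" in addr else ""
    reasons = []
    # 1. Spearphishing: a familiar display name sent from an unexpected domain.
    expected = KNOWN_CONTACTS.get(name)
    if expected and domain != expected:
        reasons.append(f"display name '{name}' but sender domain is {domain}")
    # 2. Lookalike agency domain: "cdc" appears, but it is not cdc.gov or a subdomain.
    for keyword, real in TRUSTED_AGENCIES.items():
        if keyword in domain and domain != real and not domain.endswith("." + real):
            reasons.append(f"domain {domain} imitates {real}")
    # 3. External sender carrying links or attachments: slow down, think before you click.
    if domain not in INTERNAL_DOMAINS:
        has_attachment = any(part.get_filename() for part in msg.walk())
        texts = [p.get_payload(decode=True).decode(errors="ignore")
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        if has_attachment or any(re.search(r"https?://", t) for t in texts):
            reasons.append("external sender with link or attachment")
    return reasons


# Constructed sample messages (not real senders or domains).
SPOOFED_CDC = """From: CDC Health Alert <alerts@cdc-gov-update.example>
To: staff@clinic.example
Subject: COVID-19 treatment guidance
Content-Type: text/plain

Please review the guidance: https://cdc-gov-update.example/treatment.pdf
"""
IMPERSONATED_CONTACT = """From: Jane Doe <jane.doe@mail-service.example>
To: staff@clinic.example
Subject: Re: patient schedule
Content-Type: text/plain

Can you confirm the schedule for Monday?
"""
INTERNAL_OK = """From: Jane Doe <jane.doe@clinic.example>
To: staff@clinic.example
Subject: lunch
Content-Type: text/plain

Lunch at noon? https://clinic.example/cafeteria
"""
```

A check like this only narrows the list; a message with no indicators still gets the Think Before You Click treatment the post recommends.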
Stop Attacks on Virtual Private Networks
When organizations sent employees home to work starting in early March, a new risk opened. Hackers are looking for and finding vulnerabilities in telework setups.
On March 13, 2020, the Department of Homeland Security (DHS) issued an alert about virtual private networks (VPNs). It was updated on April 15.
Read the one-page alert for a full explanation, but several of the key tips it discusses are:
- Update and patch all software and all devices with the latest guidance
- Alert employees to phishing risks and review cybersecurity training
- Use Multi-Factor Authentication for all connections and strengthen passwords
Check on Your Business Associates
Business Associates in healthcare are vulnerable too. On Friday, April 17, a major IT consulting firm, Cognizant, was hit with ransomware. The attack came from Maze, an aggressive ransomware that emerged in 2019 and has been growing in strength. In January, the FBI issued a private alert to businesses in the United States to warn them about Maze and provide tips on how to prevent attacks.
The lesson in healthcare is to stay on top of business associates. Your HIPAA compliance requires that you do “due diligence”, which simply means asking several key questions and putting an agreement in place:
- Do you have up to date HIPAA policies and procedures?
- Have you completed a HIPAA Risk Analysis, and do you follow a Risk Management Plan?
- When was your last comprehensive Risk Analysis?
- In every case, execute a business associate agreement
Three Big Cybersecurity Risks (and what to do about them)
For all the risks, start with a HIPAA Risk Analysis. If you haven’t completed one, start now. If you have completed one, review and refresh it. Included in the Risk Management plan (from your Risk Analysis) is workforce security training. Employee awareness is the first building block for cybersecurity defense.
- Ransomware – Defend against ransomware with malware protection, patches and updates, and cybersecurity awareness among employees. The strongest guarantee against ransom demands is daily data backup to a remote and separate location, unconnected to your organization’s internal network. The FBI warns against paying ransom since it doesn’t prevent the loss of your data and it emboldens the criminals to do it again, to you or others. If it happens, immediately tell your lawyer, and let them guide you about next steps, including informing the FBI, DHS, and OCR.
- Spearphishing – Review phishing tactics and defenses with employees, review password protection policies, and use multi-factor authentication for network connections.
- Business Associates – If you haven’t yet, do the due diligence HIPAA requires: make sure they have HIPAA policies, ask them the questions above, and enter into a business associate agreement.
HIPAA Risk Analysis is the Best Defense
All of the current cybersecurity risks of COVID-19 can be greatly reduced by completing a Risk Analysis and following the Risk Management Plan that comes out of it. Now is the time.
The HIPAA E-Tool® has an easy to follow, step by step guide with interactive forms to complete everything needed in a fully compliant HIPAA Risk Analysis, including the NIST standards (from the National Institute of Standards and Technology). And if you have questions as you go through it, we are a phone call away.