With all the attention being paid to COVID-19 today, it’s easy to lose track of other vital priorities.
Cybersecurity and vigilance are more important than ever. The Coronavirus public health crisis is making cybersecurity more challenging because fear is one of the most tempting hooks in phishing and ransomware. Beware of emails, texts or phone calls that promise help or use threats related to COVID-19.
Don’t click, reply or forward texts or emails. Hang up.
Ransomware Grew in 2019
Last year, before COVID-19 was in the news, ransomware was on the rise. Some studies show that ransomware in healthcare grew by 350% in the fourth quarter of 2019. This was a huge increase, but not entirely unexpected, given the increases year after year. Hackers are entrepreneurs, and when successful, they ramp up and find new opportunities for profit.
Although the growth in ransomware was not unexpected, Coronavirus took the world by surprise. Now the combination is creating a dangerous environment for healthcare, which is more vulnerable during a crisis. Remember also that since 2016 the Office for Civil Rights (OCR), the agency responsible for enforcing HIPAA, has declared that a ransomware attack that encrypts protected health information (PHI) is presumed to be a breach requiring a HIPAA breach risk assessment.
Ransomware and Cybersecurity in 2020
COVID-19 Fear
On March 9, 2020, the U.S. Secret Service (in the Department of Homeland Security) issued a COVID-19 (Coronavirus) phishing alert.
“Criminals are opportunists, and as seen in the past, any major news event can become an opportunity for groups or individuals with malicious intentions. The Coronavirus is no different.”
The Secret Service warns of three trending fraudulent schemes:
- Phishing: by far, this is the most dangerous and costly to healthcare, and it’s the pathway in for ransomware.
- Social Engineering: on various legitimate social media sites, using psychology to exploit charitable sentiment and persuade people to donate money to fake causes.
- Non-delivery of items in demand: posing as a medical supply company, criminals will obtain payment but never deliver the scarce items everyone is looking for, like masks or hand sanitizer.
Phishing
The headlines every day bring new schemes. Yesterday we learned that hackers have sent insurance, healthcare, and pharmaceutical companies false HIV test results in malicious emails in hopes of luring victims into an emotional response, a good example of social engineering in phishing.
The Secret Service describes other new emails circulating that appear to be from legitimate medical or health organizations. They contain attachments that supposedly offer more guidance, but once opened, malware infects the users’ computers.
Some emails spread fake information, with or without attachments, supposedly from reputable health organizations, e.g., “the Stanford hospital board” or “Johns Hopkins research”. They contain urban legends, hearsay and rumor, and are harmful because they distract from what is true and what really matters. A popular false claim this week is that drinking water every 15 minutes helps fight coronavirus. It’s not true. Resist “special advice” and stick to sources you trust and can verify.
Quick Tips from the Secret Service:
- Phishing Emails/Social Engineering – Avoid opening attachments and clicking on links within emails from senders you do not recognize. These attachments can contain malicious content, such as ransomware, that can infect your device and steal your information. Be leery of emails or phone calls requesting account information or requesting you to verify your account. Legitimate businesses will never call you or email you directly for this information.
- Always independently verify any requested information originates from a legitimate source.
- Visit websites by inputting the domain name yourself. Businesses use encryption, Secure Socket Layer (SSL). Certificate “errors” can be a warning sign that something is not right with the website.
The HIPAA E-Tool® Helps You Manage Risks
Today’s public health crisis requires smart solutions. We can help you manage your biggest challenges in cybersecurity, because the best defense against cybercrime is strong HIPAA compliance, including Risk Analysis-Risk Management.
We stay up-to-date and can help with all the risks and dangers you need to avoid. The HIPAA E-Tool® has an interactive Risk Analysis-Risk Management module and workforce training in cybersecurity.
Call us if you have questions.