Original Release Date: 4/8/2020
As the healthcare sector ramps up operations to manage the influx of COVID-19 cases, major organizational and networked system changes may leave these organizations vulnerable to cyberattacks. Cyber-criminals are already targeting healthcare organizations, specifically hospitals, with phishing campaigns, ransomware, and other malicious activity that can adversely impact health information technology, medical response, and patient safety. As cases of the virus increased in the US, so did the number of email-based phishing campaigns referencing COVID-19. With the healthcare sector consumed by COVID-19 management and response, cyber-criminals are using the distraction to their advantage.
Facilities treating COVID-19 patients, laboratories testing potential vaccines, and other virus-testing labs have been targeted by ransomware throughout the pandemic, further complicating their efforts to protect public health and safety. Recent ransomware incidents include an Illinois public health district website, a Czech hospital, and a medical testing facility in the UK. These facilities are attractive targets because their services are more vital now than ever, which attackers may interpret as a greater willingness to pay a ransom if impacted. Past ransom amounts in ransomware attacks against healthcare systems have ranged from hundreds of thousands to millions of dollars.
Recently implemented or expanded medical systems, equipment, and medical internet-of-things (IoT) devices connected to healthcare facility networks may increase the organization's attack surface. Beyond the direct threat to patient safety and care, a compromised medical IoT device can be used as a foothold for further attacks against other systems on the same network, amplifying the damage. As healthcare facilities rapidly change their infrastructure, they are advised to exercise due care and extreme vigilance, as a successful cyberattack will exacerbate their current challenges.
To reduce the cybersecurity risk to healthcare organizations, the NJCCIC recommends the following best practices for users and administrators:
• Reinforce security awareness principles and cybersecurity best practices for password security, email and Internet use, and incident reporting.
• Ensure all default passwords are changed to strong, unique passwords on all devices and systems, including medical and IoT devices that are rarely logged into directly.
• Enable multi-factor authentication as technically and operationally feasible.
• Harden systems and devices by disabling all unnecessary ports, protocols, and services, limiting functionality to only what is required.
• Maintain all hardware and software at the latest vendor-supported security patch levels.
• Deploy anti-malware software on all endpoints capable of running anti-malware software.
• Apply the principle of least privilege, limiting access to the minimal level users require to carry out their duties and responsibilities.
• Implement network segmentation, keeping medical IoT devices on their own network segment, separated from clinical and other critical systems, with traffic between segments restricted to what is required.
• Continuously monitor all system, network, application, and user activity for suspicious or anomalous behavior.
• Establish a comprehensive business continuity program that includes a data backup plan in which multiple copies of backups are stored off the network and in a separate, secure location, and in which restoration from those backups is tested regularly.
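Two of the points above, the rise in COVID-19-themed phishing and the call for continuous monitoring of user and email activity, lend themselves to a concrete check. The following is an added example, not part of this advisory or of any NJCCIC tool: a Python triage script that scores raw inbound messages on header and body signals a mail gateway or SOC script could apply. The organization domain example-hospital.org, the trusted-domain and trusted-name lists, the scoring weights, and the three sample messages are all assumptions constructed for the example, not real captures.

```python
"""COVID-19 lure phishing triage over raw RFC 5322 messages.

Added example, not part of the NJCCIC advisory. Organization and trusted
domains below are placeholders; the sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed organization domain and external senders staff are likely to trust.
ORG_DOMAIN = "example-hospital.org"
TRUSTED_DOMAINS = {ORG_DOMAIN, "cdc.gov", "who.int"}
# Org names an attacker may put in the display name; matched as whole words.
TRUSTED_NAMES = ("cdc", "who", "example hospital", "it helpdesk", "it help desk")
# Lure terms matched at a word boundary on the left only ("covid-19", "n95s").
LURE_TERMS = ("covid", "coronavirus", "pandemic", "ppe", "n95", "test result")
CRED_REQUEST = re.compile(
    r"\b(verify|confirm|update|reset|validate)\s+your\s+(account|password|credentials|login)\b"
    r"|\bpassword\b", re.I)

# Weights: a lure word alone is normal traffic in a hospital during an outbreak,
# so on its own it must stay below THRESHOLD.
WEIGHTS = {"lure_subject": 1, "reply_to_mismatch": 2, "display_name_spoof": 3,
           "lookalike_domain": 3, "credential_request": 2}
THRESHOLD = 3


def _domain(addr):
    """Lower-cased domain part of an address header, '' if absent."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _flat(domain):
    """Strip separators so 'cdc-gov.com' and 'cdc.gov' compare as 'cdcgovcom'/'cdcgov'."""
    return re.sub(r"[^a-z0-9]", "", domain.lower())


def _levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True if domain imitates a trusted domain (typo or embedded name) without being one."""
    if domain in TRUSTED_DOMAINS:
        return False
    return any(_levenshtein(domain, t) <= 2 or _flat(t) in _flat(domain)
               for t in TRUSTED_DOMAINS)


def triage(raw):
    """Return (score, flags) for one raw message; score >= THRESHOLD means suspicious."""
    msg = message_from_string(raw)
    name = parseaddr(msg.get("From", ""))[0].lower()
    from_dom = _domain(msg.get("From", ""))
    reply_dom = _domain(msg.get("Reply-To")) if msg.get("Reply-To") else from_dom
    subject = msg.get("Subject", "").lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    flags = []
    if any(re.search(r"\b" + re.escape(t), subject) for t in LURE_TERMS):
        flags.append("lure_subject")
    if reply_dom != from_dom:
        flags.append("reply_to_mismatch")
    if from_dom not in TRUSTED_DOMAINS and any(
            re.search(r"\b%s\b" % re.escape(n), name) for n in TRUSTED_NAMES):
        flags.append("display_name_spoof")
    if is_lookalike(from_dom):
        flags.append("lookalike_domain")
    if CRED_REQUEST.search(body):
        flags.append("credential_request")
    return sum(WEIGHTS[f] for f in flags), flags


def is_suspicious(raw):
    return triage(raw)[0] >= THRESHOLD


# Constructed sample messages (not real mail).
SAMPLE_LEGIT = """From: Infection Control <infection.control@example-hospital.org>
To: staff@example-hospital.org
Subject: COVID-19 staffing update for week 15

Unit assignments for the surge floors are attached. Questions to the command center.
"""
SAMPLE_PHISH = """From: CDC Emergency Response <alerts@cdc-gov.com>
Reply-To: response-desk@mail-relay.example.net
To: staff@example-hospital.org
Subject: COVID-19 safety measures - action required

New exposure guidance is available. Verify your account at
https://cdc-gov.com/login to continue receiving alerts. Your password
will expire in 24 hours.
"""
SAMPLE_VENDOR = """From: Supply Desk <orders@vendor-example.com>
To: purchasing@example-hospital.org
Subject: PPE shipment delayed due to coronavirus restrictions

Pallet 4 of your N95 order ships Friday. Tracking follows in a separate message.
"""

if __name__ == "__main__":
    for label, raw in (("legit", SAMPLE_LEGIT), ("phish", SAMPLE_PHISH), ("vendor", SAMPLE_VENDOR)):
        print(label, triage(raw), "SUSPICIOUS" if is_suspicious(raw) else "ok")
```

The point of the weighting is the failure mode a naive keyword filter has in this environment: during an outbreak most legitimate hospital mail mentions COVID-19, so the lure term contributes one point and cannot cross the threshold alone. The internal staffing update and the external vendor notice both score 1, while the lookalike-domain message accumulates points from the Reply-To mismatch, the spoofed display name, the imitation domain, and the credential request. The lists and weights should be tuned to local traffic before anything is blocked rather than merely flagged for review.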
For additional information, please see the following resources:
• Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients
• NJCCIC Ransomware: Risk Mitigation Strategies and Ransomware Threat Profile
• Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA): The Internet of Things: Impact on Public Safety Communications
• New Jersey Office of Homeland Security and Preparedness COVID-19 Rumor Control and Disinformation Updates (Cyber Alerts)
• Network of ‘Things’ (NIST Special Publication 800-183)
• State of New Jersey Statewide Information Security Manual
• CISA: Stop. Think. Connect.
The NJCCIC encourages recipients who discover signs of malicious cyber activity to report it to the NJCCIC via the cyber incident report form.
Please do not hesitate to contact the NJCCIC at njccic@cyber.nj.gov with any questions.