Healthcare organizations are strained due to the ongoing COVID-19 pandemic, and sophisticated hacking groups are treating this unfortunate situation as an opportunity to initiate malicious cyber campaigns.
These malicious campaigns have recently been exposed by security agencies in the United States and United Kingdom, with the National Cyber Security Centre (NCSC) and the Cybersecurity and Infrastructure Security Agency (CISA) releasing an official statement last week.
The Hackers’ Target
Though this report was released just last week, it’s clear that hackers wasted no time in targeting healthcare workers and COVID-19 researchers. Early in April, it was revealed that hackers gained access to sensitive information after targeting a California-based biotechnology firm working to learn about the coronavirus. Unfortunately, there have been other victims.
What are these hacking groups after? Predictably, they are after bulk personal information as well as intellectual property and intelligence.
These attacks are being characterized as advanced persistent threats (APT), which are covert attacks on computer networks that allow the hackers to maintain unauthorized and undetected access for a significant period of time.
How to Protect Your Healthcare Organization
Most of these malicious campaigns come in the form of password spraying, which is the use of common passwords to attempt to access each account on a network. All it takes is a few accounts using common/simple passwords for a hacking group to gain access.
Luckily, there are several steps healthcare organizations can take to mitigate the risk of a cyberattack:
- Promote Cybersecurity Awareness
Cybersecurity awareness should be a standard aspect of company-wide COVID-19 updates. Discussing awareness and current or possible cybersecurity threats with your entire organization is an important first step. COVID-19 phishing campaigns are common, and it’s important for healthcare workers to be able to identify and report these types of scams.
Encourage employees to use vigilance when checking emails, especially from outside sources. Additionally, suggest that staff access necessary websites directly instead of relying on embedded email links.
- Create New Password Standards
Since many of these hacker groups are targeting common passwords, make sure each employee understands what these common words or phrases are. Updating password requirements to include three random words can greatly improve password security and lessen the risk of a successful malicious attack.
- Two-Factor Authentication
Two-factor authentication is essential to maintaining password security these days. This means requiring additional verification beyond the standard email address and password. Two-factor authentication can come in a variety of forms, including security questions and randomly generated codes sent by email, text message, or phone call.
With two-factor authentication in place, hackers will not be able to employ the “password spraying” method and employees will be notified by any attempted logins.