Cybersecurity in times of coronavirus: advice for the healthcare sector

With the coronavirus crisis in full swing, healthcare institutions run an increased risk of being targeted by various forms of cybercrime. In recent weeks there has been a noticeable increase in ransomware attacks specifically targeting hospitals.

1: Tackling cybercrime: how to protect your organization

Cybercriminals have eagerly taken advantage of ‘the new normal’: a world in lockdown where an unprecedented number of teleworkers and a heavily overburdened healthcare sector have had to continue to perform under enormous pressure.  

Now that the infection peak seems to be behind us, we are starting to relax lockdown measures – albeit very gradually and with many exceptions. As the government works on these exit plans it remains important not to relax our vigilance when it comes to cybersecurity. 

And although IT departments now have a little more breathing space to review, test and adjust the last-minute solutions they have had to set up over the past few weeks, the pressure is still on for them as well. 

In the next few days we will be launching a series of articles in which we will take a closer look at the security threats the healthcare sector is facing. We’ll offer a number of helpful tips and checklists that IT departments can use in the fight against cybercrime, both during and after the current coronavirus crisis. Of course, other sectors or industries may benefit from them as well. 

Let’s start by mapping out the ‘threat landscape’.

The threat landscape in times of coronavirus

We can roughly divide the threat landscape into four sections:

  1. Ransomware attacks as a result of: 
    • phishing or other email traffic that uses social engineering techniques to extract sensitive information from the recipient
    • apps or websites that pretend to provide information about the virus and its spread in order to install malware/ransomware 
    • exploitation of vulnerabilities in existing network infrastructure, such as gateways and VPNs 
  2. Unsanctioned installation of insecure and privacy-unfriendly tools or shadow IT for teleworking, teleconsulting or teleconferencing 
  3. Unauthorized physical access to restricted areas. During the current crisis, this can happen because there is a reduced staff presence in certain areas or an increased presence of new, temporary, unknown and/or unrecognizable caregivers
  4. Threats from inside, such as:
    • Accidental human errors due to the rapid introduction of new procedures, tools, technology, responsibilities, tasks, etc. 
    • Intentional misuse and/or theft of private data due to increased work pressure, stress, dissatisfaction, etc.  

In this blog post, we’ll elaborate on the first of these issues: ransomware, providing IT departments with guidance and examples to help raise awareness among end users. We know from experience that heightened awareness leads to a lower number of incidents. Many of these instructions may seem obvious, and they should be. But we all know that most incidents are caused by easily avoidable errors, ignorance or carelessness. The following guidance can help employees to be extra vigilant at all times.


Informing your employees about ransomware 

What exactly is ransomware?

Ransomware is a form of malware: malicious software that takes computer files, and often entire networks, hostage. The files on those computers and networks are either encrypted (crypto-locker ransomware) or the device is locked (screen-locker ransomware) until a ransom is paid. The ransom is usually demanded in bitcoin or another cryptocurrency, which is pseudonymous and much harder to trace back to a person than a bank transfer, and has to be paid before a certain date.

How can ransomware affect your company?

Ransomware attacks often start with a phishing mail. This is an email from a sender who pretends to be someone else, e.g. the employer, a bank employee, etc. These emails often contain hyperlinks that lead the victim to a fake website, which is usually a convincing copy of the original website. The purpose of phishing is to extract sensitive information, such as logins and passwords for accounts on company networks. The victim is asked to sign into the fake website with his/her login and password. Once they have these credentials, cybercriminals can log into computers and systems in your network, map it, look for vulnerabilities, install malware, and perform other actions that lead to an eventual ransomware attack. This is also why multi-factor authentication on remote access (VPN, webmail, cloud accounts) matters so much: a stolen password alone is then no longer enough to get in.

Checklist

The list below offers a number of tips to help employees detect scams:

    1. Check sender and email address
      Check whether the name of the sender of the email matches the email address belonging to that person.
      COVID-19 case study: Recently, several attackers have sent emails posing as employees of the World Health Organization (WHO). The WHO has issued an official alert stating that all WHO staff have an email address in the format ‘name@who.int'. The WHO does not send emails from other domains such as @who.com, @who.org, @who-safety.org etc. However, the sender address shown in your mail client can be forged: unless the receiving mail server checks SPF, DKIM and DMARC, a phishing mail can appear to come from a @who.int address. Being vigilant means looking at the bigger picture, and screening emails for the other suspicious elements mentioned below.
    2. Be careful with attachments
      Don’t open attachments in emails from senders you don’t know, or attachments you weren’t expecting from senders you do know. And don’t forget to make sure you have the most recent version of your antivirus software on your private laptop or device. If you don’t want to pay for software, there are several free alternatives that offer basic protection.
      COVID-19 case study: This scam sends its victims an email from a local hospital informing them that they may be infected and need to be tested. They are asked to print out an Excel attachment and take it with them to the hospital. When the Excel file is opened, they are prompted to enable macros; these trigger the installation of malware. A document you received by email never needs macros to be printed, so never click ‘Enable content’ on such a prompt; IT departments can also block macros in documents from the internet centrally.
    3. Check hyperlink URLs before clicking them
      Don’t click on hyperlinks in emails from senders you don’t know. You can check a URL by hovering over it with your mouse cursor. If it doesn’t match the URL you expect to see, it might be phishing. Fake websites usually look perfectly authentic down to the smallest details (logo, colours, font, etc.), with only the URL being fake.
      COVID-19 case study: This scam routes recipients of a fake DHL shipping mail to a ‘Help Fight Coronavirus’ website featuring the logos of the WHO and the United Nations along with a ‘make a donation’ button, through which the FireBird remote access trojan (RAT) is spread. The website looks pretty convincing, but the URL is definitely suspicious (unfoundation.website).
    4. Make sure you use the right channel for sensitive information
      Don’t give out confidential information via channels through which you wouldn’t expect to provide such information – e.g. login and password via chat, WhatsApp, email, etc. This doesn’t only happen online. Phone scams are also very common. When in doubt, verify the request with the supposed sender through a channel you already know and trust (for example, phone your IT or HR department directly rather than using the contact details in the message).
      COVID-19 case study: People working from home are prompted by email to read about ‘new business procedures’ relating to coronavirus on a fake but well-designed OneDrive page. Both the unusual writing style and the fact that the update has to be read via OneDrive are suspicious, especially if this type of information is normally never communicated via this channel. In this case the attackers are after your OneDrive login information.
    5. Be alert for incorrect language and a different communication style
      Pay attention to the language used in the message: a generic email address, vague language, spelling mistakes, and a tone that does not feel completely ‘right’ or is different from the usual way of communicating... these can all point to phishing.
      COVID-19 case study: See the example above under item 4. Phishing emails often contain grammatical errors and typos, such as in this scam, featuring a so-called WHO email (‘fever,coughcshortness of breath’).
    6. Screen COVID-19-related mobile apps before you download them
      Use your common sense before downloading COVID-19-related mobile apps. Some of them spread fake news in an attempt to lure you to a website that then installs malware on your smartphone and locks it until you pay.
      COVID-19 case study: There are several mobile apps out there that claim to warn people when they are near an infected person. Typically these apps are offered for download from a website rather than through the official App Store or Play Store. These apps install malware, e.g. CovidLock: ransomware that locks the smartphone and threatens to expose the data on it unless a ransom is paid in bitcoin.
    7. Stay calm and use your common sense
      As we said at the beginning of this article: it’s a sad fact that cybercriminals are exploiting this crisis and the pressure and stress people are faced with. You should always screen emails that are coronavirus related and that exploit human emotions (fear, desire for information, self-preservation, helpfulness, etc.). Examples include:
        • cancellations due to coronavirus (hotel, aeroplane, conference, holiday, etc.) where you have to enter sensitive information
        • extremely urgent requests ‘before it's too late’ (to get tested, to sign up somewhere etc.)
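Several of the items above (sender domain, reply address, mail authentication, link text versus link target) can be checked mechanically before a human ever looks at the message. The Python script below is an added example, not code from the original article: it parses a raw email and returns a list of findings for checklist items 1, 3, 4 and 5. The trusted-domain list, the sample message, the domains in it and the ‘lookalike domain’ heuristic are constructed for illustration; the Authentication-Results header is only meaningful when it was added by your own receiving mail gateway, since a sender can insert a fake one.

```python
"""Phishing triage for a raw e-mail: sender domain, Reply-To, SPF/DKIM/DMARC
results and anchor text vs. link target. Added example; the sample message and
TRUSTED_DOMAINS are constructed, not taken from a real incident."""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list of domains the organization expects mail from.
TRUSTED_DOMAINS = {"who.int", "example-hospital.be"}
FAIL_VALUES = {"fail", "softfail", "permerror", "temperror"}
URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(text):
    """Lower-cased hostname of a URL-looking string; '' if it is not URL-like."""
    text = text.strip()
    if not URL_LIKE.match(text):
        return ""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def registrable(domain):
    """Second-level label, e.g. 'who-safety' for who-safety.org (public-suffix rules simplified)."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def lookalike(domain):
    """Trusted domain that `domain` imitates, or None. Heuristic: an untrusted
    domain whose second-level label embeds a trusted label of 3+ characters."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    label = registrable(domain)
    for trusted in TRUSTED_DOMAINS:
        t = registrable(trusted)
        if len(t) >= 3 and t in label:
            return trusted
    return None


def triage(raw_message):
    """Return a list of (code, detail) findings for a raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    sender = msg["From"].addresses[0] if msg["From"] and msg["From"].addresses else None
    from_domain = sender.domain.lower() if sender else ""
    display = sender.display_name if sender else ""

    # Item 1: real sender domain imitating a domain we trust (who-safety.org vs who.int).
    target = lookalike(from_domain)
    if target:
        findings.append(("lookalike_sender", f"{from_domain} imitates {target}"))
    # Item 1: display name that embeds an address from another domain ('"a@who.int" <b@evil.example>').
    shown = re.search(r"@([\w.-]+)", display)
    if shown and shown.group(1).lower() != from_domain:
        findings.append(("display_name_mismatch", f"shows @{shown.group(1)}, sent from {from_domain}"))

    # Item 4: replies silently routed to a different domain than the visible sender.
    reply = msg["Reply-To"]
    if reply and reply.addresses and reply.addresses[0].domain.lower() != from_domain:
        findings.append(("reply_to_mismatch", f"Reply-To {reply.addresses[0].domain} differs from From {from_domain}"))

    # Item 1: SPF/DKIM/DMARC verdicts, trustworthy only when stamped by our own gateway.
    results = msg.get_all("Authentication-Results", [])
    failed = [f"{k}={v}" for hdr in results
              for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr).lower()) if v in FAIL_VALUES]
    if failed:
        findings.append(("auth_failed", ", ".join(failed)))
    elif not results:
        findings.append(("auth_missing", "no Authentication-Results header; sender not verified"))

    # Item 3: visible URL text pointing somewhere else, or a lookalike link target.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for text, href in parser.links:
            shown_host, real_host = host_of(text), host_of(href)
            if shown_host and real_host and shown_host != real_host:
                findings.append(("link_text_mismatch", f"text shows {shown_host}, link goes to {real_host}"))
            target = lookalike(real_host)
            if target:
                findings.append(("lookalike_link", f"{real_host} imitates {target}"))
    return findings


# Constructed sample modelled on the WHO and DHL scams described above.
SAMPLE = """\
From: "World Health Organization" <alerts@who-safety.org>
Reply-To: covid-reply@mail.example.net
To: nurse@example-hospital.be
Subject: URGENT: new COVID-19 safety measures
Authentication-Results: mx.example-hospital.be; spf=fail smtp.mailfrom=who-safety.org; dkim=none; dmarc=fail header.from=who-safety.org
Content-Type: text/html; charset="utf-8"

<html><body><p>Read the new measures before it is too late:
<a href="http://unfoundation.website/login">https://www.who.int/emergencies/covid-19</a></p></body></html>
"""

if __name__ == "__main__":
    for code, detail in triage(SAMPLE):
        print(f"{code:22} {detail}")
```

Run against the sample, the script flags the lookalike sender domain, the diverging Reply-To, the failed SPF and DMARC checks and the link whose visible text names www.who.int while the target is unfoundation.website. In practice such a script sits behind a ‘report phishing’ button or in a mail-gateway rule, so that the obvious cases are caught even when the reader is rushed.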

No matter how difficult it is, try not to react too quickly or let yourself be pressured into doing something. If you have any doubts about an email, contact the travel agency, your helpdesk or IT department, HR department, etc. by phone, using a number you already have rather than one given in the email.

What to do if you have received a phishing mail?

If you suspect you have received a phishing email, be sure to contact your IT department and/or helpdesk immediately. Some mail clients let you report phishing directly using a ‘report phishing’ button. Don’t delete the email until you have reported it; IT needs the original message, including its headers, to investigate. If you have clicked on a suspicious hyperlink by accident: close your browser and disconnect the network connection (unplug the cable or switch off Wi-Fi), then contact your IT department or helpdesk before doing anything else. Follow their instructions on whether to switch the PC off: isolating it from the network stops the malware from spreading, while a full power-off can destroy traces in memory that the investigation may need.

Would you like to know more about phishing? 

https://coronavirusphishing.com/
https://fraudwatchinternational.com/active-scam-incidents/
https://github.com/MishcondeReya/Covid-19-CTI