There’s no question that we’re all a bit on edge these days. We’re facing and coping with a host of unknowns wrapped up in what we call COVID-19. Some of these unknowns are innocuous: “Will I run out of toilet paper?” Some are logistical: “When will my kids go back to school?” “When will we as a nation return to business-as-usual?” And perhaps others are ontological: “What if I get sick and don’t recover?”
These and other questions are weighing on my own mind. But as a former CISO in the healthcare sector, I admittedly have a few more rattling in my head: Will we look back at this event and emerge successful in managing the cyber risks while all the chaos was going on? And what did we learn that will take us to a new level of understanding in how to protect our environments during any future crises?
In my own executive experience, I have always found that every crisis produced winners and losers, and while some of the events were difficult to get through, most found a silver lining. I believe this one will as well. I am confident that we will adapt to new norms, and that we will realize that fighting the fight moving forward will need to be a team sport rather than singles play.
On the other hand, I think our adversaries have also had winners and losers — with their edge being the element of surprise. You see, in cyberspace’s inherently unsettling underbelly, there’s something about precarious times that exposes new opportunities for the bad actors to potentially exploit. They know that workers in any department, as well as security teams, are off responding to areas outside their normal job duties. They capitalize on distraction — and at times even confusion. It is during such situations that they see greater opportunity, knowing our ability to maintain diligent focus on security items is compromised.
A physical world analogy of this “state of the state” might be the sudden closure of a subway entrance in NYC at five o’clock in the evening. Thousands of people cramming the steps of the entrance as they have done for years are now bundling together in a temporary state of confusion. To the pickpocket, this scene represents the ultimate dream. And so it is for our adversaries.
The reality we’re facing is that it doesn’t matter if it is a pandemic as we’re experiencing now or any event that challenges and strains the “norm.” At every turn, the adversaries are ready to seize the opportunity. Recessions, military conflict, earthquakes, political and diplomatic changes, and even major sporting events, to name a few. Will this current event be different from those?
Time will tell for sure, but the following is a snapshot of what we have seen thus far and my own perspective on what we should be looking out for. My intent is not to cover the full scope of threats to healthcare as a sector, but to address the items that may be more prominent.
We can expect the following workplace changes as a result of COVID-19:
- Knowledge workers and security teams working remotely may not have access to the same security protections as at their office location
- Remote workers are also addressing family concerns at home
- Scarcity of resources for family members could induce anxiety
- The financial market downturn weighs heavily on workers’ minds
- Overall confidence is shaken
- A good part of the day may be spent following news feeds and websites for updated information
These elements may generate distraction, leading to opportunities for attack groups to:
- Escalate phishing attacks targeted at remote workers in order to execute malicious code for data exfiltration and ransomware
- Create and market new domains targeting the same workers
- Exploit vulnerabilities in products newly deployed for the remote workforce
- Generate fear and confusion by attacking authoritative sources such as the World Health Organization, US Department of Health and Human Services, etc.
- Gain access to data from all of the above to launch data manipulation schemes, shaking confidence in outcomes of testing or other metrics-based results
For example, the following cyber attacks already have surfaced directly in relation to the COVID-19 crisis:
- APT Group attacks the World Health Organization https://www.reuters.com/article/us-health-coronavirus-who-hack-exclusive/exclusive-elite-hackers-target-who-as-coronavirus-cyberattacks-spike-idUSKBN21A3BN
- Additional attack on the WHO and Hospitals https://www.healthcareitnews.com/news/who-coronavirus-testing-lab-hit-hackers-opportunistic-attacks-ramp
- Fraudsters preying on the confusion and fear of the general public https://www.cnbc.com/2020/03/23/coronavirus-fraudsters-prey-on-fear-with-fake-products-email-scams.html
- Security risks associated with remote workers https://www.cnn.com/2020/03/20/tech/telework-security/index.html
Strengthening healthcare cybersecurity
True, we are in uncharted territory with COVID-19, but the security actions CISOs and security teams take now can ward off these highly organized hackers in this instance of distraction and chaos.
Overall, we must adopt a Zero Trust mentality, assuming that some level of incidents is imminent. Then the focus should turn to:
- CISOs and executive teams repeatedly communicating the risks associated with changing environments, since the human still represents the greatest vulnerability;
- Monitoring the external threat environment (e.g., network, social engineering, fake news, data exfiltration);
- Sharing events both seen on the network and professionally amongst industry peers;
- Escalating threat hunting;
- Coordinating daily communication with the Executive Team;
- Testing the security of remote access and workforce, including awareness to all and, in particular, to executives;
- Ensuring all remote access is leveraged through VPN and MFA;
- Fine-tuning detection of, or assigning a higher risk to, insider threats — both malicious and unintentional — given that there are more people working remotely right now;
- Making sure IT is paying attention to patching;
- Contacting trusted security vendors to determine their ability to assist should the company or organization experience a significant event (that is, assess where you are in their priority order);
- Monitoring State and Local EOCs for any changes that impact the ability of your team to perform their stated functions. This includes being empathetic to those who have personal commitments as caregivers or who are ill, to ensure their safety and well-being; and
- Placing on hold current projects that do not directly address network or endpoint security.
Collective Defense for healthcare
And there’s more. The U.S. Cyberspace Solarium Commission recently called for a collaborative approach to cybersecurity in general:
“The U.S. government and industry ... must arrive at a new social contract of shared responsibility to secure the nation in cyberspace. This ‘collective defense’ in cyberspace requires that the public and private sectors work from a place of truly shared situational awareness and that each leverages its unique comparative advantages for the common defense.”
We can answer this call to action now by adopting this Collective Defense stance across the healthcare sector, enhancing existing threat intelligence platforms and H-ISAC participation to detect unknown threats and sharing threat knowledge in real time.
Just as we take immediate and collective action with other kinds of disaster response, we must do the same in this particular moment of time. The silver lining will be stronger defense and greater resilience across the sector, no matter what event is driving the adversaries’ bold cyber offense.
See how IronNet is participating in the C5 Capital Cyber Alliance to Defend our Healthcare.