Corporate Compliance Insights

COVID-19: Cybersecurity Risks for Health Care and Research Institutions are Heightened

Organizations on the Front Lines are at Greater Risk of Cyberattack

by Ivan Boatner
June 2, 2020
in Cybersecurity, Featured

Baker Donelson’s Ivan Boatner examines the increased threat of a cyberattack on COVID-19 health care providers, as well as the preventative measures the industry can take to mitigate the risk.

The health care industry and the research organizations searching for vaccines and improved treatment protocols are on the front lines of the battle against COVID-19. There are obvious inherent risks in treating COVID-19 patients and performing research on infectious diseases, exposure to the virus chief among them. A second risk, one the pandemic has exacerbated rather than created, is the threat of cyberattack against the providers and researchers doing that work.

The Cybersecurity and Infrastructure Security Agency (CISA), a component of the United States Department of Homeland Security (DHS), and the United Kingdom's National Cyber Security Centre (NCSC) recently issued a joint alert (Alert AA20-126A, May 5, 2020) warning that malicious cyber actors are targeting health care and other essential services involved in the COVID-19 response. According to the alert, health care providers, pharmaceutical companies, academia, medical research organizations and local governments face heightened risk. CISA and NCSC report observing advanced persistent threat (APT) actors scanning external websites and probing for known vulnerabilities in unpatched software, with unpatched VPN and remote-access appliances singled out as a favored entry point.

On May 13, 2020, the Federal Bureau of Investigation (FBI) and CISA issued a more specific warning to COVID-19-related research entities: malicious cyber actors associated with the People's Republic of China (PRC) have been observed targeting U.S. organizations conducting COVID-19-related research. The FBI and CISA announcement states that these "actors have been observed attempting to identify and illicitly obtain valuable intellectual property (IP) and public health data related to vaccines, treatments and testing from networks and personnel affiliated with COVID-19-related research."

The FBI and CISA announcement advises organizations engaged in COVID-19 research to "maintain dedicated cybersecurity and insider threat practices to prevent surreptitious review or theft of COVID-19-related material." Effective cybersecurity and insider threat policies and procedures were a necessity before the pandemic. They are even more critical now, particularly for organizations whose involvement in COVID-19 response or research has been covered by the media, since that coverage tells an adversary exactly where the valuable data sits. The time for heightened vigilance is now.

CISA and NCSC are actively investigating password spraying by APT actors against health care organizations. Password spraying is the mirror image of a conventional brute-force attack. Instead of trying many passwords against one account, which quickly trips account-lockout thresholds, the attacker tries a small number of commonly used passwords (a season and year, or the organization's name followed by digits, are typical choices) against a large list of accounts, often one attempt per account per lockout window, so that no single account ever exceeds the lockout limit. Across a large enough user population some accounts will be using one of those passwords, and a single success is all the attacker needs. With one set of valid credentials, the actor can authenticate to other systems where the same password is reused, enumerate the directory and move laterally to compromise additional users and systems.

The recent CISA and NCSC guidance recommends several preventive measures to reduce both the likelihood and the impact of a password spraying attack:

  • Review password policies to ensure they align with the latest NIST guidelines (SP 800-63B) and deter the use of easy-to-guess passwords, including the common patterns sprayed in these attacks.
  • Review IT helpdesk password management related to initial passwords, password resets for user lockouts and shared accounts.
  • Use additional assistance and tools to help detect and prevent password spray attacks. Per-account lockout alone will not catch spraying, because the attempts are spread across many accounts; detection has to correlate failures by source across accounts.
  • Require the use and protection of strong passwords.
  • Use multi-factor authentication (MFA).
  • Review MFA settings to ensure coverage over all active, internet-facing protocols. Legacy protocols that accept only a username and password (for example IMAP, POP3 and SMTP AUTH) bypass MFA entirely and are a favorite spraying target, so they should be disabled or restricted.
  • Implement an effective password administration system.
  • Update VPNs, network infrastructure devices and devices being used to remote into work environments with the latest software patches and configurations.
  • Protect the management interfaces of your critical operational systems.
  • Establish a security-monitoring capability.
  • Review and refresh your incident management processes.
  • Use modern systems and software.
  • Invest in preventing malware-based attacks.
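The detection logic a security-monitoring team would run against authentication logs for the pattern described above, as an added example that is not from the article or from the CISA/NCSC alert. It flags sources whose failed logins spread across many distinct accounts in a short window while staying below the per-account lockout threshold (the spray shape), contrasts that with the classic brute-force shape that lockout does catch, and reports any successful login from the spraying source, which is the "single compromise" the article warns about. The log format, field layout, thresholds and sample lines are all constructed for this illustration and are not any real product's format.

```python
"""Detect password spraying in authentication logs (illustrative example).

Spray signature: one source tries a few passwords against MANY accounts in a
short window, keeping per-account failures under the lockout threshold so no
single account trips an alert.  Brute force is the opposite shape: many
failures against ONE account, which per-account lockout already catches.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "timestamp event user src_ip" layout.
# 203.0.113.7 sprays six accounts then logs in as grace; 198.51.100.9 hammers
# one account; 192.0.2.44 is a normal user who mistyped once.
SAMPLE_LOG = """\
2020-05-13T08:00:01Z LOGIN_FAIL alice 203.0.113.7
2020-05-13T08:00:03Z LOGIN_FAIL bob 203.0.113.7
2020-05-13T08:00:05Z LOGIN_FAIL carol 203.0.113.7
2020-05-13T08:00:07Z LOGIN_FAIL dave 203.0.113.7
2020-05-13T08:00:09Z LOGIN_FAIL erin 203.0.113.7
2020-05-13T08:00:11Z LOGIN_FAIL frank 203.0.113.7
2020-05-13T08:00:13Z LOGIN_OK grace 203.0.113.7
2020-05-13T08:01:00Z LOGIN_FAIL alice 198.51.100.9
2020-05-13T08:01:02Z LOGIN_FAIL alice 198.51.100.9
2020-05-13T08:01:04Z LOGIN_FAIL alice 198.51.100.9
2020-05-13T08:01:06Z LOGIN_FAIL alice 198.51.100.9
2020-05-13T08:01:08Z LOGIN_FAIL alice 198.51.100.9
2020-05-13T08:01:10Z LOGIN_FAIL alice 198.51.100.9
2020-05-13T09:30:00Z LOGIN_FAIL bob 192.0.2.44
2020-05-13T09:31:00Z LOGIN_OK bob 192.0.2.44
"""


def parse_log(text):
    """Return a list of (timestamp, event, user, src_ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, src = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, user, src))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=3):
    """Map src_ip -> finding for sources whose failures hit >= min_accounts
    distinct users inside `window` with no user failing more than
    max_per_account times (i.e. the attacker stays under lockout)."""
    fails_by_src = defaultdict(list)
    for ts, event, user, src in events:
        if event == "LOGIN_FAIL":
            fails_by_src[src].append((ts, user))

    findings = {}
    for src, fails in fails_by_src.items():
        fails.sort()
        best = None
        for start in range(len(fails)):          # every window start
            per_user = defaultdict(int)
            for end in range(start, len(fails)):  # grow window forward
                if fails[end][0] - fails[start][0] > window:
                    break
                per_user[fails[end][1]] += 1
                if (len(per_user) >= min_accounts
                        and max(per_user.values()) <= max_per_account):
                    if best is None or len(per_user) > len(best["accounts"]):
                        best = {"accounts": sorted(per_user),
                                "first": fails[start][0], "last": fails[end][0]}
        if best is not None:
            # Any success from the spraying source after it started is the
            # "single compromise" that hands the attacker a valid credential.
            best["logins_after_spray"] = sorted(
                {u for ts, ev, u, s in events
                 if s == src and ev == "LOGIN_OK" and ts >= best["first"]})
            findings[src] = best
    return findings


def detect_bruteforce(events, window=timedelta(minutes=10), min_failures=5):
    """Contrast case: >= min_failures against ONE (src_ip, user) in `window`."""
    fails = defaultdict(list)
    for ts, event, user, src in events:
        if event == "LOGIN_FAIL":
            fails[(src, user)].append(ts)
    hits = set()
    for key, stamps in fails.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= min_failures:
                hits.add(key)
                break
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, f in detect_spray(evs).items():
        print(f"SPRAY from {src}: {len(f['accounts'])} accounts, "
              f"successes after spray: {f['logins_after_spray']}")
    for src, user in detect_bruteforce(evs):
        print(f"BRUTE FORCE from {src} against {user}")
```

Only 203.0.113.7 is reported as a spray (six accounts, one failure each, then a successful login as grace that should be treated as a probable compromise), while 198.51.100.9 shows up only in the brute-force detector. The thresholds are deliberately separate knobs: `max_per_account` should sit at or below your lockout policy, and `min_accounts` should be tuned against a baseline of normal failed-login fan-out from shared egress addresses such as VPN concentrators and NAT gateways, which otherwise generate false positives.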

Although not the focus of this article, the May 13, 2020, FBI and CISA announcement stresses the importance of insider threat programs in protecting an organization's systems. An insider threat program makes it more likely that users exhibiting unusual behavior or activity will be identified and their access suspended before data leaves the organization. CISA publishes separate guidance on building insider threat programs. Establishing such a program at a health care provider, university or other research institution engaged in COVID-19 response or research would have lasting benefits, protecting patients and intellectual property long after the threat of COVID-19 passes.


Tags: Coronavirus/COVID-19, cyber crime, health care

Ivan Boatner

Ivan Boatner is of counsel in Baker Donelson’s Knoxville and Washington, D.C. offices and is a member of the firm’s Government Enforcement and Investigations Group.
