A large, highly coordinated series of cyber attacks is targeting the healthcare sector. These campaigns target both healthcare information technology and healthcare workers. One of the most capable vectors for these attacks is the use of disinformation. Aside from potentially creating operational disruptions, disinformation campaigns may create fear, uncertainty, and doubt (FUD) in your teams, colleagues, and family members. Further, the disinformation sources may be used as enticements, ultimately leading to the download of malware or other threats.
Two tools have been developed by NewsGuard, which we believe could be essential additions to your defensive toolset. We recommend you consider using these tools to reduce the risks associated with cyber disinformation campaigns.
NewsGuard COVID-19 Misinformation Tracking Center - This is an extremely easy-to-use and comprehensive resource that should be embraced by I.T., I.T. Security, Compliance, and User Education Teams. You can access the tracking center here: https://www.newsguardtech.com/covid-19-resources/.
NewsGuard COVID-19 Browser Plugin – This plugin is simple to install and provides end-users with a virtual "second set of eyes" that can alert them when interacting with sources of disinformation. The tool is available here: https://www.newsguardtech.com/free.
The tracking center and plugin are free, and we believe they are an essential set of resources in your cybersecurity defensive strategy.
The Sensato ISAO was informed by the Healthcare Sector Coordinating Council (HSCC) and the Department of Homeland Security (DHS) Cybersecurity & Infrastructure Security Agency (CISA) of an extreme increase in cyber-attacks against the healthcare sector. These attacks include phishing attacks, attacks executed by text messaging to individual cell phones, ransomware attacks, and attacks against VPN and telehealth systems. These attacks can disrupt operations and cause misinformation that, in some cases, could impact patient safety.
The U.S. CERT alert has a non-exhaustive list of indicators of compromise (IOCs), including domains, I.P. addresses, and other indicators. You should make sure that your systems immediately utilize these IOCs.
Education – Take time to advise your teams of these increased threats. The threats utilize incredibly well-crafted social engineering methods, including text messages. One attack via text was related to payroll payments and included a link. The user who clicked the link on the phone then became compromised after receiving the message "due to high demand, our system cannot respond at this time." You should advise users not to interact with any COVID-19 requests for donations, messages, or websites, regardless of the medium (e-Mail, Phone, Push Notification, Social Media).
End-Points – If users are working from home, you should ensure their systems are protected even if you are using VDI technology.
VPN Patching - Ensure that you apply all patches to your VPN software for both clients and servers. Also ensure that the underlying operating system is patched, including all "low" risk patches.
Mobile Device Security - Ensure that end-users minimize the use of mobile devices accessing VPN or portals connected to hospital networks. If this is not possible due to telehealth initiatives, ask mobile device users to ensure they have the latest operating system software. Android users should deploy anti-virus software, such as McAfee, and only access apps from the Google Play Store and no other source.
E-Mail Safe words - We highly recommend that, in coordination with your Executive Team and Office of Emergency Management (OEM), you add a "safe word" to all official communication coming from Executives, OEM, I.T. Security, and Helpdesk. The safe word can be one of your choosing. For example, we used "TACALERT:" in the subject line, followed by the subject. Advise users that if they do not see the "safe word" (in this case, TACALERT), the message is not an official communication. You can change the safe word and advise users not to share this with those outside your organization. This approach is a simple but highly effective means of combating COVID-19 phishing attacks.
Vulnerability Assessment – Conduct a vulnerability assessment of your VPN and telehealth systems as soon as possible. Remediating the vulnerabilities listed in the vulnerability scan will help reduce the growing risk of threats and successful attacks. Identifying and mapping every asset across all computing environments, understanding the cyber exposure of each asset, and understanding the context needed to prioritize remediation will help determine which exposures to mitigate first. Assessments will also ensure you can calculate, compare, and communicate cyber exposure and maturity metrics to help reduce risk.
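The E-Mail Safe words recommendation above can also be checked automatically at the mail gateway. The following Python sketch is an added example, not Sensato's own tooling; the domain hospital.example, the display-name list, and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr

SAFE_WORD = "TACALERT:"               # example safe word from the text above
INTERNAL_DOMAIN = "hospital.example"  # assumption: your organization's mail domain
# Assumption: display-name fragments used by the official senders listed above.
OFFICIAL_NAMES = ("executive", "emergency management", "security", "helpdesk")

def classify(raw: str) -> str:
    """Triage one raw message by safe word, sender domain and display name."""
    msg = message_from_string(raw, policy=policy.default)
    # policy.default decodes RFC 2047 encoded-words, so an encoded subject
    # cannot hide (or fake) the safe word from the comparison below.
    subject = str(msg["Subject"] or "").strip()
    display, addr = parseaddr(str(msg["From"] or ""))
    # Assumption: the gateway has already authenticated the From domain
    # (SPF/DKIM/DMARC); an unauthenticated From header proves nothing.
    internal = addr.lower().endswith("@" + INTERNAL_DOMAIN)
    has_word = subject.startswith(SAFE_WORD)
    claims_official = any(n in display.lower() for n in OFFICIAL_NAMES)
    if has_word and internal:
        return "official"
    if has_word:
        return "safe-word-external"   # safe word has leaked: rotate it
    if claims_official:
        return "missing-safe-word"    # poses as official, lacks the safe word
    return "normal"

def make(sender: str, subject: str) -> str:
    """Build a minimal raw message for the constructed samples."""
    return f"From: {sender}\nTo: staff@hospital.example\nSubject: {subject}\n\nbody\n"

# Constructed sample messages (not real traffic).
SAMPLES = [
    make('"IT Security" <itsec@hospital.example>',
         "=?utf-8?q?TACALERT=3A_VPN_patch_tonight?="),
    make('"Helpdesk" <support@helpdesk-portal.example>', "Payroll payment update"),
    make('"Office of Emergency Management" <oem@mail.example>',
         "TACALERT: COVID-19 donation request"),
    make('"Jane Doe" <jane@hospital.example>', "Lunch on Friday"),
]

def triage(messages):
    return [classify(m) for m in messages]

if __name__ == "__main__":
    for verdict in triage(SAMPLES):
        print(verdict)
```

A "safe-word-external" verdict means the safe word is known outside the organization, which is the cue to change it as the recommendation describes.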