Hospitals said to tighten email security in response to CEO spear phishing attempts
Some hospitals in Massachusetts reportedly received emails this past week claiming to be from the U.S. Department of Health and Human Services and seeking information about COVID-19 statistics – raising fears about spear phishing attempts aimed at top executives.
According to a report in the Boston Business Journal, UMass Memorial Health Care CEO Dr. Eric Dickson, Holyoke Medical Center CEO Spiros Hatiras and Signature Healthcare CEO Kim Hollon, among others, said they or staff members received such messages, triggering tighter email security protocols throughout the systems.
The suspicious emails came alongside warnings from the FBI, the HHS and the Cybersecurity and Infrastructure Security Agency about ramped-up attacks against the U.S. healthcare sector.
"Threats against the U.S. healthcare system continue to be a long-running issue, made undoubtedly worse as the COVID-19 pandemic's spread continues," said Kelvin Coleman, executive director at the National Cyber Security Alliance, in a statement to Healthcare IT News.
WHY IT MATTERS
In response to the messages and to the warning from the FBI, hospitals pivoted to increase security around emails. UMass Memorial placed inhibitors on any external links, along with sending protocols regarding scrubbing external emails, the Boston Business Journal reported.
Other hospitals had already ramped up filtering on external emails or blocked them altogether. Holyoke Medical Center temporarily shut down its email system entirely on Thursday, giving IT security teams time to comb through messages for potentially dangerous attachments.
"Now we sequester all attachments, and they have to be checked before we open them," Hatiras told the Boston Business Journal. "It's a bit inconvenient, but it keeps us safe."
Although it's not clear who was behind this round of phishing emails, additional reporting from Slate notes that cyberattack campaigns that rely on Ryuk – the ransomware that appeared to take hundreds of Universal Health Services facilities offline in September – often contain links to Google Drive documents. By opening and "enabling" the documents, the victims then download malware.
"When combined with spam and phishing filters on company email systems, the majority of these attacks can be stopped before they start," said Topher Tebow, cybersecurity analyst at Necronis, in a statement to Healthcare IT News.
"Nevertheless, the timing of this wave of attacks couldn't be worse, as many places are going into their second or third wave of COVID-19 infections," Tebow continued.
THE LARGER TREND
The fall has seen a wave of cybercrime aimed at health systems across the country. In addition to the Universal Health Services attack, hospitals in New York, Oregon and Vermont have reported being targeted.
Experts say that, ideally, robust prevention practices in conjunction with employee training will keep systems safe. But there are a number of ways hospitals can respond to a cyber-crisis, including through documentation, containment and data backups.
"While there is no way to totally prevent the threat of ransomware, organizations can stop ransomware attempts from impacting their business by implementing a multilayered security approach to thwart future threats," said Anthony Chadd, senior vice president of security business development at Neustar.
The stakes are high. In September, a German woman died after a hospital's files were encrypted. The incident is believed to be the first ransomware-linked fatality.
ON THE RECORD
"In terms of best practices, effective security policies, training road maps for IT teams and the integration of proactive cybersecurity education initiatives into the public health workplace culture are all incredibly important for keeping threats at bay," said the NCSA's Coleman.
"Addressing the specific threat of ransomware, it's essential for facilities to regularly create backups of critical systems and files, and to house those offline from the network," he added.
"Simultaneously, healthcare and public health facilities should also be vigilant about upgrading and updating their legacy hardware and software, ensuring that all connected devices and applications have multi-factor authentication enabled, and that employees know how to identify and avoid malicious email links and attachments from possible phishing scams targeting their workforce."