Healthcare cybersecurity during the COVID-19 pandemic: a threat too important to forget

A laptop depicting cybersecurity
By Saira Ghafur, Guy Martin, Niki O’Brien, Ivor Williams, Kelsey Flott and Ara Darzi, Institute of Global Health Innovation

As the global healthcare community has been consumed with managing the COVID-19 pandemic, a wave of cyber-attacks against healthcare organisations has emerged. Cybercriminals and hackers are upping the ante in creating more havoc and exploiting the fear and confusion that the COVID-19 pandemic has brought with it. The threat is global: Interpol even issued a warning signalling the need for healthcare organisations to be vigilant and aware of the heightened risk of cyber-attacks.

Increasing cybersecurity threats and their types

Organisations across health, social care and local government are experiencing increased cyber threats related to COVID-19; the scope of which has been varied. Phishing attacks, emails disguised as from a genuine source with the aim of tricking recipients into providing personal details or clicking on a link allowing attackers to steal credentials, have increased since the pandemic began. In a widely reported phishing attack, criminals disguised themselves as the World Health Organization (WHO) via email to steal money or sensitive information. The frequency of this style of attack has prompted the WHO to introduce new measures for warning potential victims.

Similarly, the well-known Johns Hopkins University COVID-19 tracking map was replicated by attackers on another domain to spread information-stealing malware. The distribution of malware (‘malicious software’) can be installed to steal, encrypt or delete data, or monitor and control the device. This makes such attacks a major threat to health and social care institutions.

In response to these attacks, the National Cyber Security Centre (NCSC) in the United Kingdom and the Cybersecurity and Infrastructure Security Agency (CISA) at the United States Department of Homeland Security (DHS) have jointly released advice. The NCSC report that they have found 555 malware distribution sites and 200 phishing sites associated with COVID-196, resulting in the launch of a central reporting service asking the public to report any dubious emails to report@phishing.gov.uk.

What are the main threats to healthcare during this pandemic?

There is a huge range of challenges that healthcare organisations are facing from a cybersecurity perspective. And certain factors make the health and social care systems more vulnerable during the COVID-19 crisis.

Healthcare staff have been redeployed within existing organisations or externally to help respond to the pandemic. This movement leads to risk in terms of maintaining adequate access controls to IT systems, and also in accidental errors due to working with unfamiliar systems. Staff may also be sharing passwords and smart cards in order to access systems to deliver safe patient care, leading to increased risks.

There has been a rapid introduction of new digital solutions to ensure that patients still have access to care. All new technologies have inherent risks of compromising systems. The video conferencing platform, Zoom, has seen a significant rise in users since the outset of the pandemic. But the increased traffic has also drawn attention to a number of security flaws that makes the platform vulnerable to attack by hackers.

Day-to-day cyber risks are likely pushed down the priority list. But it is essential that they not be forgotten. In the UK, Matthew Gould, NHSX CEO, delayed the requirements for frontline healthcare organisations to complete their Data Security and Protection Toolkit returns until later in 2020, so that teams can rightly focus on delivering essential cybersecurity services.

How can any potential cyber threats be mitigated?

Healthcare providers need to have adequately secured backup systems for internal and remote systems and devices. They must also ensure that an incident response and recovery plan is both in place and tested. There need to be contingency plans in place for organisations to manage business as usual and how to plan for a cyber-disaster response. The pressure on IT teams is increasing and there have been some examples of private sector security companies offering help to healthcare organisations and other critical sectors to provide additional capacity.

It is crucial that healthcare cybersecurity takes a pragmatic risk-based approach. Remote patient care needs to be enabled at scale and at pace. For rapid deployment of remote tools, it is imperative to ensure security is considered and tested throughout system development and operation. Every remote access system needs to be properly risk assessed, both from a business and technical standpoint to address any vulnerabilities.

Education for all healthcare staff

Anyone with access to patient records is a custodian of that data and should be aware of the following:

A cyber security infographic
Credit: Ivor Williams

Cybersecurity: More than an IT issue

Unfortunately, during this global health crisis, healthcare has been an attractive target for cybercriminals who have exploited the COVID-19 pandemic for their own objectives. As countries around the world seek to rapidly develop COVID-19 contact-tracing apps and introduce new digital systems to deliver patient care, security and privacy concerns must be accounted for from the outset.

Cybersecurity is a patient safety issue and needs to be considered by every member of the health and social care community as we respond to the pandemic.