The Coronavirus (COVID-19) pandemic, and the concern it has created for the public and for healthcare providers in every state, gives cyber-criminals a ready-made lure. They exploit people's worries to trick them into opening phishing emails that deliver ransomware, give the attacker access to healthcare providers' systems, and expose individuals' personal information. Because the public is anxious to learn the latest information about COVID-19, some individuals have let their guard down with emails and attachments sent by cyber-criminals posing as high-level government agencies or medical research facilities, such as the National Institutes of Health (NIH), the Centers for Disease Control and Prevention (CDC), or the World Health Organization (WHO).
Attackers attach files labeled as "test results" or "special alerts" to their emails. Some of the fake messages are made to look like official letters and reports, complete with government logos, mailing addresses, phone numbers, and fax numbers, and warn about the COVID-19 threat to get the recipient to open the document. Another scheme imitates a message from the recipient's own employer and appears to contain internal information about the organization, again to get the recipient to open the email and release the malware. Cyber-criminals use all of these approaches to steal personal information or to gain access to, and control of, a computer system. (Robert Kusserow's March 18, 2020 Alert from Strategic Management Services)
Compliance Perspective
Failure to prevent cyber-criminals from taking advantage of the fears and concerns surrounding the COVID-19 pandemic may allow them to gain access to a healthcare provider's computer systems, lock out access to critical healthcare information, demand ransom payments, and steal the personal information of residents and staff. Ransomware that encrypts or exfiltrates protected health information is a security incident under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), may be treated as a violation of HIPAA's Privacy and Security Rules, and may trigger breach-notification obligations.
Discussion Points
- Review policies and procedures regarding HIPAA's Privacy and Security Rules, and confirm that email servers are configured to block attachments that are commonly used to deliver malware, including executables, macro-enabled documents, and zipped or other archive files whose contents cannot be inspected.
- Train staff to recognize schemes that use Coronavirus-themed communications, and stress the importance of not clicking on links or attachments in unexpected emails or responding to their requests for information.
- Periodically audit, for example with simulated phishing emails, to test whether staff understand the need to be on guard against these attacks, and follow up with additional training where the results show gaps.
FOR MORE INFORMATION ON THIS TOPIC: UNDERSTANDING AND PREVENTING RANSOMWARE, APTs, AND ZERO DAY EXPLOIT ATTACKS