Beyond the virus


The flow of COVID-19 related information has long reached the stage of a deafening roar, and at this point many of us are likely tuning it out, or have become numb to the throbbing. Tuning it out doesn’t stop the virus, nor the cyber-incidents that are spreading just as rapidly. Since we can’t stop the spread of the virus itself, let’s look at the cyber attacks.

The cyber attacks we’re seeing are targeted, sophisticated, and effective. They’re being perpetrated by Advanced Persistent Threat (APT) actors who have not been named. We know from past APT activity, however, that such groups are typically run by nation states. The threat is active and real enough that last week agencies from the US and the UK (Homeland Security’s CISA and the UK’s NCSC) issued a joint alert.

One of the key takeaways from that report is the importance of strong and unique passwords. A common tactic at present is an attack known as password spraying. This is a brute force attack in which a few common passwords are tested against thousands of email addresses. It is effective because each individual account sees only one or two failed attempts, so the attack never triggers the lockouts that multiple, rapid, failed login attempts against a single account would. The defense against this is simple (albeit a pain if you aren’t using a password manager) – use a complex and unique password at each site, and enable two factor authentication if it’s offered. Since last Thursday was World Password Day (yes, that’s a thing), now would be a good time to change your simple and common passwords.
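As an added illustration (not part of the original post) of why spraying slips past per-account lockouts and how a defender can still spot it, the Python below runs a simple detection over constructed failed-login records: it flags a source that fails against many distinct accounts while keeping each account below the lockout threshold, and leaves a single-account brute force, which lockouts already handle, unflagged. The log format, the sample addresses and the thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample failed-login records (hypothetical format, not from any real system):
# "<ISO timestamp> FAIL user=<account> src=<source IP>"
SAMPLE_LOG = """\
2020-05-11T09:00:01 FAIL user=alice@example.com src=203.0.113.5
2020-05-11T09:00:31 FAIL user=bob@example.com src=203.0.113.5
2020-05-11T09:01:02 FAIL user=carol@example.com src=203.0.113.5
2020-05-11T09:01:33 FAIL user=dave@example.com src=203.0.113.5
2020-05-11T09:02:04 FAIL user=erin@example.com src=203.0.113.5
2020-05-11T09:10:00 FAIL user=grace@example.com src=198.51.100.7
2020-05-11T09:10:01 FAIL user=grace@example.com src=198.51.100.7
2020-05-11T09:10:02 FAIL user=grace@example.com src=198.51.100.7
2020-05-11T09:10:03 FAIL user=grace@example.com src=198.51.100.7
2020-05-11T09:10:04 FAIL user=grace@example.com src=198.51.100.7
2020-05-11T09:20:00 FAIL user=heidi@example.com src=192.0.2.9
"""
LINE_RE = re.compile(r"^(\S+) FAIL user=(\S+) src=(\S+)$")

def parse_failures(text):
    """Parse records into sorted (timestamp, account, source) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return sorted(events)

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, lockout_threshold=5):
    """Flag sources that fail against >= min_accounts distinct accounts inside `window`
    while staying under lockout_threshold failures on every single account: wide across
    accounts, shallow per account, which is exactly what a per-account lockout never sees."""
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))
    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window start forward
                start += 1
            per_account = Counter(u for _, u in evs[start:end + 1])
            if len(per_account) >= min_accounts and max(per_account.values()) < lockout_threshold:
                alerts[src] = sorted(per_account)
                break
    return alerts

if __name__ == "__main__":
    for src, accounts in detect_spray(parse_failures(SAMPLE_LOG)).items():
        print(f"possible password spray from {src}: {len(accounts)} accounts, e.g. {accounts[:3]}")
```

The five rapid failures against grace@example.com are a classic single-account brute force that a lockout policy catches on its own, so the detector deliberately ignores that shape and reports only the spray from 203.0.113.5.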

The second way you can protect yourself is to be on the lookout for Business Email Compromise (BEC) attacks. These have spiked dramatically recently, in part because we’re working from home. These attacks are seeking to re-route money – wire transfers, payroll checks, etc. Hackers will get onto your network, monitor your emails, and lie in wait for an opportunity to strike. When they strike, they create rules in your email system to reroute emails and replace them with fake ones. Sometimes they’ll use a misspelled name or company in the email address. In fact, if you’re paying attention to that alone, you’ll thwart the majority of BEC attacks. Particularly when money is involved, use phone verifications, but also look closely at the email address of the sender.

Finally, a comment about this crisis. I find it sadly ironic that the actions taken to save our healthcare system from being overwhelmed have instead resulted in pushing that same healthcare system to the brink of bankruptcy.

Many of our readers work in long term care and skilled nursing facilities. We know how difficult this time has been for you, your families, your residents, and their families. Our thoughts and prayers are with all of you as we hope to soon turn the corner on this virus and regain a semblance of our prior lives back.

Your mother was right all along – wash your hands. Happy Mother’s Day to all of our beloved mothers.

If you have any questions or if you are concerned about your organization’s cybersecurity, give us a call at (800) 970-0402. We’ll be happy to help.

For more HIPAA information, download our ebook – The Ultimate HIPAA Compliance Handbook.

The HIPAA Security Rule requires the implementation of a security awareness and training program for all members of an organization’s workforce (including management). Have your team sign up for our weekly HIPAA Security Reminder to help stay compliant.