As the COVID-19 pandemic took hold across the United States, life changed for millions of Americans. Social distancing, lockdown orders, quarantines and remote work became the norm. What many thought were going to be temporary adjustments in their daily routines have turned into the “new normal.” Organizations’ business continuity plans that typically focused on short-term disruptions to business—hurricane, power outage, fire etc.—are being fully exercised, and new chapters are being added as workforces continue long-term telework arrangements in an effort to contain the spread of the coronavirus. New remote access services have been applied quickly, and healthcare practices have accelerated the implementation of telehealth services.
In keeping with the adage “Never let a good crisis go to waste,” cyberthreat actors are attempting to capitalize on the global concern over the novel coronavirus by crafting phishing and malware-laden emails. These emails are sent in an attempt to direct recipients to malicious websites or to deliver malware, and to push the recipients to reveal sensitive information or donate to fraudulent causes.
Additionally, there has been a significant increase in attacks and reconnaissance activity against organizations’ networks, systems and web applications—in particular, in the healthcare sector. One notable example of this malicious activity is highlighted by the recent announcement by the U.S. Department of Justice of charges against two Chinese nationals for their roles in a global computer intrusion campaign targeting intellectual property and confidential business information, including COVID-19 research.¹
The following provides some best practices for mitigating cybersecurity risks that have been introduced or aggravated as a result of operating in this new normal.
Email continues to be the number one threat vector, as hacking a human is easier than hacking a computer. The thirst for solid information regarding all aspects of COVID-19 continues as new information and findings are produced daily. As a result, individuals are likely to open unsolicited emails, click on links or even open attachments with COVID-19 themes. Threat actors prey on this normal human behavior.
Since March 2020, the number of ransomware infections resulting in disruptive operational impacts and significant financial losses has increased. Often, the infection vector is a malicious email attachment or link that a recipient opened or clicked. To combat these email attacks, consider the following email security best practices:
- Be cautious with all emails you receive, even from seemingly legitimate senders, including business associates, co-workers, friends and family. Malicious actors often use advanced techniques to make emails appear to originate from senders you recognize.
- Ensure an email’s “sender name” corresponds to the correct email address to identify common email spoofing tactics.
- Avoid opening emails, downloading attachments or clicking on suspicious links sent from unknown or untrusted sources.
- Verify unexpected attachments or links from known senders by contacting them via another method of communication.
- Be skeptical of emails written with a sense of urgency and requesting an immediate response.
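As an added illustration (not part of the original article), the following Python script applies the “sender name” check above to a few constructed From: header values: it flags a display name that shows a different address than the real sender, a look-alike domain, and a trusted domain used as a subdomain of an attacker-controlled one. The trusted domain and all sample headers are assumptions for the example.

```python
import re

# Assumption for the example: the organization's legitimate sending domain(s).
TRUSTED_DOMAINS = {"example-hospital.org"}

# Constructed sample From: header values (not real messages).
SAMPLE_FROM_HEADERS = [
    "Dr. Jane Roe <jane.roe@example-hospital.org>",                 # legitimate
    "jane.roe@example-hospital.org <updates@mail-alerts.example>",  # address in display name
    "IT Helpdesk <helpdesk@example-hospita1.org>",                  # look-alike domain (1 for l)
    "COVID-19 Updates <alerts@example-hospital.org.evil.example>",  # trusted name as subdomain
]

EMBEDDED_ADDRESS = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def split_from(value):
    """Split 'Display Name <user@host>' into (display, address); a bare address has no display."""
    match = re.match(r'^\s*(?P<name>.*?)\s*<(?P<addr>[^<>]+)>\s*$', value)
    if match:
        return match.group("name").strip('" '), match.group("addr").strip()
    return "", value.strip()


def normalize(domain):
    """Collapse common digit/letter look-alikes so 'hospita1' compares equal to 'hospital'."""
    return domain.lower().replace("1", "l").replace("0", "o").replace("rn", "m")


def spoof_indicators(from_value):
    """Return the spoofing indicators found in one From: header value (empty list = none)."""
    display, address = split_from(from_value)
    if "@" not in address:
        return ["unparseable sender address"]
    domain = address.rsplit("@", 1)[1].lower()
    found = []
    embedded = EMBEDDED_ADDRESS.search(display)
    if embedded and embedded.group(0).lower() != address.lower():
        found.append("display name shows a different address than the real sender")
    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if domain.startswith(trusted + "."):
                found.append(f"trusted domain {trusted} used as a subdomain of {domain}")
            elif normalize(domain) == normalize(trusted):
                found.append(f"{domain} is a look-alike of trusted domain {trusted}")
    return found


def triage(headers):
    """Map each From: header value to its indicator list for review."""
    return {header: spoof_indicators(header) for header in headers}


if __name__ == "__main__":
    for header, hits in triage(SAMPLE_FROM_HEADERS).items():
        print(f"{'SUSPICIOUS' if hits else 'ok        '}  {header}  {hits}")
```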
Telework Program Fundamentals
At many organizations, telework programs have been in place for years—whether as part of the organizations’ everyday work programs or as a component of their business continuity plans. For those organizations, policies, educational programs, technologies and support services for the remote workforce are well established.
However, organizations for which teleworking is new have some security work to do. Defining expectations is a good starting point. Start with a policy that addresses the scope of the telework program and establishes roles and responsibilities, eligibility to telework (not all jobs can be performed remotely), work hours and paid time off, the suitability of the alternate workplace and its related safety requirements, responsibility for equipment and supplies, operating costs and expenses, and requirements for physical and information security.
In traditional network virtual private networks (VPNs), individuals use VPN client software to establish a secure connection to an organization’s internal network. However, not all remote users need access to the internal network; often all they really need is remote access to a web application hosted within the organization’s network. Organizations should consider providing access to internal web applications via a portal through which remote users can authenticate. Similarly, SaaS applications hosted in the cloud and virtualized applications hosted on premises are often good options for limiting remote users’ access to only what they need. Organizations should scope VPN access accordingly to ensure the principle of least privilege is maintained.
Regardless of what remote access method you offer, multifactor authentication (MFA) should be mandatory. If you allow remote devices to connect to your internal network, consider implementing a Network Access Control (NAC) solution and ensure remote network access is monitored.
Organization-owned vs. Personal Devices
Many SaaS and virtualized applications may be securely accessed by remote users using their personal devices if certain security controls are implemented. Again, MFA should be mandatory for remote access to any application, network or service your organization provides to teleworkers.
In addition, organizations should implement controls to ensure sensitive files and information are not downloaded or stored on personal devices or personal cloud storage services. Sensitive data should be stored only on organizationally controlled devices or authorized cloud storage services. Cloud service providers often offer conditional access controls to prevent data from being downloaded to unauthorized devices. IT departments should enforce these controls. For cloud services that do not provide the option to restrict the download of sensitive data, organizations should implement a Cloud Access Security Broker (CASB) solution that provides these security controls.
Regardless of whether devices are personally or organizationally owned, they are exposed to numerous risks when connecting to networks that are not controlled by the organization. Thus, implementing strong security controls is paramount. They include controls that lock down the device—strong authentication, hardening the operating system and applying the principle of least functionality to limit the services, ports and protocols to only those that are necessary.
Protective technologies should be implemented, including antivirus and antimalware software, endpoint detection and response software, web content filtering software, host-based firewalls, device and file encryption, and the latest security patches.
With a remote workforce, IT departments must meet the challenges of providing support, pushing security updates and providing continuous monitoring and incident reporting and response services for remote devices and users.
Video Teleconference (VTC) Security
To enable communications with remote workers, organizations have turned to conference calling services and video teleconference services and apps. These services provide a common dial-in number and conference code for employees to connect to a call. The services also provide a special host code for the organizer of the conference call to use. The host code should not be shared with anyone, as it could allow unauthorized individuals to gain access to confidential conference calls or even set up their own conference calls, thus running up unauthorized charges. In addition, before discussing any confidential or sensitive information, conference call hosts should confirm that all callers who have dialed in to the call are invited attendees.
It is one thing to be scammed, but telehealth breaches can result in much more serious impacts on patient care and health. Therefore, all of the best practices above are applicable to healthcare professionals and patients when they use telehealth services. Additional layers of protection should be implemented commensurate with the risk and the impacts should a breach occur.
Organizations using telehealth services should implement advanced controls, including identity proofing and multifactor authentication, to verify that the people logging into the system are legitimate healthcare professionals and patients.
The organization must ensure that there is end-to-end encryption employing strong cryptography to protect communications in transit and data at rest.
For healthcare practices: Before procuring a telehealth platform or service, organizations should obtain references and require independent audits of the service’s cybersecurity controls.
For patients: Just as you would question any treatment plan, do not hesitate to question your healthcare provider about their telehealth safeguards.
Just like brushing your teeth will help prevent tooth decay, and washing your hands will help prevent contracting a virus, practicing good cyber hygiene is essential to mitigating cybersecurity risks. Each day, new vulnerabilities are found in software and hardware, and vendors provide security patches and updates to remediate those vulnerabilities.
Since the coronavirus outbreak, a number of critical vulnerabilities have been found and exploited by threat actors. Thus, it is essential to apply patches and updates as soon as possible after they are released and to use only vendor-supported software and hardware.
Whether the information you receive is sent via email, text message, social media or the web, be aware that the amount of misinformation and fake news propagated via these media continues to increase. This misinformation includes conspiracy theories related to the causes of the virus and fraudulent information about vaccines, treatments, cures etc. Individuals are advised not to believe everything they read on the Internet and instead, rely on reputable sources for information, not only about COVID-19 but also all topics of interest.
The New Jersey Office of Homeland Security and Preparedness has published a fact sheet to help the public distinguish between facts and rumors or disinformation regarding the novel coronavirus, SARS-CoV-2, that causes COVID-19. Readers can access this page at: www.njhomelandsecurity.gov/covid19.
Users are the first line of defense against any cyber threats. Whether you’re an individual, a medical practice owner or an employee of an organization, being aware of the latest threats, trends and best practices to protect you and your systems is critical. In 2015, the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) was established as the central State civilian interface for coordinating cybersecurity information sharing, performing cybersecurity threat analysis and promoting shared and real-time situational awareness between and among the public and private sectors. More information about the NJCCIC’s services and cybersecurity best practices can be found on the NJCCIC website at www.cyber.nj.gov.