Cybercrime Surge Seen During COVID-19 Pandemic

By: Chris Hayhurst

March 24, 2021


It’s time to give up on any lingering hope that healthcare’s cybercriminals might rest during COVID.

A growing number of reports from cybersecurity firms and other organizations show that cybercrimes, and especially ransomware attacks, have spiked in the industry since the pandemic began.

A recent sector analysis from CrowdStrike, for example, found the frequency of ransomware data-extortion attacks surged 580 percent over the course of 2020, from just five in the first three months of the year to 34 between last October and December. Another report, from Check Point Software Technologies, revealed a 45 percent increase in cyberattacks of all kinds between November 2020 and early 2021.

Last spring it was reported that Twisted Spider, the operators behind ransomware infections like Maze and Egregor, had promised not to attack healthcare organizations as they struggled to contain the coronavirus. Other hackers offered similar assurances, in some cases even suggesting they always steered clear of essential health services where lives were at stake. Few experts took those statements at face value, with most assuming it was only a matter of time before cybercrime groups returned to business as usual. The CrowdStrike analysis, and many others like it, now show those skeptics were right.

Twisted Spider, according to CrowdStrike, was responsible for at least 26 successful healthcare ransomware attacks in 2020. These and similar intrusions, and their worrying rates of success, eventually led the FBI, the Department of Health and Human Services (HHS), and the Cybersecurity and Infrastructure Security Agency (CISA) to coauthor a Joint Cybersecurity Advisory on the subject.

That report, released on October 28, focused on the malware programs TrickBot and BazarLoader, which operators spread via phishing campaigns containing links to malicious websites. But these were hardly the only threats healthcare systems had to deal with as the pandemic’s one-year anniversary neared. Among the hospitals and health systems in the United States that ultimately fell victim to cyberattacks in 2020 were the University of Vermont Medical Center, Magellan Health, and Universal Health Services, which reportedly lost $67 million as a result of a September ransomware incident.

Risks and Recommendations

According to Axel Wirth, chief security strategist with MedCrypt, the CrowdStrike findings show that cybercriminals have identified healthcare as an industry offering a high return on investment. That, combined with the realities of the pandemic, has made the sector an irresistible target for exploitation.

Ransomware attackers in particular, Wirth notes, “have preyed on the pressure the healthcare system is under, which has allowed them to increase ransom payments while also increasing the likelihood that affected organizations will give in to demand.” Concerningly, he adds, there’s evidence that cyber adversaries are reinvesting a portion of their growing profits, using them to develop better hacking tools that may make them even more effective.

Wirth points to the fact that many health systems have “put security on the back burner” as they’ve diverted budgets to focus on fighting the pandemic. This effort, as successful as it’s been, has increased the attack surface for cybercriminals, who now have overflow clinics, new testing and vaccination sites, and remote-work and telehealth technologies to add to their list of potential targets.

Michelle Jump, global regulatory advisor at MedSec, agrees with Wirth that healthcare may have unintentionally let its guard down in its response to COVID. As regulations were softened to allow for more virtual visits, and as more hospital staff started working from home, the industry became more vulnerable, Jump says. “We saw a lot more people working outside the trust zone of their normal workspace. It was a situation that was just ripe for attack.”

Moving forward, Wirth and Jump agree, there are a number of things organizations can do right away to better protect themselves from cyberattacks. Jump, for her part, says she’s seen increased interest in network monitoring tools that can help identify potential risks, and in data-backup systems that would make data-extortion attacks less impactful. And Wirth suggests focusing on what he describes as the three components of a good security posture: people, processes, and technology. An underinvestment in any one of these three areas “can’t be compensated for via the other two,” he says.

Wirth also recommends that health systems take a “top-down” approach to their cybersecurity programs. “Executive management needs to lead on cybersecurity and make it a priority for corporate culture and budgets,” he says.

And finally, Wirth says, it could be helpful for organizations to learn to “think like an attacker … to understand the attackers’ economic and political motivation, and to match that against how they will view your organization as an opportunity.” Consider the value of your organization’s assets, he suggests, and “think about how that could be exploited and what you need to do to reduce risk.”