Are Academic Healthcare Systems Top COVID-19 Attack Targets?University of California San Francisco Among Those Reportedly Hit by Ransomware
Educational institutions and healthcare sector entities both have been favorite targets of hackers during the coronavirus pandemic - but academic healthcare systems involved with COVID-19 research appear to be in the bullseye. Among the latest institutions reportedly hit is the University of California San Francisco.
See Also: Top 50 Security Threats
UCSF last week reportedly confirmed that it was a target of an "illegal intrusion," according to news outlet Bloomberg, which noted that the university declined to comment on the parts of its network impacted.
However, hackers from the ransomware group Netwalker on a dark website claimed credit for the UCSF attack, which appears to have involved files related to the university's various COVID-19 research work, Bloomberg reported.
UCSF did not immediately respond to an Information Security Media Group request for information about the reported cyberattack or the institution's COVID-19 activities. UCSF operates a medical center, children's hospital, dental center, as well as a large physician network. The institution's COVID-19-related activities reportedly range from antibody testing to clinical research for treatments.
The apparent incident at UCSF comes amid reports on spike in attacks - as well as attempted attacks - on universities and healthcare systems during the COVID-19 pandemic - and especially on academic healthcare organizations involved with coronavirus vaccination and treatment related work.
For instance, in March, EDA2 - an open source ransomware variant - targeted a Canadian government health organization that is engaged in the COVID-19 response efforts as well as Canadian universities that are conducting COVID-19 research (see Fresh COVID-19 Phishing Scams Try to Spread Malware: Report).
In the meantime, national security authorities and law enforcement agencies in the U.S., Canada U.K. have issued various warnings about attacks on research institutions and healthcare entities involved in COVID-19 research.
Last month the FBI and Cybersecurity and Infrastructure Security Agency issued an alert that hacking group linked with China's government were targeting U.S. research facilities and healthcare organizations that are conducting vaccines trials and testing treatments for COVID-19 (see U.S. Says China-Linked Hackers Targeting COVID-19 Researchers).
Universities, healthcare entities and especially academic healthcare systems have always been a target for intellectual property theft, but attacks and attempts on these organizations during COVID-19 are significantly spiking with COVID-19, says former healthcare CIO David Finn, an executive vice president at security consultancy CynergisTek.
"This should not have been a surprise to anyone - there have been warnings before and during the COVID-19 pandemic about this shift. Chaos is a friend of the attacker, and so what better time to unleash new threats, new attacks on a radically expanded attack surface with so much valuable intellectual property on the line," he says.
"Who wouldn't want to find the treatment or cure for coronavirus, particularly if you didn't have to do any work to produce it except steal it? You could jumpstart your own research or just sell it," he says.
Healthcare systems in general have been more of a target for the last several years, notes Cathie Brown, vice president of professional services at privacy and security consultancy Clearwater.
However, academic medical systems are typically more at risk because of the research and university elements of their environments, she says.
"Security is more complex for them because there is a need to maintain separate and disparate networks between the hospital/healthcare side and the research/academic side. With complexity comes the need for more highly skilled security resources. Non-academic healthcare systems have the benefit of being able to standardize security across the environment."
While Phil Curran, chief information assurance and privacy officer at Cooper University Health Care in Camden, New Jersey, agrees that university healthcare systems involved with COVID-19 research are more at risk for being targeted, but are not necessarily more vulnerable to these attacks than non-academic healthcare organizations or other institutions.
"We continue to see reports that any institution conducting COVID-19 research is being or will be targeted not only by hacking groups but also by nation-states - for example, China and Russia," he notes. "Creating a vaccine is going to be lucrative business so whomever is on the forefront ... will be subject to attack," he says.
For-profit criminal enterprises will attack any organization they believe will pay, whether academic or non-academic, notes Brett Callow, a threat analyst at security firm Emsisoft.
"There is no reason to believe that one sector is more at risk than the other," Callow says.
However, with that said, ransomware coupled with data exfiltration "is probably the most serious threat" facing academic healthcare organizations, he says.
"These double-whammy attacks provide actors both with additional leverage and the opportunity to monetize exfiltrated data should the target organization not pay - or, perhaps, even if it does pay," he says.
Some academic and university healthcare systems during the pandemic potentially have moved so fast with teleworking, telehealth and new technologies that security vulnerabilities have not been properly addressed, leaving institutions vulnerable to potential compromises, Brown says.
"Attackers may infiltrate the networks and lay dormant without detection for a long period of time while attention is directed to COVID-19. This can allow for more massive attacks that will show up later," she predicts.
But in the meantime, phishing remains the number one vector for successful attacks, including ransomware, Curran says.
"Attacks on Internet facing open ports, especially remote desktop protocol, are also a high risk. If entities are not training their employees or scanning their entire Internet IP address range, they are at a higher risk for successful attacks," he adds.
"The other concern we have is that ransomware groups like Maze are teaming up to extort their victims through shared data leak platforms, proliferating tactics and intelligence. We have also seen an increase of ransomware exfiltrating data and then extorting the entities."
Meanwhile the shift for many organizations - including universities, hospitals and academic healthcare systems - to a largely remote workforce has "not only expanded the attack surface, but they have moved it beyond the 'walls of the castle,'" Finn notes.
"We should now think of 'identity' as the perimeter. We can't control how people are coming into the organization - since we sent them away, but we absolutely need to know that the user coming in is actually that user," he notes.
Many ransomware attacks succeed "only because well-established best practices were not followed," Callow says. "Systems were not promptly patched, multi-factor authentication was not used everywhere it should be used, PowerShell was not disabled when not needed, admin rights were not limited, etc. Organizations can significantly reduce the likelihood of being successfully attacked - or, at least, the scope of attacks - by adhering to those best practices," he says.
Finn says threats are likely to grow during the COVID-19 pandemic - and all healthcare organizations need to be prepared for that.
"This is not a problem that will fix itself or just go away. It will increase until organizations take action - direct IT and security to secure access to and build protections around the users and data. That means not just saying words, but funding and staffing those changes," Finn says.
"I'm already growing weary of the expression 'new normal' as it applies to security," he says. "Organizations should be doing what we always should have been doing: Provide the appropriate controls to support the business and its changing operating model," he adds.
"Yes, the attacks, attackers, technology, processes, people will always change and yet it remains the obligation of boards and executive leadership to ensure that the controls are in place to support the business."