Hello. Hackers are going after hospitals and other medical facilities during the coronavirus pandemic. In United Nations meetings over the past few months, more governments described health care as a type of critical infrastructure that should be specially protected from cyberattacks, WSJ Pro’s Catherine Stupp writes in her latest Brussels Report analysis.
Other news: War games identify holes in companies’ crisis response plans; Tribune Publishing angers staff with cybersecurity test; and federal agency hit in cyber-espionage attack.
Weekend reading: Privacy laws hinder U.S. business; Supreme Court review of 34-year-old hacking law; and former NS8 CEO arrested.
“You don’t want to do discovery learning at the point of crisis.”
— Fernando Maymi, director of professional services at IronNet Cybersecurity, on the need for companies to conduct war games
Brussels Report: Governments’ Concerns Rise About Pandemic Cyberattacks on Health Care
By Catherine Stupp
A surge in cyberattacks on medical facilities during the pandemic has alarmed national governments. The potential consequences were highlighted last week with the death of a woman after she was turned away from a German hospital that had been struck by ransomware.
Hackers are targeting the sector with a variety of attacks that could have damaging effects. For example, espionage campaigns could derail vaccine trials if hackers access confidential information, even if the data isn’t manipulated, said Dapo Akande, professor of public international law at the University of Oxford.
Many countries already designate health care as a critical infrastructure sector. In some places, that means companies are required to implement certain cybersecurity measures and report attacks to authorities and can receive government assistance or information about threats.
Elsewhere, health care isn’t deemed critical infrastructure. Kubo Macak, a legal adviser at the International Committee of the Red Cross, advocates stronger protections for health care. “If coronavirus testing has to stop because computers freeze or are under ransomware or [denial-of-service cyberattacks] and can’t function properly for days or weeks, that can have serious repercussions for patients,” he said.
More Cyber News
War games: Some companies are taking role-playing to a new level when it comes to mitigating risks that could disrupt a business. The drills can be designed to help companies work through multiple types of external threats, The Wall Street Journal reports. Emily Stapf, cybersecurity, privacy and forensics integrated solutions leader at PwC, described a tabletop exercise crafted for a pharmaceutical firm at the behest of its board. The objective was to make sure the company was prepared for operational disruptions, made all the more important in the wake of the pandemic. C-suite executives and heads of business units were presented with a scenario in which a distribution center was impaired after a ransomware attack.
Eyes opened: In the exercise, Ms. Stapf says, shipments didn’t go out, customers called to complain, trucks got backed up, employees struggled to communicate with each other and the situation quickly became a public-relations nightmare. The snowball effect was eye-opening for the executives, as there was no backup plan in place. After the exercise, the company adopted immediate network and system changes to make sure every center was segmented so a similar attack couldn’t spread, Ms. Stapf says. The company also clarified who was accountable for making real-time communications decisions, she says.
Tribune Publishing angers staff with cybersecurity test. Employees of the publisher received email messages promising surprise bonuses of up to $10,000. The false emails were part of a test from Tribune to see who could be tricked into clicking on links that could have unleashed malware, the Washington Post reports. Such phishing-simulation exercises are common at companies, but this one upset Tribune employees, some of whom complained on social media. The company has furloughed staff and cut pay in recent months. “In retrospect, the topic of the email was misleading and insensitive, and the company apologizes for its use,” a spokesman said.
Federal agency hit in cyber-espionage attack. Hackers conducted reconnaissance inside the networks of an unnamed federal agency, the U.S. Cybersecurity and Infrastructure Security Agency said Thursday. The agency’s intrusion-detection system identified the activity and the attack has been stopped, ThreatPost reports. CISA described some technical details of the attack, including that the perpetrators used valid credentials for Microsoft Office systems to plant “multi-stage malware that evaded the affected agency’s anti-malware protection.”
Regulators Warn U.S. Could Fall Behind Without Privacy Standard
Supreme Court Review of Hacking Law Puts Cybersecurity Researchers on Alert
Former Head of Cyber-Fraud-Detection Startup NS8 Arrested on Fraud Charges