As the COVID-19 pandemic has forced organizations around the globe to shift to remote work, cyberattackers have taken advantage of vulnerabilities in the new IT environment to launch ransomware and phishing campaigns. The healthcare sector has been especially targeted. In the Asia-Pacific in particular, the healthcare sector is lacking in cybersecurity savvy, making global cybersecurity collaboration more important now than ever.
The COVID-19 crisis has created opportunities for both cyber criminals and ill-intentioned state actors to take advantage of already-stretched healthcare institutions. TrendMicro detected over 47,000 accesses to malicious coronavirus-related domains between January and March 2020, and the number of accesses jumped from by 3.6 times, from 9,497 in February to 34,197 in March, in concert with the global expansion of patients.
There are three reasons why organisations have become more vulnerable to cyber threats amidst the pandemic. First, people are spending more time online checking media reports (36 percent increase) and social media feeds (21 percent increase) out of a desire to keep up with the status of the disease around the world. Concerned people crave the latest information on the coronavirus pandemic. Consequences have included a drastic increase in the rate at which people click on phishing emails, from less than 5 percent before the outbreak to over 40 percent after the outbreak.
Second, the sudden shift to remote work has forced many businesses and organisations to adopt a new IT environment, sometimes without incorporating adequate cybersecurity safeguards. According to a Gartner survey of human resources leaders conducted in early April 2020, about half of organisations had 81 percent or more of their employees working from home during the pandemic, while another 15 percent reported that at least 61 percent of their employees were working from home. To accommodate newly-distributed workforces, more organisations have adopted the use of cloud-based collaboration tools such as Slack, Teams, WebEx and Zoom. US cybersecurity firm McAfee estimates that adoption of cloud services across all industries has risen by 50 percent during the pandemic. As use of these services has increased, so has their attractiveness as targets: McAfee also reported a 630 percent increase in external attacks on cloud services between January and April.
This is, of course, not an entirely new problem, as demonstrated by the 2019 Nippon Telegraph and Telephone (NTT) survey. Even prior to the pandemic, only 48 percent of organisations answered that all their critical data was stored and handled completely securely. Merely 52 percent of organisations had an incident response plan, and only 57 percent of those actually were familiar with the substance of the plan. The sudden change in the IT environment has weakened these already porous cyberdefences even further, and most organisations are less prepared than ever for potential cyberattacks.
Third, the recession triggered by the pandemic has negatively impacted cybersecurity budgets. Barracuda found that as of May 2020, 40 percent of global businesses has reduced their cybersecurity budgets as part of cost cutting to deal with the pandemic. While there are some exceptions – 46 percent of financial institutions said in May that they are likely to invest more in cybersecurity after the pandemic – global declines in sales are likely to lead to even less investment in cybersecurity, including training. In fact, 53% of CrowdStrike survey participants reported that their employer has not offered any additional cybersecurity training on remote work-related risks.
Impact on the Healthcare Sector
Cruelly, the healthcare sector, already strained by treating coronavirus patients and researching and developing medicines and vaccines to respond to the crisis, has been among those hardest hit by these attacks. The number of detected cyberattacks on hospitals skyrocketed by almost 60 percent between March and February 2020, the largest increase over the last 12 months. One prominent example was the March cyberattack on a Czech hospital serving as a centre of coronavirus testing and treating a coronavirus patient. The cyberattack forced the Brno University Hospital to shut down its entire IT network, cancel surgeries and re-route new acute patients to another hospital in the neighbourhood. In addition, since March 2020, ransomware has targeted healthcare and medical research facilities in France, the Czech Republic, Spain, Portugal, the UK and the US, at least.
In addition to cyberattacks aimed at disrupting hospital operations, cyber espionage operations have attempted to steal intellectual property (IP) on coronavirus treatments. The Canadian government admitted in May that a state actor launched a cyberattack with the aim of stealing intellectual property from a Canadian biopharmaceutical company in April 2020. The UK’s National Cyber Security Centre and the Cybersecurity and Infrastructure Security Agency under the US Department of Homeland Security published a joint advisory in May warning that state actors are targeting organisations involved in coronavirus-related research to gain “sensitive research data and intellectual property (IP) for commercial and state benefit“.
The international community has reacted strongly to this deplorable trend. In early April 2020, INTERPOL issued an advisory warning that cyber criminals are launching ransomware attacks on healthcare institutions. In late May 2020, United Nations Secretary-General Antonio Guterres acknowledged the growing number of cyberattacks on hospitals and voiced concern that these attacks “can cause further severe harm to civilians”. He also urged the Security Council to take action against such cyberattacks.
Situation in the Asia-Pacific
Although ransomware attacks on the Asia-Pacific healthcare sector have been rarely reported since the start of the coronavirus outbreak, the sector is not immune to these threats. The Indian government just acknowledged that their healthcare and educational sectors have been targeted by COVID-19-themed phishing attacks and malware, including ransomware. Other Asia-Pacific governments have issued alerts. When Japanese Minister for Economy, Trade, and Industry Hiroshi Kajiyama hosted a cybersecurity meeting with senior industry executives in April 2020, he referred to the ransomware attack on European medical institutions and urged Japanese industry to enhance their cybersecurity. The Philippines Department of Information and Communications Technology issued a “Cybersecurity Advisory on Hospitals and Healthcare Facilities” and encouraged medical institutions to back up data to prepare for a potential ransomware attack in March. When the Australian Signals Directorate and Australian Cyber Security Centre published an advisory about state-sponsored cyberattacks on the healthcare sector in May, they also encouraged medical institutions to make regular back-ups and also to patch vulnerabilities, block macros, and take other preventative measures.
Notably, there were several ransomware incidents within the healthcare sector in Asia even before the outbreak. In 2017, two major Indonesian hospitals in Jakarta were hit. One of them lost access to almost all of their computers, as well as patient medication records and billing, at least temporarily. In 2018, a Japanese hospital faced a ransomware attack, which encrypted its electric medical records system. Since the hospital had not backed up the data, it took five months to recover the system fully. They did not pay the ransom and continued to treat patients by using hard copies of patients’ medical records. They later discovered that either a hospital employee or a contractor connected their IT system to the Internet in violation of the hospital’s cybersecurity policy, leading to the ransomware infection.
A Wake-Up Call?
The cybersecurity maturity level of the healthcare sector is lower than that of other sectors – and has been for some time, according to threat assessments. According to NTT’s 2020 Global Threat Intelligence Report, the global cybersecurity maturity level of the healthcare sector is only 1.12, compared to levels of 1.64 and 1.86 for the technology and financial sectors, respectively. This rating reflects the used of informal and ad-hoc processes, tools, and metrics in the sector’s cybersecurity. On a scale of 0 to 5.99, both the technology and financial sectors aspire to reach a level of 3.42, while the healthcare sector is aiming for 3.15, which would mean having defined and consistent maturity across processes, tools, and reporting metrics.
Alarmingly, the Asia-Pacific healthcare sector’s level is the lowest of the healthcare sector in any region, at only 0.45, compared to 1.24 in the Americas, 0.88 in Europe, and 1.56 in the Middle East and Africa (MEA). This indicates that within the Asia-Pacific region, healthcare cybersecurity is practically non-existent in terms of processes, tools, and metrics. The Asia-Pacific region hopes to increase its score by almost threefold, to 3.13, which is higher than Europe’s target of 2.33 but lower than the targets of 3.61 set in the Americas and of 3.85 in MEA.
These score gaps indicate that cybersecurity is not prioritised on the boardroom agenda and that leadership is not involved in strengthening cybersecurity to protect patients and employees in the healthcare sector. Medical institutions, particularly in the Asia-Pacific region, are less interested in cybersecurity than those in other regions. This makes it challenging for them to adequately prevent, detect, or respond to cyber threats.
Asian Contribution to the Global Response
The current global crisis is impacting both the physical and digital health of people. The Asia-Pacific region is already playing an important role in fighting the healthcare crisis. Malaysia is the largest global producer of medical gloves. Japanese medical institutions are researching and developing coronavirus medicines and a vaccine. Taiwan donated 10 million masks to countries affected by coronavirus. Now it is time for Asia to deal with the related cybersecurity crisis.
Cyber espionage or ransomware attacks would inflict heavy damage not only on the Asia-Pacific region itself but also on its partner countries. Thus, two actions need to be taken to address the global and regional cybersecurity challenge to the healthcare sector. First, more cybersecurity companies need to join the movement to offer free or discounted cybersecurity tools or services to healthcare organisations. For example, CoveWare and Emsisoft recently formed a partnership to provide free support to coronavirus healthcare providers targeted by ransomware. From April to August, NTT is also offering free incident response and remediation services to hospitals in North America, Europe, the UK, Ireland, South Africa, Kenya, Saudi Arabia, UAE, Australia, New Zealand, Malaysia, and Singapore.
Second, national Computer Emergency and Response Teams and law enforcement should work closely with the cybersecurity volunteer groups launched after the outbreak. These groups were created to share cyber threat intelligence, provide incident response support to affected organisations including hospitals, and take down malicious domains in collaboration with law enforcement. The Cyber Threat Intelligence League and COVID-19 Cyber Threat Coalition have been operating since the early stages of the pandemic. As cyber threats to healthcare grow, these volunteer organisations need more support from cyber defenders and governments to prevent and mitigate damages caused by cyberattacks.
It is commendable that around the globe, cybersecurity experts have stood up to fight cyber threats during the COVID-19 pandemic and economic downturn. As the cyber threat landscape is quickly evolving to take advantage of weak links, global collaboration between the industry and governments has become more important than ever. Sharing collective cybersecurity expertise is the only way to overcome this unprecedented crisis and to prepare for the second and third waves of the pandemic.
About the Author
Mihoko Matsubara is Chief Cybersecurity Strategist, NTT Corporation, Tokyo, being responsible for cybersecurity thought leadership. She previously worked at the Japanese Ministry of Defense before her MA at the Johns Hopkins School of Advanced International Studies in Washington DC on Fulbright. She served on Japanese government’s cybersecurity R&D policy committee between 2014 and 2018. Mihoko published a book on cybersecurity in Japanese from the Shinchosha Publishing Co., Ltd in 2019. She is Adjunct Fellow at the Pacific Forum, Honolulu, and Associate Fellow at the Henry Jackson Society, London.