7 minute read 13 May 2020
woman wearing headphones messaging on laptop

COVID-19: How healthcare providers can stay vigilant to cyber threats

By EY Global

Ernst & Young Global Ltd.

7 minute read 13 May 2020

As COVID-19 creates new cover for threat actors, we take a look at what healthcare providers need to do now, next and beyond.

The cybersecurity risks to healthcare sector continue to evolve, creating the potential for new avenues of business impact and disruption. Cyber criminals are opportunistically attacking healthcare networks under real or perceived pressure with a variety of direct and indirect attacks, including distributed denial of service (DDoS),1 ransomware and patient health information (PHI) theft. These attacks are impacting healthcare providers of varying sizes and locations, including hospitals, clinical labs, health agencies, and COVID-19 vaccine test centers.2 These and other examples are proof that financially motivated cyber criminals seek only to maximize profit when it comes to launching cyber-attacks and crippling businesses, regardless of victims’ size, locations, or roles in defending the world against a global pandemic.

The current paradigm shift to a mostly remote workforce across all industries poses a disturbing long-term risk. In the healthcare industry, technology and business leaders need to begin actively addressing these risks to protect the industry from harm while taking a long-term perspective to ensure this critical industry is resilient to information security threats.

Now: current cyber threats to healthcare industry

Cyber criminals are adapting operations to exploit widespread fear and uncertainty related to the COVID-19 pandemic.3

A large number of health institutions report an increase in network traffic as they continue to respond to the COVID-19 pandemic outbreak. Recently, the U.S. Department of Health and Human Services (HHS) experienced an attempted DDoS attack; due to its large, resilient infrastructure, this had minimal impact on the agency’s operations.4 DDoS attacks could severely impact a mid-sized hospital with lesser defensive capabilities, halting or diminishing its operations. The ramifications of such an attack during the current pandemic could be catastrophic.

In addition, ransomware continues to be one of the most severe threats facing the healthcare industry.5 Even though some prominent cybercrime groups have “promised” not to target healthcare entities, ransomware attacks on hospitals and labs working on COVID-19 vaccines have continued.6 These actors conduct widespread scans of the internet for vulnerable enterprise assets, such as unpatched Virtual Private Network (VPN) servers or assets with Remote Desktop Protocol (RDP) exposed. If found, the actors may use publicly available exploits or credentials from third-party leaks to gain access to the network, ultimately finding sensitive information, stealing it and encrypting it with ransomware. This could prevent providers from accessing information about their patients’ medical histories, the dosages of drugs that patients require, or other critical information until the ransom is paid – or until the actors decide to punish the providers by publicly leaking the information. 

Given the publicity around COVID-19 and the heightened focus on healthcare from actors and defenders alike, EY teams have observed increased interest in healthcare-nexus credentials. Multiple underground forum members have begun offering “healthcare cred bundles” for sale; although many of these are likely repackaged from prior third-party breaches, actors will likely incorporate these credential bundles into password-spraying and brute-forcing operations. Interest in healthcare credentials are expected to remain high and these types of operations to continue in high-volume for the foreseeable future as the crisis continues to unfold.

Cyber criminals continue to launch online attacks – phishing for enterprise credentials, data theft malware, and ransomware – that attempt to leverage on COVID-19 pandemic fears.

As many healthcare workers are feeling greater fear and uncertainty over the virus, they fall victims to cyber-attacks in search of COVID-19-related medical equipment, prevention instructions, and vaccines. Much like other ongoing attacks, the credentials harvested during this time of increased activity may not be used for weeks or months to launch an attack on the organization. As a result, technology leaders need to be ever vigilant in their efforts to educate and protect users and their enterprise credentials in the current state and even more so in the future. 

Next and beyond: future cyber threats 

Due to leaders across the globe issuing stay-at-home orders to their constituents, the Work From Home (WFH )/teleworking population has dramatically increased, and the healthcare industry has responded by expanding remote access to care via telemedicine. 

Historically, telemedicine has faced challenges with incidents of fraud due to fraudulent Medicare billing.7 The current rapid expansion of telemedicine solutions may create issues by potentially exposing PHI and running afoul of Health Insurance Portability and Accountability Act (HIPAA) compliance. Increased reliance on and use of telemedicine may also lead to endpoint protection issues for users’ devices and increased security risks if methods to encrypt communications are not in place.8

The sweeping pay cuts and furloughs across the health sector could result in disgruntled employees becoming insider threats that may compromise the confidentiality and integrity of sensitive health information.

The projected losses have resulted in temporary furloughs of many health system employees, pay cuts and adjustments of working hours. The decision to eliminate elective surgeries and outpatient visits is likely the right decision in terms of protecting the safety of patients and staff, and also preserving limited PPE (personal protective equipment) but it has led to significant reductions in revenues.9 The sweeping pay cuts and furloughs across the health sector could result in disgruntled employees becoming insider threats that may compromise the confidentiality and integrity of sensitive health information.

Another potential area of concern due to COVID-19 is the prescription drug supply and the medical supply chain serving healthcare organizations. Experts are questioning whether the current supply of certain prescription drugs is adequate for the potential expansion of demand due to the COVID-19 pandemic.10 Currently, the Food and Drug Administration (FDA) is monitoring the medical product supply chain, asking suppliers to evaluate their entire supply chain from active ingredients to finished products.11 Similarly, the Federal Bureau of Investigation (FBI) is warning consumers and potential purchasers to be vigilant and on the lookout for fraudulent medical sales of personal protective equipment (PPE).12 To enhance network and IT security, healthcare sector organizations can proactively review and implement best practices by Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients.13

Healthcare sector enterprises must employ multi-faceted risk mitigations

It is critical for healthcare delivery organizations to stay vigilant and fully understand how to identify potential threats to their networks. As we receive more updates on the developments of COVID-19, it is widely anticipated that cyber criminals will increase their attempts to launch more attacks against the healthcare industry because healthcare Information Technology (IT) infrastructure and remote work capabilities are stressed and security is often not optimal. Organizations should take a multi-pronged approach to managing risks over the short and long term. Recommendations and considerations as we continue to adjust to the present reality include the following:


  • Due to the increase of teleworkers, evaluate your enterprise remote connectivity and authentication (i.e. Remote Desktop, VPN, WebEx, etc.) capabilities.
  • With increased threat actor activity targeting healthcare industry remote workers, apply all available security updates for VPN and firewall configurations.
  • Encourage remote workers to update and patch their personal devices that share the same network with their enterprise assets.
  • Advise employees to control access to home Wi-Fi networks by using strong passwords and avoid default factory passwords.
  • Review current email security controls with consideration of current remote work force posture.
  • Set group policies to allow enterprise assets deployed remotely to only access PHI without the ability of saving it locally or ensure that encryption is enabled first.
  • Provide links to official resources for pandemic-related information to avoid the spread of disinformation within your organization.
  • Establish formal and transparent channels for corporate messaging to highlight what the enterprise is doing to address this pandemic.
  • Assume each VPN connection (or reconnection) is potentially “compromised,” as users’ home networks (or those of their neighbors) could contain compromised personal devices.


  • Test the ability to recover from your backups in a timely manner with a keen eye to ensure your organization is backing up all the data it needs in a format that is accessible yet secure to prevent both explicit or inadvertent tampering or corruption. In the event of a ransomware attack, data security and availability are vital.
  • Assess and implement new security analytics models to account for privileged activity and use of new administrative tools and services that could reveal threat actor activity within the network.
  • Review your external Incident Response (IR) provider and consider an additional external provider if a more appropriate response time is needed.
  • Process HR changes as quickly as possible and reduce access to employees with status changes in prompt manner.
  • Provide security operations with lists of furloughed, pay reduced and terminated employees so that they can create alerts for those accounts performing actions while on furlough, which could indicate insider activity or threat actors with compromised credentials.
  • For protection against DDoS attacks, consider using behavioral detection-based tools that learn normal users’ behavior, and block network traffic that does not conform to the normal behavior.


  • Consider deploying data loss prevention (DLP) to endpoint devices to restrict actions like saving, copying or transmitting sensitive data without disabling overall functionality.
  • Update and test your IR and Disaster Recovery (DR) plans to ensure they are applicable to the current state of your workforce.
  • Review, update and recommunicate employee cybersecurity training. Ensure to highlight the latest threats to your organization and employees.

Lead through the COVID-19 crisis

We have a clear view of the critical questions and new answers required for effective business continuity and resilience.


Contact us for immediate support

Gain access to our help with crisis management, business continuity and enterprise resilience.




As healthcare-related industry adapts to changing workspace needs in the face of the pandemic, we highlight the risk factors to watch out for to help healthcare sector remains cyber resilient.

About this article

By EY Global

Ernst & Young Global Ltd.