Confidentiality, Privacy and Security

COVID Phishing Attacks...The list of themes is growing

  • 1.  COVID Phishing Attacks...The list of themes is growing

    Posted 08-15-2020 10:54
    No doubt the COVID-19 pandemic has given additional opportunities for hackers to use "COVID" themes in phishing attacks in their attempts to catch people off guard or to prey on their fears or anxieties.  Some of the themes that are coming up more often are listed below.  Just sharing for those who are doing security awareness training.

    • COVID information and updates from local, State, Fed government entities
    • COVID information and updates from the CDC 
    • COVID vaccination news and where to get info on "available" vaccinations
    • Bank loan forgiveness programs for those economically impacted by COVID
    • Short term disability programs for those affected by COVID
    • Unemployment benefits available to those affected by COVID
    • Student loan forgiveness programs related to loss of income due to COVID
    • Free COVID testing at a testing site near you

I'm sure over time the list will grow.  My takeaway...if you get an email AT WORK, addressed to your work email address, about COVID which didn't come from within your organization...it's probably not a good idea to click on any links, in my opinion.  Also, check what process you have to alert IT to the email, as it can help IT take steps to prevent others from getting the email and possibly causing a data security incident.

    ------------------------------
    Frank Ruelas
    Compliance Professional
    Arizona
    ------------------------------


  • 2.  RE: COVID Phishing Attacks...The list of themes is growing

    Posted 29 days ago
    Thank you Frank.

We have sent memos and email reminders in addition to continuing to educate those who attend new employee orientation.  We also test periodically by sending a test email to see who all clicks on the tricky link from within, and use it as an education opportunity.  However, I'm curious to know what other entities are doing to educate their workforce.  Maybe there are some new or creative ideas?

    ------------------------------
    Ashley F.
    ------------------------------



  • 3.  RE: COVID Phishing Attacks...The list of themes is growing

    Posted 29 days ago
    Hi Ashley,

    I would recommend considering some 'tabletop exercises' (more below), and I'm also including below some other educational and informational cybersecurity resources, some of which are tailored specifically to the healthcare sector and are focused on phishing.

    DHS Cyber Tabletop Exercise (TTX) for the Healthcare Industry --> https://www.hsdl.org/?abstract&did=789781
    (This is a zip file that contains a package of materials intended to assist healthcare organizations in planning and organizing a cyber tabletop exercise (TTX). This TTX is an unclassified, adaptable exercise developed through a partnership with the U.S. Department of Health and Human Services (HHS), the National Health Information Sharing & Analysis Center (H-ISAC), subject matter experts from the private sector Healthcare Industry, and DHS NCSD.)

    There are also a number of great resources located here from ASPR/TRACIE -->  https://asprtracie.hhs.gov/technical-resources/86/cybersecurity/0

    The MITRE Cyber Exercise Playbook --> https://www.mitre.org/sites/default/files/publications/pr_14-3929-cyber-exercise-playbook.pdf

For a shorter exercise, you could also use the "15-Minute Workgroup Tabletop Exercise":
https://cybersecurity.wa.gov/sites/default/files/public/OCS_content/Trainingexercises/021%2015-Minute%20Workgroup%20Tabletop%20Exercise.pdf

Additional cybersecurity tabletop exercises from the Washington State Office of Cybersecurity ---> https://cybersecurity.wa.gov/tabletop-exercises

H-ISAC (h-isac.org) also provides some extremely informative videos about varying aspects of cybersecurity that are just for the healthcare industry, which include guidance on how to improve your organizational cyber hygiene.  In regard specifically to phishing, the first video in their free library addresses how to increase staff understanding and awareness of ways to protect your organization against e-mail–based cyberattacks, such as phishing and ransomware, as well as effective ways to provide staff with training on and awareness of phishing e-mails.  H-ISAC brings together many different HIM and HIT professionals across the healthcare industry to share and collaborate on preventing and defending against cybercrime and malicious cyber activity.
    https://h-isac.org/health-industry-cybersecurity-practices/

(About the H-ISAC videos:  The 405(d) Aligning Health Care Industry Security Practices initiative, along with the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) publication to which these videos are related, were produced in partnership with the Healthcare & Public Health Sector Coordinating Council (HSCC).)


Finally, if you haven't seen it already, I worked with Errol Weiss of H-ISAC on a webinar that AHIMA just released earlier this month.  It covers a lot of best practices recommended by H-ISAC and additional cybersecurity-related resources that can be used by organizations, as well as other resources included for education and awareness.  The registration link can be found at the bottom of the article at https://journal.ahima.org/better-together/ (full disclosure: this is a piece I worked with Errol Weiss, CSO of H-ISAC, to complete), but I am also including the registration link below.  Hope this helps!

    Free Cybersecurity Webinar from AHIMA, featuring Errol Weiss, CSO, H-ISAC --> Access an on-demand webinar on how healthcare organizations can identify and mitigate cybersecurity threats, especially during the COVID-19 pandemic: "Cybersecurity & Health-ISAC's Response to the COVID-19 Pandemic"
    https://event.on24.com/eventRegistration/EventLobbyServlet?target=reg20.jsp&referrer=&eventid=2519592&sessionid=1&key=55BA2AA3384042C5818AEA5EF515ECC2&regTag=&sourcepage=register



    ------------------------------
    A. Andrews Dean, CPHIMS, CHPS, CHDA, CPHI, CPPM, CPC
    AHIMA-Approved Data Analytics Trainer / AHIP PAHM & PHIAS
    Health IT Regulatory Affairs & Healthcare Compliance Consultant
    ------------------------------