key: cord-1006740-5elpvxhw authors: Muthuppalaniappan, Menaka; Stevenson, Kerrie title: Healthcare Cyber-Attacks and the COVID-19 Pandemic: An Urgent Threat to Global Health date: 2020-09-27 journal: Int J Qual Health Care DOI: 10.1093/intqhc/mzaa117 sha: ddf6bffe2b77ddd77970b32ef400941adf84df27 doc_id: 1006740 cord_uid: 5elpvxhw The Coronavirus Disease 2019 (COVID-19) pandemic has resulted in widespread disruption to the healthcare industry. Alongside complex issues relating to ensuring sufficient healthcare capacity and resourcing, healthcare organisations and universities are now also facing heightened cyber-security threats in the midst of the pandemic. Since the outbreak began various healthcare providers and academic institutions across the world have been targeted in a variety of complex and coordinatized cyber-attacks. International and national regulatory bodies have stressed the urgent need for healthcare providers and universities to protect themselves against cyber-attacks during COVID-19, recognising that a growing number of cyber-criminals are seeking to capitalise on the vulnerabilities of the healthcare sector during this period. This includes a desire to steal intellectual property such as data relating to COVID-19 vaccine development, modelling and experimental therapeutics. It is therefore essential that healthcare providers and universities ensure they are informed, protected and prepared to respond to any cyber-threat. This article outlines key COVID-19 cyber-security principles for both healthcare organisations and academic institutions. In April 2020, the International Criminal Police Organisation (INTERPOL) published a report cautioning a global increase in the prevalence of cyber-attacks relating to the Coronavirus Disease 2019 (COVID-19) pandemic [1] . These attacks are targeting individuals as well as public and private companies, including those in the healthcare industry. Alongside many others, the healthcare industry has been severely impacted by COVID-19 due to significantly increased demand for clinical care, medical equipment and health technology. With the industry's increasing reliance on information technology (IT) to deliver patient care, to model the disease, create a vaccine, and in healthcare governance, it's unsurprising that cyber-criminals are capitalising on the crisis. Over the past months these vulnerabilities have been exploited globally; (1) a cyberattack that halted the network of a Czech hospital in March, (2) This resulted in significant diagnostic delays regionally that adversely impacted patient care. In recent weeks, Interpol have also reported hospitals and universities being threatened with being held ransom by cyber-criminals [2] . 5 Alongside frontline health services, other parts of the healthcare industry supply chain are also vulnerable to attacks, including medical manufacturers working to meet the overwhelming global demand for COVID-19 essential goods. Increasingly, intellectual property belonging to research institutions working on novel treatments, diagnostics, and vaccines are being targeted. Early in May 2020, the UK's National Cyber-Security Centre (NCSC) announced a significant increase in cyber-attacks perpetrated by hostile states and cyber-criminals targeting British universities and institutions working on COVID-19 research [3] . In response to this and other attacks, the UK's Health Secretary gave the UK's intelligence service access and oversight to the NHS IT network in May. Unfortunately, healthcare organisations and universities often lack resources to protect against cyber-attacks and can be badly affected by the cost and long-term impacts of security breaches. The 2018 WannaCry ransomware attack which affected an estimated 40% of global healthcare institutions cost the UK's National Health Service an estimated £92 million due to a combination of ransoms paid and activity cancelled [4] . As such, in both this as well as in future pandemics, it is imperative that healthcare organisations and academic institutions are actively working to prevent and mitigate the impact of these attacks. Crucial to any mitigating action is investment in modern IT infrastructure with effective patch management and malware protection in both healthcare and academic settings [5] . Alongside this, institutions should ensure all staff are aware of 6 common cyber-attacks including; (1) luring victims into downloading malicious apps, (2) phishing emails disguised as official outbreak updates which distribute malware via attachments or links, and (3) embedded spyware or malware in publicly available interactive COVID-19 maps and websites [5] . Secondly, good 'cyber-hygiene' should be incorporated into everyday working patterns for staff. This includes; (1) use of strong passwords, (2) avoiding opening unknown emails and links, (3) enablement of firewall protection at work and home, and (4) delivery of effective staff training [6] . Healthcare institutions should be aware that they face additional risks in the context of any cyber-attack and ensure these are appropriately managed [6] . Underinvestment in cyber-security in healthcare institutions means some are particularly vulnerable to ransomware attacks, particularly during the COVID-19 pandemic. Cyber-criminals can shut down devices, servers or whole networks and demand a ransom to rectify the encryption. This may cause disruption to patient records, imaging and surgical services, medical devices and appointment systems. As medical devices become increasingly 'connected', cyber-criminals may hack devices such as cardiac pacemakers [7] . Healthcare institutions should remember that any cyber-security breach can result in disclosure of personally identifiable medical information and can severely interrupt clinical services, including emergency or lifesaving care, potentially resulting in loss of life. Institutions should be prepared to handle the short-and long-term impacts of any attack, bearing in mind the economic and legal implications, and must have robust business continuity plans in place. Alongside this, they should establish a 'security culture' amongst staff by ensuring cyber-security training for all employees. A highly trained and responsive cybersecurity team should be readily available, and organisations should ensure 7 meticulous auditing of who is accessing health record systems. All mobile devices containing personal medical information should be protected with encryption, and software should not be installed by staff without prior consent. Staff working on remote devices should be enabled to connect to a virtual private network (VPN) to maintain a secure connection over unsecured internet infrastructure [8] . Academic institutions also face a series of unique threats including disclosure of secure research data or confidential patient trial data. This may be particularly dangerous for medical academic institutions involved in the development of highly coveted COVID-19 vaccines or novel treatments. State-sponsored espionage may aim to access trial information and exploit any imminent commercial opportunities. COVID-19 has also raised the public profile of many individual researchers meaning some are at risk of being personally targeted by hackers seeking to gather sensitive data relating to medical trials [9] . Universities should ensure all staff and students are familiar with key cyber-security principles, as well as where to report any suspicious activity. The diverse nature of users accessing university networks means it is challenging to ensure access is only available when necessary, but this is key to ensuring attackers are not able to regularly use authentic user credentials to access the network. Staff and students accessing the internal network on remote devices on campus or at home should connect to a VPN. This ensures secure and encrypted access to the internal network which vastly reduces the risk of a security breach. University networks often contain a collection of smaller networks which serve departments, laboratories and individual faculties. When maintained with minimal oversight, these networks are vulnerable to breaches. However, when managed well 8 these smaller networks can be used to store sensitive data and apply a higher level of protection without impacting the accessibility of the whole network [10] . Both healthcare and academic organisations should urgently assess the risks presented by a cyber-attack in the context of COVID-19 and develop a detailed incident response plan, remembering that attacks are likely to interrupt all aspects of delivery including current supply chains. In the event of an attack, organisations will need substantial support to respond effectively including forensic services, data breach expertise, and enhanced public relations capabilities [6] . This pandemic has significantly affected healthcare delivery globally and is likely to do so for the foreseeable future. In the scramble to strengthen frontline medical services and find new treatments, healthcare organisations and academic institutions must not neglect the imminent threat of cyber-criminality; lives, novel treatments and a vaccine could depend upon it. Preventing crime and protecting police: INTERPOL's COVID-19 Global Threat Assessment. International Criminal Police Organisation INTERPOL launches awareness campaign on COVID-19 cyberthreats. International Criminal Police Organisation Hostile states trying to steal coronavirus research and WannaCry is Still Unmanageable Pandemic profiteering: how criminals exploit the COVID-19 crisis. European Union Agency for Law Enforcement Cooperation Healthcare Information Security: Best Practices for Healthcare. Information Security Institute Cybersecurity: How can it be improved in healthcare? University of Illinois Transforming Healthcare Cybersecurity from Reactive to Proactive: Current Status and Future Recommendations State Hackers Target UK Universities s for COVID19 Vaccine Research The cyber threat to Universities: Assessing the cyber security threat to UK Universities There are no acknowledgments. Both authors contributed equally to the manuscript. MM is an insurance broker working for Marsh JLT Specialty that advises on cyberrisk insurance to organisations in Asia. She previously held a similar role in JLT Specialty, London. KS has no conflicts of interest to declare. No new data were generated or analysed in support of this research.