Fri, May 8, 2020

COVID-19 and Other Threats to the Healthcare Sector

Kroll experts Keith Wojcieszek, Managing Director, Nicole Sette, Senior Vice President and Laurie Iacono, Senior Associate, and Andreas Chrysostomou, Managing Director in the Valuation Advisory Services practice of Duff & Phelps and Bruce Radke, Shareholder, Privacy and Cybersecurity practice co-chair at Polsinelli P.C., discussed the threats posed to the healthcare industry by cyber criminals and COVID-19 as bad actors seek to exploit the spread of the pandemic. 

This webcast, driven by Kroll’s internal data and gathered intelligence, highlights the latest trends and tactics deployed by cyber criminals. The panel also shares direct examples of compromise from dark web forums.

Webcast Replay: COVID-19 and Other Threats to the Healthcare Sector

This webcast covers:

  • Updates on real-time threats posed by COVID-19
  • A breakdown of the most targeted healthcare organizations by type, based on Kroll’s internal data 
  • The most effective compromise vectors and why they continue to be successful in 2020
  • Analysis of dark web landscape to identify value of healthcare data and potential risk of insider threats 
  • Real life case studies of phishing, third-party compromises and others to help healthcare professionals better prepare


Notable Passages From the Presentation

COVID-19 and the Healthcare Sector

With COVID-19 being at the forefront of every media outlet, it really tends to arm these criminals with ammunition they need to begin attacking vulnerable institutions and different organizations. For example, the World Health Organization (WHO) claimed cyber-attacks against them have doubled since early March, utilizing multiple methods of the monetary gain. Following the attack on WHO … Potential DDoS attack occurred on HHS, which is a health and human services organization, as well as possible misinformation campaign about the virus and Twitter through HHS. And then as you see right now to get really bad, these transnational criminals attacked one of the largest COVID-19 testing facilities in the Czech Republic, which forces to cancel operations, surgeries and really relocate these new patients to other hospitals. – Keith Wojcieszek

Not only are companies suffering from cyber incident, and are on a timer to stop the attack and to save their data, but now these criminals are also pressuring these victim companies to pay the ransom or they'll have their data exposed on the internet. Now, the group affiliated with the Maze ransomware not only encrypts your data, so you're unable to access it, but that actual traits is part of the attack. Now, at that point, they set this timer that you must pay by a certain day in time, or the posted for public download. Now, this data is posted on a website called Maze News, which is frequently updated with several new victims. Now, as we're reviewing this site we see there may be some hope though, which is revealing. I'm sorry, which is actually very, very good. – Keith Wojcieszek

Cyber Attacks Trends as Observed by Kroll

These trends are derived from Kroll's incident response case intakes, which we analyze on a monthly basis to sort of capture attack trends in real time as they're happening. Phishing is the leading attack sector across almost every sector, as well as the targeting of the healthcare sector as one of the single most targeted industries we're seeing in our Kroll cases. The next largest incident type was ransomware, followed by insider threats and the purple and unauthorized access and the light gray color there. Now, while we documented a wide variety of attacks, targeting healthcare in 2019, again, Kroll found that email compromise remained the number one vector for cyber intrusion consisting of 44% of Kroll's healthcare intake cases. And while phishing has not changed as the leading attack vector over the years, the phisher's techniques in playbook continually do change. So for instance, last year saw various new and unique techniques as actors continue to evolve to avoid detection and prevention. – Nicole Sette

Within the hospital email compromise with the most observed threat against hospital systems. The hospitals are more often targeted because attackers are seeking to compromise the largest amount of victims all in one go. The cyber criminals really only have to compromise one employee's account which can then be used to infiltrate into entire staff across the hospital to gain potentially access to thousands of other employees. Now, when it comes to ransomware attacks hospitals are also a more lucrative target as they have this sense of urgency to remain operational at all times, as well as the funds to pay ransom demands. In terms of specialized clinics, which we see highlighted here in blue on this graph, these are orthopedics, chronic care, cosmetic surgery, etcetera. Now this is the second most frequently targeted discipline within the healthcare industry based on our case intake. – Nicole Sette

Legal and Regulatory Landscape

If you do have an incident, a breach, and you need to notify affected individuals, you may also have to notify state AGs and HHS. And dependent upon the nature and the size of the incident state regulators may institute an investigation. And the nature and kind of the scope of that incident varies from state to state, and obviously based upon the nature of the incident itself. So for example, in Massachusetts when you notify the Massachusetts AG, part of that notification requires you to state whether or not your organization has implemented a WISP, a written information security plan. Under Massachusetts law it requires organizations that own or license personal information of Massachusetts residents to implement a WISP. So this very well may have an extra territorial effect in the sense that you may be a New Jersey healthcare organization that has patients in Massachusetts or your patients may have moved to Massachusetts. – Bruce Radke

With regard to the FTC they have entered into numerous settlements with organizations that have had data breaches. But also they have been very much focused upon the types of representations in publicly facing privacy policies around what security measures and precautions that you have in place. That's been a particular area of focus for the FTC. And again, this is kind of a self-inflicted that you can certainly avoid. So, the recommendation is to go and look at your privacy policies and ensure that the statements that you're making with regard to your cyber security safeguards are accurate, and they don't overstate what those safeguards are and are clear enough such that they cannot be misconstrued by a regulator. – Bruce Radke

Action Points

So, after going through all of the reality of cyberattack, the question that should come to mind at this point is, how do I not become a victim? And the answer to that is it's really just prepare. Prepare and keep on preparing. As an organization there are steps you should take to improve your cyber security posture, for sure.

But the biggest thing that everyone kind of needs to understand at this point is, you could have all of the technical preparation, technical solutions in place. But if you're not training your staff on a regular basis that's an issue. Especially now with staff working from home. – Keith Wojcieszek

One of the things to just consider if you have an incident as Keith mentioned, what do we do? And responding quickly, take your incident response plan, do your traditional tabletops and then also think about reaching out to your forensic firm like Kroll or legal counsel. In advance of an incident it's a great time to negotiate those terms and conditions, those MSAs, those engagement letters. And again, if you do get or dealing with an incident, it's just one less thing that you need to deal with when you're trying to put out the fire when the house is on fire. And secondly, candidly, you're in a much better position leverage wise to negotiate those terms and conditions with the law firms and other providers when you don't have a need. – Bruce Radke
