Cyberthreats exploiting the COVID-19 epidemic at the expense of Spain’s health system

Phishing is on the rise in Spain, especially attacks exploiting the COVID-19 pandemic. GMV’s cyberthreats intelligence team is on the constant lookout for any malicious activity and has passed on a warning to Spain’s health system. Juan Ramón Gutiérrez, Head of Threat Intelligence explains that “Between 60% and 70% of threats use social engineering as their entry vector, taking advantage of human weakness and curiosity, need of information and fear of COVID-19 or an altruistic urge to help or find out more”.

Spain’s health system is an attractive target for cybercriminals. Health-service providers, pharmaceutical and insurance companies and health centers all harbor between them a host of data on people’s health, plus information on the development of new drugs. If stolen, this data could impinge directly on patient care, the privacy of clinical test participants, industrial propriety or even the professional-association membership number of a medicament-prescribing doctor, argues Juan Ramón Gutiérrez.

He likewise points out that, according to the figures of Trend Micro for the current year, “Spain ranks ninth in the main countries hosting COVID-19-related malicious URLs, used for phishing campaigns or for the purposes of cybercrime. GMV Cyberthreat Intelligence team’s monitoring figures show, as can be seen in the graph below, that “phishing is the commonest form of attack, hosted in emails, SMSs or WhatsApp messages”. This responds to the main aim of “stealing the data of patients or healthcare staff”.

Active Attacks

GMV’s Cyberthreat Intelligence team, reacting to the current coronavirus environment (high social demand for information on the issue, overworked health service, emotional vulnerability …) has detected several active phishing campaigns. These include the following: a hospital scam with malicious emails falsely telling the receiver that a friend or relative has tested positive for COVID-19 and they are urged to print an attached file and take it to the nearest health center; a ministry of employment scam, pretending to be the State Social Security and Work Inspection Organization (Organismo Estatal de Inspección de Trabajo y Seguridad Social: ITSS), where the malicious email informs companies of a false work inspectorate investigation, claiming that the company is infringing the law and taking advantage of the current lockdown as bait to fool the receivers. Likewise, due to the sheer number of people now teleworking, various teleconference firm scams have also been detected, with the wrongdoers pretending to be a firm like WebEx to steal credentials.

Total Asepsis

After analyzing the map of the state of cybersecurity in Spain’s health system, GMV’s experts have drawn the following conclusions: 1) the obsolescence of their technological equipment leaves the door open to threats exploiting vulnerabilities stemming from lack of support; 2) the current design of healthcare networks does not fit in with the new ICT-intensive scenario, whereby critical activities (digital diagnosis- and monitoring-equipment, data and historical record storage systems, appointment management services, surgeon agendas, transplants, etc) are all open doors to cybercriminals; 3) The coexistence in certain public access network centers (Wi-Fi) of personal healthcare-personnel equipment sets up indirect nexuses through which cybercriminals can obtain data for their illicit ends; 4) hackers might be able to penetrate any healthcare network nodes with malware capable of totally or partially interrupting a center’s normal activity (e.g., balking access to medical records, altering the configuration or losing access to electro-medicine equipment or, simply, disrupting the appointments system of a hospital’s external consultation system).

Juan Ramón Gutiérrez goes on: “if the main aim of all healthcare personnel is patient-protecting asepsis, taking in both persons and healthcare material, then in any globalized and totally digitized society, there would also be an obvious concomitant need for “asepsis” too in the healthcare information systems”. This is especially the case, he argues, “in the current moments of healthcare crisis that increase the vulnerability to attacks of various types”. Various horror scenarios present themselves. What would happen if a hacking attack managed to alter a surgeon’s equipment in mid-operation? Or if cancer-treatment receiving patents’ medical records were lost or if ICU nursing databases dealing with patients’ daily medication needs were rendered inaccessible by an attack?

To head off such situations, GMV’s Cyberthreat Intelligence team insists, among other measures, on the importance of the company’s top-down “concentration on prevention rather than merely detection: Reinforcing teleworking cyber-protection measures, such as secure VPNs or web filtering; ensuring proper updating and patch-application management; monitoring own and third-party vulnerabilities and implementing multifactor authentication by means of SMS, Google Authenticator or any other method”.

On an individual level it is necessary “to show extreme caution when receiving emails, SMSs or WhatsApps from unknown senders. In particular, never click on links or phrases like “click here” even if the message in question seems completely normal. Install applications in the computer or handhelds only when they are official or come from a recognized source, such as Google Play or Apple App Store and keep the computer and handhelds updated”.

To deal with any cyberthreats GMV runs a Computer Emergency Response Team (CERT) to offer its clients monitoring services of infrastructure, auditing, code analysis for security validation in the application development lifecycle, cyber-intelligence services to identify threats before they can be used against targets, forensic services for post-mortem attack analysis and compliance- and consultancy-services.