Alert AA20-099A: COVID-19 Exploited by Malicious Cyber Actors (Apr. 8, 2020)
Available at https://www.us-cert.gov/ncas/alerts/aa20-099a
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.K. National Cyber Security Centre (NCSC) have issued a joint alert describing how malicious cyber actors are exploiting the COVID-19 pandemic. The alert notes that the surge in teleworking has increased reliance on remote-access services, such as virtual private networks (VPNs), that are attractive targets when left unpatched, amplifying the threat to individuals and organizations. Both agencies have observed COVID-19-themed scams and phishing attacks carried out by malicious actors masquerading as trusted entities (for example, public health authorities). These phishing attacks, delivered by email or through messaging services, typically seek to steal a user's credentials or to trick the recipient into opening an attachment or clicking a link that downloads a malicious file. Malicious actors are also exploiting the increased use of popular communications platforms (such as Zoom and Microsoft Teams) in two ways: by sending phishing emails whose spoofed filenames incorporate the platforms' names, and by hijacking teleconferences and online classrooms that were set up without security controls or that run unpatched versions of the platforms' software.
After outlining the threats and vulnerabilities, the alert provides guidance in several areas. Phishing guidance for individuals identifies red flags that help spot a phishing message: the sender purports to be an official or authority figure; the recipient is given only a limited time to respond; the message is designed to trigger an emotion, such as panic, fear, or hope; and something in short supply is offered. Guidance for organizations, drawing on the NCSC's layered approach, suggests splitting phishing mitigation into four layers: making it difficult for attackers to reach users (for example, with email filtering and anti-spoofing controls); helping users identify and report phishing emails; limiting the damage from phishing emails that users do not detect (for example, by restricting what a compromised account or device can do); and responding quickly to incidents. Tips for securing communications platforms include requiring passwords for access to meetings; providing meeting links directly to invited participants rather than posting them publicly; managing screensharing options so that participants cannot take over a meeting; ensuring users are running updated versions of the applications; and addressing physical and information security in telework policies and procedures.
EBIA Comment: Although this guidance is not directed specifically at health plan sponsors and advisors, those who work with group health plans should already be familiar with much of this information through their HIPAA compliance programs. In fact, HHS recently provided HIPAA-specific guidance on telehealth communications platforms (see our Checkpoint article). However, HIPAA is not the only compliance concern for employee benefit plan sponsors and their service providers. Although there is no definitive guidance, many professionals believe that ERISA requires plan fiduciaries to manage cybersecurity risks. The IRS has also issued extensive cybersecurity guidance (see our Checkpoint article), as well as an alert about the need for additional security measures in light of COVID-19-related scams. For more information, see EBIA's HIPAA Portability, Privacy & Security manual at Sections XXIX.E ("Developing Your Security Program") and XXX ("Core Security Requirements"). You may also be interested in our upcoming webinar "Learning the Ropes: An Introduction to HIPAA Privacy & Security" (live on 5/14/20).
Contributing Editors: EBIA Staff.