Cybercriminals See Opportunity in Vulnerable Time

While individuals and organizations are focused on preventing the exponential spread of COVID-19 and adapting to the “new normal” of their work, opportunistic hackers are taking advantage of the disruption. Many financially motivated cybercriminals are attacking hospitals and healthcare systems, whose vulnerabilities are heightened by the stresses placed on them during this global health crisis.

An increase in phishing campaigns and other cyberattacks targeting the most critical organizations, individuals, and infrastructure in the middle of a pandemic is a major concern. Proper policies and precautions need to be put in place to ensure the security of this critical infrastructure as our health professionals move toward managing this crisis in such uncertain times.

  1. Hospitals should – on some level – be concerned about access controls being ignored as the need for expedient care rises. In under-staffed hospitals, retired doctors and nurses and professionals from other locations may be brought in to care for COVID-19 patients. Rather than being set up with their own accounts and access to needed data, they may be sharing usernames and passwords with other workers. This reduces your ability to have fine-grained access control or an audit trail in the event of a security or data breach. Patient care comes first, but IT staff need to be prepared to manage accounts in a secure and nonobtrusive way for new and temporary staff.
  2. Everyone in healthcare needs to be on guard for social engineering that uses pretexts surrounding the shortage of medical equipment and protective gear. Organizations are donating, selling, and manufacturing goods on short notice to healthcare organizations. It would be easy for criminals to pose as a party in such a transaction to get targeted staff to open malicious attachments as part of a cyberattack.
  3. Healthcare organizations should also be concerned about ransomware. A medical facility testing potential vaccines for the novel coronavirus was recently attacked by the operators of Maze ransomware (one of several groups that made an empty promise not to target healthcare facilities during the COVID-19 pandemic). This has disrupted vaccine research.

Outside of hospitals, administrative workers following CDC guidelines and exercising social distancing by working remotely are now at an increased risk for cyberattacks. Changes in security policy and procedure, out-of-date virtual private network (VPN) software, malicious emails, and endpoint security of employee laptops pose some of the greatest risks to telecommuters. The isolation of remote work allows bad actors to leverage news and information about the coronavirus in phishing email campaigns and other “social engineering” attacks.

As the pandemic continues, criminals will seek new opportunities to further exploit vulnerabilities. In a time of global uncertainty, this massive shift to a remote workforce underscores the need for individuals and organizations to protect their personal and professional data by practicing good cyber hygiene. Organizations should seek security testing of new infrastructure and configurations put in place to adapt to the new work environment created by the global crisis.

This can be a tall order with employees working at a stressed healthcare system. Outside cybersecurity support can alleviate some concerns, as can security products such as Threat Runner, which allows organizations to see how a real ransomware attack would impact their systems and business continuity.


Wesley McGrew, PhD, serves as director of Cyber Operations for HORNE Cyber. Known for his work in offense-oriented network security, McGrew specializes in penetration testing, vulnerability analysis, reverse engineering of malicious software and network traffic analysis. He is the author of penetration testing and forensic tools used by many practitioners and is a frequent presenter at DEF CON and Black Hat USA. You can email him at

HORNE Cyber provides offense-oriented cybersecurity services for clients in the areas of digital forensics and incident response, advanced penetration testing, strategic advisory, ERP services, regulatory compliance and IT assurance. HORNE Cyber is a wholly owned subsidiary of HORNE LLP, an accounting and advisory firm. The Threat Runner product (found at is managed out of Nashville and supported by offices across the mid-Atlantic and Southeast. For more information on HORNE Cyber, visit