Managing Cyber Risk for Research and Higher Education Institutions During COVID-19 Pandemic
Research Institutions & Higher Education Data Privacy & Cybersecurity Article Series 04/28/20 Meghan C. O'Connor, Stephen J. Gardner, Sarah A. Erdmann
With the attention on COVID-19 prevention, treatment and research, as well as remote work and remote learning, research and higher education institutions are at the forefront of almost every aspect of testing, treatment, research, and education relating to the COVID-19 pandemic, both in the public sector and in managing their own internal efforts. Having rapidly migrated to remote learning and operations with an increased remote workforce, institutions are addressing these unique security and privacy risks (as discussed in more detail in Part One of this series). In addition, one of the areas of ongoing research at universities and other research centers is COVID-19, and that research often involves partnering with hospitals and academic medical centers, private biotech companies, and other research institutions.
A number of risk factors surround this work from a privacy and security standpoint: a remote workforce, the urgency of COVID-19 clinical testing, care and research (e.g., testing, acute care, and telemedicine), a typical "collaborative" and "open" attitude toward research that always accompanies academic research, reliance on existing and new service providers, and increasing COVID-19-related frauds. All of these risk factors offer a unique cross-section of heightened cybersecurity risk for research and higher education institutions during this time. For example, our firm has assisted clients in vetting potential research collaboration offers and technology transactions that had indicators of fraud, ultimately proven to not be legitimate, or were not what they initially seemed.
Universities and other research centers can take steps now to remain proactive, manage risk, and keep cybersecurity programs functioning during this time:
- Understand Increased COVID-19-Related Threats and Risk
- Practice Good Security Hygiene and Focus on Employee Engagement
- Streamline Access to Information from Reliable Sources
- Manage Vendor Risk
- Monitor and Evolve Administrative, Physical, and Technical Safeguards to Support Business Continuity and Future Needs
Understand Increased COVID-19-Related Threats and Risk
Increased threats come from a variety of sources, including phishing campaigns, ransomware attacks, targeted attacks against the health and life sciences industry, bad actors posing as potential collaborators, licensees, government officials or public health organizations, and increased risk from a remote workforce. Threat actors play on public fears and viral news stories to trick individuals into providing sensitive information, donating to fraudulent charities, or inadvertently spreading malicious software disguised as important news alerts, COVID-19 monitoring, or pleas for donations. For example, with every news item regarding potential breakthroughs in new treatments or diagnoses, bad actors play upon those news items through new targeted or broad phishing campaigns that seem to include legitimate and topical information.
Earlier this month, HHS Office for Civil Rights (OCR), the U.S. Department of Homeland Security (DHS), and the United Kingdom’s National Cyber Security Centre (NCSC) also issued an alert summarizing attacks being used to exploit COVID-19:
- Advanced persistent threat (APT) groups are masquerading as trusted entities, like the government impersonators described here or CDC or WHO representatives, to send COVID-19-related phishing messages. These cybercriminals may be using “coronavirus” or “COVID-19” in the subject line of an email or even register new domain names containing words related to coronavirus or COVID-19 to prey on individual’s curiosity and concern about the pandemic.
- These phishing attempts are being sent via email but also text messages (SMS) and through malicious applications, e.g., a malicious Android app that states it can provide a real-time coronavirus outbreak tracker but instead tricks the user into providing administrative access to install “CovidLock” ransomware on the device.
- Cybercriminals are deploying a variety of ransomware and other malware, in most cases using an email that persuades the victim to open an attachment or download a malicious file from a linked website. Upon opening, the malware is executed, compromising the individual’s device.
- Since many organizations have moved their workforce to teleworking, new networks—VPNs and IT infrastructure—are being used, which have led cybercriminals to exploit vulnerabilities of remote working tools and software. For example, attackers have been able to hijack teleconferences that have been set up without security controls (e.g., passwords) or with unpatched versions of the communications platform software.
As noted in Part One of this series, relatively untrained or inexperienced employees and contractors are now accessing data and systems remotely using unsecure internet connections and external IP addresses. Along with this increased remote workforce comes increased additional access points to your institution, and identifying inappropriate access becomes harder.
Jonathan Krebs reported in March that cybercriminals have been disseminating websites and emails designed to look like the Johns Hopkins University’s interactive COVID-19 dashboard. These links contain accurate information, but credential-harvesting malware is embedded in a download required for access. Johns Hopkins University released a statement noting that the map on the University’s website is safe to use.
Microsoft issued a warning to health care entities in particular of the increased risk to the industry from threat actors taking advantage of the COVID-19 pandemic with ransomware attacks. According to Microsoft, “[D]uring this time of crisis, as organizations have moved to a remote workforce, ransomware operators have found a practical target: network devices like gateway and virtual private network (VPN) appliances. Unfortunately, one sector that’s particularly exposed to these attacks is healthcare.”
The HHS OCR, DHS, and NCSC alerts make clear that cybercriminals are targeting individuals, small and medium enterprises, and large organizations—no one is immune.
Despite the heightened risk of cyber exposure, institutions can take proactive steps to check the efficacy of their cybersecurity programs and implement mitigation steps to manage risk.
Practice Good Security Hygiene and Focus on Employee Engagement
Vigilance, diligence, and basic security hygiene in your workforce training materials are effective ways to manage cyber risk. A distracted and stressed workforce is less likely to employ appropriate vigilance. Now is a time to focus on employee engagement, as they implement your cybersecurity program on a daily basis. This is a prime opportunity to remind your faculty, clinicians, employees and contractors of appropriate precautions and diligence, including:
- Understand how to spot social engineering and phishing attacks, including well-crafted and sophisticated messages and spoofed emails. Consider the following in assessing the email’s validity:
- Authority – Is the sender claiming to be from someone official (e.g., your bank or doctor, a lawyer, a government agency)? Criminals often pretend to be important people or organizations to trick you into doing what they want. Be wary of generic greetings and senders you do not know.
- Urgency – Are you told you have a limited time to respond (e.g., in 24 hours or immediately)? Criminals often threaten you with fines or other negative consequences. In our experience, bad actors have even tried proposing urgent in-person meetings or data sharing toward setting up a new research collaboration, using legitimate sounding technical information about a new technology.
- Emotion – Does the message make you panic, fearful, hopeful, or curious? Criminals often use threatening language, make false claims of support, or attempt to tease you into wanting to find out more.
- Scarcity – Is the message offering something in short supply (e.g., concert tickets, money, or a cure for medical conditions)? Fear of missing out on a good deal or opportunity can make you respond quickly.
- Understand appropriate responses to unsolicited emails:
- Do not open attachments in unsolicited emails (for more, review U.S. Department of Homeland Security Cyber and Infrastructure Security Agency (CISA) guidance on email attachments).
- Do not click on links in unsolicited emails.
- Do not provide personal or financial information in response to an online solicitation or unsolicited email.
- Limit internal confusion and efficacy of spoofed emails with communication to employees about how the IT department and institutional leadership will and will not communicate with remote employees (e.g., user emails requesting credentials, wire card transfer requests, etc.).
- Identify central points of contact for requesting wire transfers, check requests, etc. to limit internal confusion.
- Use trusted sources like legitimate government websites for COVID-19 information.
- Do not donate to charities without verifying authenticity (review Federal Trade Commission guidance on charity scams).
- Do not download unauthorized or unsupported software on institution or personal devices used to work from home.
- Update software and settings of home devices used for remote work (e.g., updating home Wi-Fi routers to the latest firmware and using strong Wi-Fi passwords).
Streamline Communication from Reliable Sources
Individuals and institutions should remain vigilant and regularly review guidance and alerts published by trusted sources. Especially in the case of faculty and academic researchers who are accustomed to free collaboration and the exchange of ideas to promote scientific advancement, easily digestible reminders are key.
With non-centralized functions, institutions should also develop an enterprise strategy and decision-making protocol in order to provide consistent messages to employees and contractors. Institutions should use this opportunity to send consistent updates to employees and contractors with identified or common cybersecurity questions or any new changes from standard operations (e.g., downloading from the network, print from home, secure communication platforms).
If possible, an internal landing page with reliable and updated information (e.g., correct contact information and links to a resource enter) should also be made available to avoid employees and contractors turning to unreliable websites for COVID-19 updates.
Manage Vendor Risk
With a shift to an increased remote workforce, institutions also become increasingly reliant on vendors and service providers, including IT software and services. Vendors are critical to an institution’s cybersecurity program, as they can help reduce risk and/or increase security incident liability. Now is an appropriate time to review short- and long-term needs with these service providers.
Confirm which service providers are key to your institution's continuity, emergency operations, and incident management plans. Consider the vendors that host critical data, including any patient, research, and employee data. When considering redundancies and backup capabilities, consider whether vendors provide appropriate reliability and which service providers support critical functions.
Service providers may not be able to maintain standard operations in the current environment (e.g., vendors’ ability to meet response time SLAs, maintain all data access to on-site at their facilities, potential use of new subcontractors). Institutions should work with key service providers to ensure access to critical services can continue in accordance with legally required security standards and allow for the health and safety of workforce members. This will require coordination and may require evolving standards as the situation unfolds.
Review contractual terms with key vendors. Some of these contracts may have automatically renewed without adequate or industry standard privacy and cybersecurity terms or insurance terms. Consider whether contractual updates are appropriate to limit the vendor’s access to institution data, strengthen security safeguards or notification obligations, or adjust SLAs to support current needs.
Institutions are also engaging new vendors to support new needs in the current environment. While contract negotiation is abbreviated, security diligence should not be ignored, particularly if new vendors will access mission critical or high risk systems or data (e.g., COVID-19 patient or high profile research data).
Monitor and Evolve Administrative, Physical, and Technical Safeguards
Pay attention to legal requirements for administrative, physical, and technical safeguards and industry standards, including key safeguards to support the institution in the current environment:
- Security monitoring solutions may indicate increased false positives as employees and contractors access institution systems remotely. Institutions may see an increased demand for additional security support to monitor, filter, and respond to false positives and actual incidents. Remain particularly vigilant in monitoring unauthorized access and exfiltration hidden among increased employee activities.
- Review role-based access and user authentication to ensure current designations are appropriate or update as necessary to limit access to appropriate authorized employees.
- Enable multi-factor authentication (MFA) and remind remote employees of the importance of MFA.
- Maintain robust encryption (at motion and at rest) and educate employees regarding secure email options via VPN.
- Remain up to date on patches, updates, and security fixes but remain cognizant of timing of releases to disrupt work as little as possible.
- Additional safeguards are outlined in Part One of this series.
In addition to technical safeguards, it is likely that standard administrative safeguards and policies are not fully appropriate for the COVID-19 pandemic. This is an opportunity to review and revise policies, risk management strategies, and historical tabletop exercises to consider priority updates to support incident response capabilities. Consider drafting a temporary COVID-19 policy outlining exceptions to usual and customary practices (e.g., remote access, transmission of data, print at home) and confirming that applicable legal requirements (e.g., HIPAA, PCI DSS, state law, CCPA) are still met.
Take note of what is working and not working so you can build appropriate updates into your cybersecurity and institution's continuity program going forward. Also consider whether existing insurance coverage is adequate for changes you are making to address the pandemic response.
More Articles Upcoming in this Series
As the COVID-19 situation continues to unfold, Quarles & Brady will continue to monitor data privacy and cybersecurity considerations and opportunities for research and higher education institutions and provide additional guidance in future articles.
For questions on best practices to enhance existing privacy and cybersecurity remote work policies and procedures, contact your Quarles & Brady attorney, or: