News & Resources

Publications & Media

CISA Issues Guidance on Heightened Health Care Cybersecurity Threats Amid COVID-19

Health & Life Sciences Meghan O’Connor, Sarah Erdmann

Scientist Protecting Data Via Encryption App

As we all prepare to bid 2020 farewell, there are some things that we will not be leaving behind as we enter 2021 – like our best cybersecurity practices, which remain critically important in light of the continuing cybersecurity challenges during the COVID-19 pandemic and expected challenges as vaccine distribution is underway. The health care industry and public health sector will remain an attractive target for cybercriminals in the new year.

This week, the U.S. Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) released guidance and best practice recommendations related to maintaining effective cybersecurity as the COVID-19 pandemic continues. CISA noted that disruptive ransomware and other malicious cyberattacks significantly reduce patient care and can contribute to patient mortality.

Specifically, HHS and CISA provided two infographics based on key cybersecurity insights: (1) COVID-19 Cyber Security Impacts and (2) Cybersecurity Challenges to Healthcare Sector- Independent Of and Due To COVID-19. Both infographics provide a summary of how cybercriminals are exploiting vulnerabilities in the health care sector, particularly during the COVID-19 pandemic. For example, HHS and CISA report that since January 2020, 35,364 takedown notices have been issued for malicious COVID-19 websites, and Google reported in April 2020 that it blocked 18 million daily malware and phishing emails. These, and other examples outlined by CISA, provide context for just how common cybersecurity threats are.

CISA also provided a list of cybersecurity challenges that the health care industry faces, including a rapidly growing (and evolving) technical landscape, overworked and undertrained staff, competing operational priorities, inconsistent cyber hygiene, budgetary constraints, highly valuable target data, rapid shift to entirely remote work to limit spread of disease, etc. We recommend entities in the health care industry use this list as an internal "checklist" for data security and incident response programs, including to identify areas that may be a high vulnerability area and where it may be most beneficial to direct additional resources and efforts to improving cybersecurity safeguards. HHS and CISA also provide the following recommended steps toward securing data and infrastructure:

  • Implement regular network scanning and patching cycles.
  • Leverage email banners, user training, and other tools to reduce risk of phishing.
  • Develop and practice incident response plans in a remote environment, including data backup and recovery.
  • Modernize technologies where feasible—and segment those end-of-life technologies that cannot be modernized. IT modernization through removal of End of Life (EOL) systems and devices will help reduce the risk of introducing permanent vulnerabilities into networks.

For additional questions on this legal alert or on your data privacy and security program generally, contact your Quarles & Brady attorney or: