The Doctor’s Advocate | First Quarter 2021

Healthcare Cybersecurity During COVID-19 and Beyond: How to Protect Your Practice

Kevin Casey, JD, CIPP/US, Assistant Vice President Claims, TDC Specialty Underwriters, Part of the TDC Group

Cybercriminals are constantly refining and improving their tactics and techniques in search of ever-increasing returns. While the schemes perpetrated by cybercriminals have evolved over the years, they have consistently targeted and victimized the vulnerable healthcare industry.

Cybercrime impacts organizations of all sizes across every industry, but healthcare is the most frequent target.[1] The COVID-19 pandemic has provided additional opportunities for cybercriminals, given the shift to remote (and often less secure) work environments. The two largest threats facing the healthcare industry today are business email compromise (BEC) and cyber extortion (ransomware).

What Is Business Email Compromise?

BEC is a catchall designation for a variety of schemes that involve a threat actor gaining access to an email account. In 2014, fewer than 5,000 BEC complaints were filed with the Internet Crime Complaint Center (IC3), resulting in approximately $200 million in reported losses. In 2019, IC3 received over 22,000 BEC complaints, resulting in reported losses of $1.6 billion. Today, healthcare entities are a primary target for these types of attacks because (1) they are known to store large amounts of protected health information (PHI) and personally identifiable information (PII) that can be monetized, (2) they regularly conduct financial transactions online, and (3) they may not have sophisticated controls in place for added protection.

The structures of BEC schemes depend on the threat actor’s goal. In most cases, a threat actor is looking for immediate financial gain. A relatively straightforward scheme involves stealing PHI/PII to sell on the “dark web” or other underground criminal forums. The goal is to steal data and remain undetected.

How Threat Actors Access Your System

A BEC typically begins when an email user receives a phishing email. The phishing email may come from a legitimate user who has been compromised or from a spoofed email account or website. (Note: Spoofing involves making slight variations to a legitimate address to trick the recipient.)
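An added example, not part of the original article: one way a mail administrator could flag sender domains that are slight variations of a legitimate address, as the note above describes. The trusted domains, sample addresses, and distance threshold are constructed assumptions.

```python
import unicodedata

# Constructed sample data: domains this practice really corresponds with (assumption).
TRUSTED_DOMAINS = {"examplepractice.org", "examplebilling.com"}

# Character swaps commonly used to make a forged domain look right at a glance.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def skeleton(domain):
    """Collapse visually similar spellings to one canonical form."""
    text = unicodedata.normalize("NFKD", domain.lower())
    text = "".join(c for c in text if not unicodedata.combining(c))  # drop accents
    return text.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes, substitutions to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (verdict, matched_domain) for the domain part of a sender address."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in trusted:
        # Exact match only; a compromised legitimate account also lands here.
        return ("exact", domain)
    for good in sorted(trusted):
        # Same visual skeleton, or only a couple of typed characters apart.
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= max_distance:
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    for sender in ("manager@examplepractice.org", "manager@examp1epractice.org",
                   "billing@examplebiling.com", "news@unrelated-vendor.net"):
        print(sender, classify_sender(sender))
```

A threshold of 2 suits domains of this length; very short trusted domains need a threshold of 1 to avoid flagging unrelated senders.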

A phishing email is made to look like it comes from a trusted sender and is intended to trick a victim into providing confidential information. With BEC phishing emails, the goal is getting a victim’s login credentials. Once the threat actor has compromised an email account, options are limited only by the imagination. Threat actors will take steps to hide their activities and prevent detection for as long as possible and monitor the email account for the information they need.

Threat actors often use online resources to select their victims. Smaller medical practices with websites that identify the office manager and provide contact information are particularly inviting targets.

With the onset of the COVID-19 pandemic, healthcare entities scrambled to procure personal protective equipment (PPE) and other vital medical equipment. Threat actors took advantage of this chaos by introducing phishing campaigns that impersonated regional health authorities, provided fake vaccination information, offered purchase or delivery of PPE, and targeted employees with spoofed messages from their human resources department.[2]

Healthcare entities need to take steps to prevent BEC incidents, including nontechnical actions such as training staff and providing general information on phishing tactics. Organizations should also implement policies and procedures to verify financial transactions over a particular dollar amount and implement multifactor authentication to protect email accounts.

Theft of PHI/PII

For healthcare entities, a BEC can also be the source of a data breach. The cost of a data breach is difficult to quantify, given the lack of detailed and transparent data (despite IC3’s best efforts). Healthcare data breaches are, however, consistently recognized as the costliest type of data breach.

In one reported incident, a threat actor spoofed an email from a senior staff member at a New York rehabilitation and nursing facility. The spoofed email was sent to an employee who did not recognize the email was fraudulent. The employee believed that the email was legitimate and provided the threat actor with PHI belonging to 674 patients.[3]

Additionally, any PHI/PII stored within the email account is at risk of compromise. It is not uncommon for covered entities to unknowingly store PHI/PII belonging to many patients in a single email attachment.

While a forensic investigation may be utilized to potentially rule out a data breach, too often covered entities have not enabled the necessary settings to investigate what data was accessed. The U.S. Department of Health and Human Services requires covered entities to perform a risk assessment to determine whether there is a low probability of PHI compromise to rule out a data breach. The risk assessment must be thorough, completed in good faith, and reach conclusions that are reasonable, given the circumstances.

The Evolution of Ransomware

BEC can also be the launching point for a devastating ransomware attack that compromises a business’s computer network. The attacker then encrypts data on the network, and the encrypted data are unusable and unrecoverable until the victim pays a ransom to get the decryption key.

Ransomware has long plagued the healthcare industry, but recent developments in ransomware sophistication and tactics are concerning. In 2019, 966 U.S. entities publicly reported they were impacted by ransomware at a cost in excess of $7.5 billion.[4] The reports undoubtedly underestimate the number of victims and costs associated with the attacks, given the nefarious nature of the attacks and lack of uniform reporting. One survey of 5,000 IT professionals found that 51 percent of organizations were impacted by ransomware, and 73 percent of attacks were successful.[5]

Additionally, ransomware attacks are driving exponential growth in cybercrime; this is in large part due to new trends such as ransomware as a service (RaaS). Cyberattackers have an easy way to launch a cyber-extortion business with virtually no technical expertise required. The sophisticated attacks have driven the average ransom payment from less than $5,000 in 2018 to over $233,000 in 2020.[6]

Doxing

Prior to November 2019, the majority of ransomware attacks were focused only on encrypting data to extort a ransom payment. Now, to increase the likelihood of receiving a ransom payment, threat actors have begun exfiltrating data prior to encryption to create the threat of doxing. Doxing is the act of stealing a ransomware victim’s data and threatening to publish and/or sell it on the dark web. After gaining access to a network, threat actors exfiltrate the data and identify and delete (or encrypt) any backups before taking steps to encrypt data on the network.

As with BEC, an entity can take a number of steps to protect itself from a ransomware attack. The Cybersecurity and Infrastructure Security Agency’s Alert (AA20-302A), “Ransomware Activity Targeting the Healthcare and Public Health Sector,” recommends the following steps:

  • Patch operating systems, software, and firmware as soon as manufacturers release updates.
  • Check configurations for every operating system version for healthcare organization–owned assets to prevent issues from arising that local users are unable to fix due to having local administration disabled.
  • Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.
  • Require the use of longer passphrases.
  • Use multifactor authentication where possible.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Implement application and remote access allow listing to only authorize systems to execute programs known and permitted by the established security policy.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Audit logs to ensure new accounts are legitimate.
  • Scan for open or listening ports and mediate those that are not needed.
  • Identify critical assets such as patient database servers, medical records, and telehealth and telework infrastructure; create backups of these systems; and house the backups offline from the network.
  • Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.
  • Set antivirus and antimalware solutions to automatically update; conduct regular scans.
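An added example, not part of the original article or the CISA alert: a small audit pass that applies three of the recommendations above (auditing logs for new accounts, auditing administrative privileges, and monitoring RDP logs) to Windows Security events. The record layout, account names, and network ranges are constructed assumptions; the event IDs and logon type are the standard Windows values.

```python
import ipaddress

# Standard Windows Security log values.
ACCOUNT_CREATED = 4720        # A user account was created
ADDED_TO_LOCAL_GROUP = 4732   # A member was added to a security-enabled local group
LOGON = 4624                  # An account was successfully logged on
RDP_LOGON_TYPE = 10           # RemoteInteractive (Remote Desktop)

# Constructed assumptions: accounts with an approved request, networks allowed to use RDP.
APPROVED_NEW_ACCOUNTS = {"jsmith"}
ALLOWED_RDP_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample events in a simplified export format (keys are hypothetical).
SAMPLE_EVENTS = [
    {"time": "2021-01-11T08:02:10", "id": 4720, "target": "jsmith"},
    {"time": "2021-01-12T02:14:55", "id": 4720, "target": "svc_backup2"},
    {"time": "2021-01-12T02:15:30", "id": 4732, "target": "svc_backup2", "group": "Administrators"},
    {"time": "2021-01-12T02:20:01", "id": 4624, "logon_type": 10,
     "target": "svc_backup2", "source_ip": "203.0.113.45"},
    {"time": "2021-01-12T09:00:00", "id": 4624, "logon_type": 10,
     "target": "jsmith", "source_ip": "10.20.0.17"},
    {"time": "2021-01-12T09:05:00", "id": 4624, "logon_type": 2, "target": "frontdesk", "source_ip": "-"},
]


def audit(events, approved=APPROVED_NEW_ACCOUNTS, rdp_networks=ALLOWED_RDP_NETWORKS):
    """Return (time, finding, detail) tuples for events that need human review."""
    findings = []
    for e in events:
        if e["id"] == ACCOUNT_CREATED and e["target"] not in approved:
            findings.append((e["time"], "unapproved-account", e["target"]))
        elif e["id"] == ADDED_TO_LOCAL_GROUP and e.get("group") == "Administrators":
            findings.append((e["time"], "admin-grant", e["target"]))
        elif e["id"] == LOGON and e.get("logon_type") == RDP_LOGON_TYPE:
            try:
                ip = ipaddress.ip_address(e.get("source_ip", ""))
            except ValueError:
                ip = None  # missing or malformed source address is itself worth review
            if ip is None or not any(ip in net for net in rdp_networks):
                detail = f"{e['target']} from {e.get('source_ip')}"
                findings.append((e["time"], "rdp-from-unlisted-network", detail))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print(finding)
```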

Conclusion

The government has dramatically increased its involvement, support, and enforcement of data protection rules as a result of the increasingly complex cyber threats facing the healthcare industry. It is, however, ultimately the responsibility of each organization to protect itself. Healthcare organizations must not only acknowledge that they are being targeted, but they must also take meaningful steps to prepare for and respond to a cyber incident. Cybercriminals will continue to adapt their techniques to evade detection and stay ahead of law enforcement. In turn, the healthcare industry must also adapt and evolve.


References

  1. NetDiligence. Cyber claims study: 2020 report. https://netdiligence.com/cyber-claims-study-2020-report/
  2. FBI warns of advance fee and BEC schemes related to procurement of PPE and other supplies during COVID-19 pandemic [press release]. Washington, DC: FBI National Press Office; April 13, 2020. https://www.fbi.gov/news/pressrel/press-releases/fbi-warns-of-advance-fee-and-bec-schemes-related-to-procurement-of-ppe-and-other-supplies-during-covid-19-pandemic
  3. Coble S. Fake exec tricks New York City medical center into sharing patient info. Infosecurity Magazine. January 30, 2020. https://www.infosecurity-magazine.com/news/fake-exec-tricks-new-york-city/
  4. The state of ransomware in the US: report and statistics 2019. Emsisoft Malware Lab. Posted December 12, 2019. https://blog.emsisoft.com/en/34822/the-state-of-ransomware-in-the-us-report-and-statistics-2019/
  5. Sophos. The state of ransomware 2020. Published May 17, 2020. https://www.sophos.com/en-us/medialibrary/Gated-Assets/white-papers/sophos-the-state-of-ransomware-2020-wp.pdf
  6. Ransomware demands continue to rise as data exfiltration becomes common, and Maze subdues. Coveware. Posted November 4, 2020. https://www.coveware.com/blog/q3-2020-ransomware-marketplace-report

The Doctor’s Advocate is published by The Doctors Company to advise and inform its members about loss prevention and insurance issues.

The guidelines suggested in this newsletter are not rules, do not constitute legal advice, and do not ensure a successful outcome. They attempt to define principles of practice for providing appropriate care. The principles are not inclusive of all proper methods of care nor exclusive of other methods reasonably directed at obtaining the same results.

The ultimate decision regarding the appropriateness of any treatment must be made by each healthcare provider considering the circumstances of the individual situation and in accordance with the laws of the jurisdiction in which the care is rendered.

The Doctor’s Advocate is published quarterly by Corporate Communications, The Doctors Company. Letters and articles, to be edited and published at the editor’s discretion, are welcome. The views expressed are those of the letter writer and do not necessarily reflect the opinion or official policy of The Doctors Company. Please sign your letters, and address them to the editor.