Q&A: Protecting Public Health Cybersecurity in a Pandemic
Stanley Mierzwa, the managing assistant director of the Kean University Center for Cybersecurity and a Kean lecturer, has written extensively on cyber threats and vulnerabilities in the public health sector during the COVID-19 pandemic. His latest paper, on adding cybersecurity assessment technology to public health research efforts globally, will be published this month. On October 29, he will present at the National CyberWatch Center’s webcast on Situational & Cybersecurity Awareness for Public Health Researchers, which won the center’s 2020 Innovations in Cybersecurity Education Award.
Q. Why is the public health sector more vulnerable to cyberattacks during the COVID-19 pandemic?
Smartphones and other devices have made it easy to access technology-based healthcare solutions, which have increased in number during this time of social distancing and quarantine. Think about your own smartphone. Chances are you have an app that fits the description of a digital health solution, commonly known as mHealth (mobile health), eHealth (electronic health) and telehealth.
Also, many global public health organizations in the form of nonprofits and nongovernmental organizations (NGOs) are pursuing research activities or are involved in the response on the humanitarian relief side. The United States Agency for International Development (USAID) alone has made available over $900 million to help governments internationally in helping to respond on the ground to COVID-19.
With all of this additional activity and available resources, cyberattacks have increased. In a recent survey of cybersecurity professionals, 63% reported an increase in cyberattacks as a result of the pandemic situation. A security report from Intertrust on global mHealth apps found that out of 100 publicly available mHealth apps assessed, 71% had at least one high-level vulnerability. These vulnerabilities provide avenues for cybercriminals to take advantage. We clearly need to do better with minimizing security risks when introducing these technology solutions.
Q. What kinds of attacks are happening?
Cybercriminals and scammers are taking advantage of the situation and leveraging the COVID-19 pandemic to steal information and money. Early on in the pandemic, they quickly circulated fake Centers for Disease Control and Prevention (CDC) emails. These emails included links that would deliver malware to devices to potentially steal personal information. Pandemic threat actors also posed as or used phishing emails claiming fake cures and vaccines, fake testing kits, general financial relief and charitable contributions.
Larger intergovernmental organizations such as the World Health Organization (WHO) reported that they were receiving a dramatic uptick in the number of cyberattacks against staff and attacks targeted against the general public via scam and phishing emails. Other larger NGOs have been targeted throughout the pandemic, including Mercy Corps and the International Red Cross and Red Crescent Societies, with an increase in cyberattacks.
Q. What can we do to protect ourselves?
The more we involve and integrate technology tools into our daily lives, the more there is a potential for cyberattacks. All of us are being asked to utilize or download apps, use web-based tools to complete surveys and stay in touch with public health and medical community information, and receive virtual health assessments. I am not suggesting we cease this activity altogether, but we need to be more aware of potential threats and scams. I’ve gotten in the habit of minimizing the number of apps installed on my devices to those that are most necessary, in the interest of reducing the possibility of cyber threats.
We maintain a webpage on our Center for Cybersecurity website dedicated to updated resources and information about threats, including threats related to the COVID-19 pandemic.
Q. The Kean Center for Cybersecurity has a seven-step protection process for organizations in the public health sector relying on technology. What is your approach?
Through continued interest and development, members of our Kean University Center for Cybersecurity have proposed a framework that can be followed for a step-by-step process in performing cybersecurity risk assessments in global public health efforts involving technology. It is a targeted approach that goes through the lifecycle of technology development; includes all key stakeholders, not just information technology personnel; looks at both the protection of people and assets as well as the delivery of services; and then takes a systematic approach to addressing any concerns.
Q. What do you see going forward?
Given the ongoing COVID-19 global public health challenge, the public health research community and the general public need to be aware that cybercriminals will continue to discover new tactics to take advantage of the situation. Being aware of cybersecurity alerts is crucial, and public health organizations need to invest to mitigate risks that can emerge when implementing or using digital health solutions.
As I like to say to Kean University students in my cybersecurity courses, “Think more critically about cybersecurity in your daily life through greater situational awareness.”