On May 21, the Federal Bureau of Investigation’s (FBI’s) Cyber Division released an FBI Flash warning recipients that nation-state cyber actors are targeting domestic universities, research institutes and private companies conducting COVID-19 related research.1 This is not the first of such warnings. On May 13, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a public service announcement regarding the People’s Republic of China targeting COVID-19 research organizations. On May 5, the Department of Homeland Security, CISA and the United Kingdom’s National Cyber Security Centre issued a joint alert that advanced persistent threat groups are actively targeting organizations involved in both national and international COVID-19 responses, including health care bodies, pharmaceutical companies and medical research organizations.
The U.S. medical and pharmaceutical industries have long been targets of cyber espionage, but the current health crisis substantially raises the threat for a variety of reasons. The most obvious reason is the value of COVID-19 related research, whether related to a vaccine or otherwise. Last month, President Trump used the threat of such espionage to prohibit Chinese graduate students from attending U.S. research institutions.2 Less obvious is the risk that companies may let their guard down during these unprecedented times. Remote working conditions often create weak links in security, and time constraints may put security concerns on the backburner while more pressing matters take priority. The inability to properly train employees in a work-from-home environment also is a risk.
Companies may have proper security controls in place to protect their sensitive information under normal conditions, but those controls may not account for the current threat level. In the midst of COVID-19, the frequency and sophistication of threats are greater than usual. The types of protection that the current working environment requires may be different or higher than normal. The individuals responsible for implementing and overseeing the security controls may not be as vigilant as under normal conditions. All these factors may require companies to review their security protocols and ensure that they are adequately protected against the current threat level. In fact, we have recently published two articles alerting clients to the risk of heightened scams during the COVID-19 pandemic.3
On May 16, the Healthcare and Public Health Sector Coordinating Council released a white paper advising the health care industry of the risks of a security breach and recommending a framework for implementing proper security controls, including both passive and active measures. It recommends a comprehensive five-step process as follows:
-
continuously identify the sensitive information that requires protection
-
implement an “asset management program”
-
use active “asset discovery and information classification tools”
-
-
assign and periodically update the value and ownership of the sensitive information
-
establish comprehensive compliance requirements
- ...
