A joint Alert from the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the U.K.’s National Cyber Security Centre (NCSC) warns of new cyber attacks targeting COVID-19-related information.
Notably, these attacks succeed when system users have weak or common passwords. NCSC published frequently found passwords here, many of which are used by cyber criminals to gain access networks that contain sensitive research and health care information. The Alert warns that cyber criminals have been using “password spraying”, a style of attack in which the attacker tries a common password across many user accounts one time, before moving on to another common password. By switching among common passwords, the attacker avoids account lockouts.
The HIPAA Security Rules require covered entities and business associates to “protect against any reasonably anticipated threats or hazards to the security” of protected health information and to implement “security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level” needed to protect against threats. While workforce training on password management is “addressable”, rather than “required” under the Security Rules, covered entities, business associates and any other entities that maintain COVID-19-related information would be smart to remind users to pick strong passwords. How about “SkunkSprayStinksStealsSensitiveData2!?”