May 11, 2020

COVID-19: Healthcare Institutions Beware!

As if healthcare institutions do not have enough to worry about!  The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) issued a joint alert warning of cyberattacks that target COVID-19 related information.

Bad actors are targeting organizations including healthcare institutions, pharmaceutical companies, academic institutions, medical research organizations, and local governments.  Bad actors are targeting these organizations likely to gather information related to COVID-19 and collect personally identifiable information, intellectual property, or intelligence on national and international healthcare policy, or acquire sensitive data on COVID-19-related research.

These attacks are working to exploit weak or common passwords.  CISA and NCSC are actively investigating large-scale password spraying campaigns conducted by bad actors.  The actors will then “spray” the identified accounts with lists of commonly used passwords.  Password spraying is a common style of brute force attack where an attacker continues to try a single, commonly used password against several accounts in an attempt to gain access before trying a second, common password on every account, and so on.  These types of attacks are common, and unfortunately successful with a large set of users when there are commonly used passwords.

To combat this technique, NCSC published commonly used passwords for companies to review here.  Bad actors will continue to exploit COVID-19 as they seek additional intelligence related to this pandemic.  Covered entities need to be vigilant and ensure that VPN clients and infrastructure is updated.  Software versions must be kept up to date and training needs to continue on a regular basis to thwart these attacks.  Multi-factor authentication is also an excellent way to attempt to prevent these bad actors from accessing accounts.  For more information on this briefing, please see 

If you have any questions, please contact Carolyn Purwin Ryan, co-chair of the firm's Cybersecurity, Privacy and Data Protection practice group, at