The outbreak of the COVID-19 pandemic changed our lives drastically, affecting our health systems, our economy and our daily interactions. But in addition to these persistent threats, the virus created an environment in which cybercriminals thrive.
While some leading cybercrime groups – such as the DoppelPaymer and the Maze cybercrime groups – seem to have promised not to attack health and medical organisations during the COVID-19 crisis, many cybercriminals have been quick to benefit from the current crisis.
According to Europol’s report “Pandemic profiteering: how criminals exploit the COVID-19 crisis”, the number of cyberattacks against organisations and individuals is significant and is expected to increase.
Cybercriminals swiftly took advantage of the increasing amount of time that people spend online and the increasing number of employees that telework due to extensive quarantine measures imposed by EU Member States to prevent the spread of the COVID-19 virus. They have used this crisis to carry out social engineering attacks, namely phishing emails through spam campaigns and more targeted attempts such as business email compromise (BEC).
Meanwhile, more and more hospitals, research hubs and medical centres are being targeted by cyberattacks. The vast majority of these attacks are either (a) ransomware attacks, which encrypt all files on an organisation’s systems and demand a large ransom fee to restore and unlock the files, or (b) DDoS attacks, which make an organisation’s systems unavailable by overwhelming them with traffic from multiple sources.
Recent examples are the ransomware attack on the systems of the University Hospital of Brno in the Czech Republic – a major COVID-19 testing hub – the DDoS attack on the systems of the US Department of Health and Human Services, and the failed DDoS attack on a group of hospitals in Paris.
Considering that the number of cyberattacks is expected to increase further, it goes without saying that organisations must be well prepared for them.
Therefore, make sure that your organisation is ready to act swiftly and correctly once a cyberattack occurs. Your organisation must at least implement:
In addition, if a cyberattack occurs, you must simultaneously comply with numerous legal and contractual incident reporting obligations, which may require you to notify the same incident to several authorities and/or third parties.
A breach of security may trigger the incident notification obligations introduced by the NIS Directive and its implementing legislation in the EU Member States, in particular in the Member States that are relevant for your organisation’s business.
The aim of these obligations is to boost the overall level of cybersecurity in the EU. Hence, certain service providers must notify the competent authority or the Computer Security Incident Response Team (CSIRT) of a security incident without undue delay.
This is in particular the case for:
Whenever a security breach has led to a personal data breach, the notification obligations of the GDPR may apply. A personal data breach is defined as the accidental or unlawful destruction, loss or alteration of, unauthorised disclosure of, or access to, personal data that is processed.
To the extent that you are a controller, you must notify:
To the extent that you are a processor, you must notify your controller without undue delay.
Our team has created a cybersecurity series:
Do you need immediate assistance? Call our cybersecurity hotline.