Healthcare and Cybersecurity During the Pandemic

Hospitals, along with other care and research facilities, are at the forefront of the global effort to fight COVID-19. As the Red Cross warned the U.N., “If hospitals cannot provide life-saving treatment in the middle of a health crisis […], whole communities will suffer.”

Unfortunately, while it was hoped that the critical healthcare sector would be spared by cybercriminals, that has not been the case. The pandemic has instead seen a steep rise in cyberattacks on the healthcare sector. And unlike with other industries, there isn’t the option for most healthcare employees to work remotely from home.

Why is healthcare at high risk?

  • Stressed infrastructure: Healthcare IT infrastructure is often complex, overburdened and reliant upon legacy systems that require specialized staff to maintain.
  • Rogue devices: To accommodate COVID-19 patients, healthcare facilities had to implement off-the-shelf remote monitoring technologies (including routers, cameras and sensors), often using risky default credentials and with insufficient due diligence.
  • Untested telehealth: Healthcare institutions may have adopted remote health applications and remote monitoring equipment without proper penetration testing and verification, potentially increasing the attack surface exponentially.
  • Third-party risks: It is difficult to ensure all connected third-party vendors, suppliers, service providers, government agencies, universities and NGOs maintain the same cybersecurity standards, a weakness that attackers often exploit.
  • Overburdened staff: Healthcare staff are already overburdened, leading to lax security habits such as leaving workstations unlocked when stepping away to treat patients.

How has the pandemic increased that risk?

  • More attacks: At least 41 healthcare providers experienced ransomware attacks in the first half of 2020. One Fortune 500 healthcare organization was hit by Ryuk ransomware, which has impacted all of its U.S. sites.
  • Larger breaches: The number of records compromised in cyberattacks and data breaches is rising, according to HIPAA Journal: “Costs are also rising. An IBM study found that the average cost of a healthcare data breach stands at around $7.13 million globally and $8.6 million in the United States. This represents a 10.5% year-over-year increase.”
  • Patient casualties: One patient died in transit to another hospital, after a hospital in the city of Düsseldorf was unable to admit her because its systems had been knocked out by a cyberattack. This incident prompted a murder investigation by local authorities.
  • Hampering vaccine efforts: Vaccine research efforts have been hampered by data theft and ransomware.

What Can You Do?

While cyber-defense initiatives in Israel, the UK and worldwide are beginning to have an impact, it is still mostly up to healthcare institutions themselves to fight off this offensive. Here are some fundamental actions that could immediately improve the cybersecurity posture of your healthcare facility.

  • Increase awareness and email security: Better awareness will reduce the chances of staff downloading suspicious documents or clicking suspicious links.
  • Protect internet-facing devices: Only necessary ports should be opened to the internet. Researchers found vulnerable RDP ports increase the likelihood of a successful ransomware attack by 37%, and certain hackers are specifically stealing and selling RDP credentials on the dark web.
  • Prevent credential theft: Once inside a network, attackers spread laterally using readily available credential-stealing tools such as Mimikatz, along with aggressive password spraying and similar techniques. Robust passwords reduce the chances of these succeeding.
  • Implement endpoint security: Having an advanced endpoint security solution on all endpoints and servers is necessary for improving your healthcare organization’s cybersecurity resilience.
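The password spraying mentioned above has a simple log signature: one source address failing logons against many different accounts in a short window, as opposed to one user mistyping their own password several times. The following is an added example, not code from the original post, that runs that check over constructed sample records in a simplified "timestamp event_id user source" layout standing in for Windows Security Event ID 4625 (failed logon) entries; the field layout, thresholds and sample addresses are assumptions for the example.

```python
"""Password-spray detection over Windows failed-logon events.

Added example (not code from the original post): flags any source address that
fails logons against many distinct accounts inside a short time window, which is
the pattern of password spraying. The events are constructed sample data in a
simplified "timestamp event_id target_user source_ip" layout standing in for
Security log Event ID 4625 (failed logon) records.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 tries six accounts in 30 seconds (spray);
# 198.51.100.4 is one user mistyping a password; 192.0.2.9 touches two accounts.
SAMPLE_EVENTS = [
    "2020-11-05T08:00:01 4625 alice 203.0.113.7",
    "2020-11-05T08:00:03 4625 greg 198.51.100.4",
    "2020-11-05T08:00:07 4625 bob 203.0.113.7",
    "2020-11-05T08:00:12 4625 carol 203.0.113.7",
    "2020-11-05T08:00:19 4625 dave 203.0.113.7",
    "2020-11-05T08:00:25 4625 erin 203.0.113.7",
    "2020-11-05T08:00:31 4625 frank 203.0.113.7",
    "2020-11-05T08:00:40 4625 greg 198.51.100.4",
    "2020-11-05T08:01:10 4624 greg 198.51.100.4",  # successful logon, ignored
    "2020-11-05T08:05:00 4625 heidi 192.0.2.9",
    "2020-11-05T08:06:00 4625 ivan 192.0.2.9",
]


def parse_event(line):
    """Parse one simplified log line into a dict."""
    timestamp, event_id, user, src = line.split()
    return {
        "time": datetime.fromisoformat(timestamp),
        "event_id": int(event_id),
        "user": user.lower(),
        "src": src,
    }


def detect_password_spray(lines, window_seconds=600, min_accounts=5):
    """Return {source_ip: sorted distinct accounts} for each source whose failed
    logons cover at least `min_accounts` different accounts within the window.

    A single account failing repeatedly (a forgotten password) is not reported;
    breadth across accounts, not depth on one account, is the spray signal.
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        if event["event_id"] == 4625:
            failures[event["src"]].append(event)

    alerts = {}
    for src, events in failures.items():
        events.sort(key=lambda e: e["time"])
        flagged = set()
        start = 0
        # Slide a time window over this source's failures, oldest to newest.
        for end in range(len(events)):
            while events[end]["time"] - events[start]["time"] > window:
                start += 1
            users = {e["user"] for e in events[start:end + 1]}
            if len(users) >= min_accounts:
                flagged |= users
        if flagged:
            alerts[src] = sorted(flagged)
    return alerts


if __name__ == "__main__":
    for src, users in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"possible password spray from {src}: {len(users)} accounts {users}")
```

The thresholds are deliberately parameters: a tight window with a low account count catches fast sprays, while a long window catches the slow "one account per hour" variant that stays under lockout limits. Pair this with account lockout and multi-factor authentication on the RDP and VPN endpoints the same post warns about.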

In medicine, it’s often said that an ounce of prevention is worth a pound of cure. This is true in cybersecurity as well. Healthcare institutions are bearing the brunt of cyberattacks during the COVID-19 pandemic. Fortunately, there are steps you can take to protect your organization. For a more in-depth view on this topic, please read our executive brief, Healthcare Cybersecurity in the Pandemic.

Fake Election-related Document found spreading Malware

As the world watches for the outcome of the U.S. election and election night turns into election days, cybercriminals are riding the wave using social engineering tactics. The SonicWall Capture Labs Research team has analyzed a malicious document befittingly named “ElectionInterference” which, when opened, downloads additional malicious software.

Infection Cycle:

The file comes as a Microsoft Excel spreadsheet possibly via spam as an email attachment using the following filename:



Once executed, the victim will be instructed to enable editing and enable content.

When enabled the auto_open macro runs in the background. This is hidden within one of the sheets as seen in the screenshots below:

It then creates a directory, downloads a file from a remote server and saves it as fiskat.exe in the newly created folder:

  • C:/Temp/temp2/fiskat.exe

This new Trojan will then be executed and perform malicious activities such as gathering data from the victim’s machine. During analysis, we have observed that it created a .dat file with some encrypted data.
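The chain described above (a spreadsheet macro writing an executable to a new folder and then running it) leaves two distinct traces in endpoint telemetry: an Office process creating an executable file, and an Office process becoming the parent of a program running from outside the trusted program directories. The following is an added example, not code from the original post or from SonicWall, that implements both checks over Sysmon-style process-create (Event ID 1) and file-create (Event ID 11) records. The JSON lines are constructed sample data mirroring the post's chain; the Office install path, the trusted-root allowlist and the extension list are assumptions. The rules generalize beyond this one sample: any executable written by, or launched from an untrusted location under, Word, Excel or PowerPoint fires.

```python
"""Detecting an Office-macro-to-payload chain from endpoint telemetry.

Added example (not code from the original post or from SonicWall). Two checks
over Sysmon-style events: (1) an Office application writing an executable file,
and (2) an Office application spawning a child process from outside the trusted
program directories. Event IDs 1 (process create) and 11 (file create) follow
Sysmon's numbering; the JSON lines are constructed sample data.
"""
import json
import ntpath  # Windows path semantics regardless of the host OS

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com"}
# Roots an Office app may legitimately launch helpers from (assumed allowlist).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Constructed sample log mirroring the chain in the post: Excel writes
# C:/Temp/temp2/fiskat.exe and then launches it. The other lines are benign
# activity (Excel started by Explorer, a saved workbook, a print helper).
SAMPLE_LOG = r'''
{"EventID": 1, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 11, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "TargetFilename": "C:\\Users\\jdoe\\Documents\\budget.xlsx"}
{"EventID": 11, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "TargetFilename": "C:/Temp/temp2/fiskat.exe"}
{"EventID": 1, "Image": "C:/Temp/temp2/fiskat.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"}
{"EventID": 1, "Image": "C:\\Windows\\splwow64.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"}
'''.strip().splitlines()


def _normalize(path):
    """Lower-case and convert forward slashes so prefix checks work on either style."""
    return path.replace("/", "\\").lower()


def check_event(event):
    """Return an alert string for a suspicious event, or None."""
    event_id = event.get("EventID")
    if event_id == 11:  # file create
        creator = ntpath.basename(_normalize(event["Image"]))
        target = _normalize(event["TargetFilename"])
        if creator in OFFICE_APPS and ntpath.splitext(target)[1] in EXECUTABLE_EXTENSIONS:
            return f"office-writes-executable: {creator} wrote {event['TargetFilename']}"
    elif event_id == 1:  # process create
        parent = ntpath.basename(_normalize(event["ParentImage"]))
        image = _normalize(event["Image"])
        if parent in OFFICE_APPS and not image.startswith(TRUSTED_ROOTS):
            return f"office-spawns-untrusted-child: {parent} launched {event['Image']}"
    return None


def scan(lines):
    """Run check_event over JSON log lines; return the alerts in log order."""
    alerts = []
    for line in lines:
        if line.strip():
            alert = check_event(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Both rules are independent of the specific file name and server, which is the point: signatures such as the ones listed further down catch this sample, while the parent-child and file-write checks catch the next variant that changes its name. The trusted-root allowlist will need tuning for environments that install Office add-ins outside Program Files.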

It comes as no surprise that cybercriminals take advantage of a crisis: a growing amount of malware has been observed using the pandemic, current events such as the BLM protests, and now the U.S. presidential election as lures.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Malspam.VBA (Trojan)
  • GAV: Qbot.A (Trojan)

This threat is also detected by SonicWall Capture ATP with RTDMI and the Capture Client endpoint solutions.

Capture Client 3.5: Built for Managing Tenants

With a near-100% mobile workforce, large enterprises, MSPs and MSSPs are finding managing and protecting employee endpoints to be difficult, costly and complex. SonicWall designed Capture Client 3.5 to make multi-tenant management easier, allowing you to create and deploy new tenants through the adoption of global baseline policies, while also offering customers the flexibility to build and deploy custom policies for specific tenants.

Extensive interviews with a global base of IT administrators revealed the need to quickly create, configure and enforce global policies and compliance based on user group, device and location. Respondents also wanted us to produce effective patch and version management that would allow them to quickly see whether endpoint security products were up to date, what versions were installed, and the extent of unpatched vulnerabilities across each tenant. We were also tasked with updating the Capture Client platform to deliver timely alerts and remediation processes to ease operational costs and ensure customer service levels.

With Capture Client 3.5, we wanted to see our enterprise customers and managed services providers gain greater visibility into endpoint devices. Via a quick snapshot of the health of all tenants, administrators can instantly see infections and vulnerabilities. This reduces the need to dig down into each tenant to see each of these possible issues, making management easier. We’ve also made it easy for administrators to see which versions of Capture Client are installed across endpoints.

Digging down reveals what devices are online, what content is accessed, what is blocked, and what web pages or users cause the most alerts. This offers a great deal of useful insight, such as who has games installed, who is hitting violations of the company’s Internet usage policies, or if a certain new productivity-wasting website is impacting team performance or affecting your bandwidth.

Capture Client 3.5 also offers admins a greater degree of control through a new concept called Scope of operations. Scope allows administrators to granularly pick their context of visibility and control — not only across tenants, but also for groups within tenants, or across all their tenants for a more high-level view. This generates a number of different opportunities for multi-tenant operations:

  • Flexible version management can immediately push agents out to all tenants or roll out in batches to better control field issues.
  • When new threats are detected, administrators can quickly add new definitions to all tenants via the inheritance feature, which pulls from the global policy set by the enterprise or managed service provider.
  • As mentioned before, if a website is dominating bandwidth or impacting performance, one can amend content filtering policies on the fly across all tenants.

Here’s a quick look at how policy operations are more flexible in Capture Client 3.5:

To see if Capture Client is right for your organization, please read our solution brief, What Administrators Need to Look for When Buying an Endpoint Security Solution.

SonicWall NSM 2.1: Centralized Firewall Management Just Got Better

Recently, I published a blog introducing our fresh new SaaS-based centralized firewall manager, SonicWall Network Security Manager (NSM) version 2.0. If you haven’t yet read it, I encourage you to do so; it highlights the many powerful features you need for comprehensive firewall management.

Today, however, NSM is getting even better. We’re thrilled to announce the availability of NSM version 2.1, which adds several new enterprise management capabilities, along with various options for NSM on-premises deployment to help your SOC run with greater control and ease.

The NSM design leverages a unified code base, meaning the same management features are standard on both SaaS and on-prem NSM implementations. Your user experience will be identical. The learning curve is zero. Firewall environments are administered exactly the same way for SaaS-based NSM and the on-premises NSM command console. To fix the many ongoing firewall management challenges that customers face every day, the solution leverages a user-centric workflow approach capable of:

  • Helping admins find what they need, get to where they want to work, and complete tasks in far fewer screens and clicks
  • Onboarding new firewalls without being physically on-site
  • Managing firewall operations effortlessly, with total visibility and control
  • Reducing the number of management silos
  • Establishing consistent security measures, and more

New features offered in NSM version 2.1 add tools and capabilities for facilitating and accomplishing your essential day-to-day management tasks. Within NSM 2.1, you’ll notice a number of new capabilities, including:

  • Role-Based Access Control lets you apply the least-privilege principle by assigning a granular level of firewall management access based on a user’s role and responsibilities. You can designate users as administrators, specialist users or watchers, whichever best aligns with their roles and access permissions as defined in your internal security controls.
  • Golden Template allows you to convert a device config that is your principal config into a template that can be applied consistently across devices, device groups or tenants.
  • Approval Workflow helps you roll out sanctioned security policies through a controlled and auditable process. Once a firewall policy is configured and validated, it goes to designated stakeholders for approval before the policy is committed and deployed. The entire process conforms with change management policy and compliance regulations of enterprises, as well as federal requirements. You’ll gain confidence that the right firewall policies get pushed at the right time.
  • NSM On-Prem-specific features now include the added security of two-factor authentication (2FA) before granting access to the system console, as well as Intelligent Platform Monitoring (IPM), which monitors and alerts admins regarding the health and status of the NSM system. IPM helps you proactively remediate critical system conditions as they arise and assures the NSM runs reliably and performs optimally.
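Role-based access and an approval workflow reinforce each other: the role decides who may attempt an action, and the workflow state decides whether that action is valid right now. The following is an added example, not NSM's code or API, that models both for a firewall policy change. The three role names (watcher, specialist, administrator) come from the list above; the permission sets, the state names, the sample rule text and the separation-of-duties rule that a submitter cannot approve their own change are assumptions made for this example.

```python
"""Role-based access control plus an approval workflow for firewall policy changes.

Added example (not NSM's code or API): a minimal model of the two features
described in the post. Roles carry only the actions their duties need (least
privilege), and a policy change must pass through submit -> approve -> deploy
with the role and the current state checked at each step. The permission sets,
state names and separation-of-duties rule are assumptions for this example.
"""
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    WATCHER = "watcher"              # read-only visibility
    SPECIALIST = "specialist"        # edits and submits changes
    ADMINISTRATOR = "administrator"  # approves and deploys


# Assumed least-privilege permission sets per role.
PERMISSIONS = {
    Role.WATCHER: {"view"},
    Role.SPECIALIST: {"view", "edit", "submit"},
    Role.ADMINISTRATOR: {"view", "edit", "submit", "approve", "deploy"},
}


class State(Enum):
    DRAFT = "draft"
    PENDING_APPROVAL = "pending_approval"
    APPROVED = "approved"
    DEPLOYED = "deployed"


class AccessDenied(Exception):
    """The user's role does not include the requested action."""


class WorkflowError(Exception):
    """The action is not valid for the change's current state or actor."""


@dataclass
class User:
    name: str
    role: Role


@dataclass
class PolicyChange:
    name: str
    rules: list
    state: State = State.DRAFT
    audit: list = field(default_factory=list)  # (actor, action, resulting state)


def authorize(user, action):
    """Least-privilege check: raise unless the role grants the action."""
    if action not in PERMISSIONS[user.role]:
        raise AccessDenied(f"{user.name} ({user.role.value}) may not {action}")


def _transition(user, change, action, expected, new_state):
    """Shared step: check role, check state, move the change, log the audit entry."""
    authorize(user, action)
    if change.state is not expected:
        raise WorkflowError(f"cannot {action} a change in state {change.state.value}")
    change.state = new_state
    change.audit.append((user.name, action, new_state.value))


def submit(user, change):
    _transition(user, change, "submit", State.DRAFT, State.PENDING_APPROVAL)


def approve(user, change):
    authorize(user, "approve")
    # Assumed separation of duties: whoever submitted the change cannot approve it.
    if any(actor == user.name and action == "submit" for actor, action, _ in change.audit):
        raise WorkflowError(f"{user.name} submitted this change and cannot approve it")
    _transition(user, change, "approve", State.PENDING_APPROVAL, State.APPROVED)


def deploy(user, change):
    _transition(user, change, "deploy", State.APPROVED, State.DEPLOYED)


def attempt(action, user, change):
    """Run a workflow action; return None on success or the exception class name."""
    try:
        action(user, change)
    except (AccessDenied, WorkflowError) as exc:
        return type(exc).__name__
    return None


def run_demo():
    """Walk a constructed change through the full workflow; return its audit trail."""
    sam = User("sam", Role.SPECIALIST)
    ada = User("ada", Role.ADMINISTRATOR)
    change = PolicyChange("block-rdp-from-wan", ["deny tcp from WAN to any port 3389"])
    submit(sam, change)
    approve(ada, change)
    deploy(ada, change)
    return change.audit


if __name__ == "__main__":
    for actor, action, state in run_demo():
        print(f"{actor:>4} {action:<8} -> {state}")
```

The audit list is the piece compliance reviewers ask for: every state change records who did it, so a deployed rule can be traced back to its submitter and approver. Keeping the state check inside one `_transition` helper means a new action (for example, a rollback) cannot accidentally skip the role check.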

Flexible deployment with SaaS, virtual or IaaS options

You can deploy NSM in various ways to best suit your operation, regulatory and budgetary requirements.

For a maintenance-free experience, NSM is available as a SaaS offering hosted by SonicWall Cloud and accessible over the internet. You can scale on-demand while lowering your operational cost, as there’s no hardware and software to deploy; no maintenance schedule; no software customization, configurations or upgrades; no downtime; and no depreciation or retirement costs. All of these expenses are removed and replaced with one low, predictable yearly subscription cost.

For high-performance total system control and compliance, you can opt to deploy NSM as a virtual appliance in a private cloud (VMware, Microsoft Hyper-V or KVM) or in Microsoft Azure public cloud environments. These give you all the operational and economic benefits of virtualization, including system scalability and agility, speed of system provisioning, simple management, and cost reduction.

To learn more about NSM, visit, or contact sales for a free trial.