As if the health care industry wasn’t dealing with enough stress and disruption right now, it’s also getting hammered with cyberattacks such as spear phishing and ransomware. Our new study found an alarming 83 per cent of Hong Kong health care organisations had already had at least one cybersecurity scare since shifting to a remote working model during the pandemic, and 67 per cent of them said their employees reported an increase in email phishing attacks.

It is not surprising that cybercriminals are targeting health care organisations, which are critical to our physical well-being and economic sustainability and recovery throughout the Covid-19 pandemic. Although some criminal groups have promised to avoid targeting health care organisations during the Covid-19 crisis, most are still willing to attack. The World Health Organization has also reported a fivefold increase in cyberattacks in April directed at its staff and email scams targeting the public at large.

The worldwide response to Covid-19 has criminals trying harder to get into networks. Any information on a possible cure or vaccine would be of great interest to private buyers and other governments. Research labs, testing facilities, hospitals and the WHO are just some of the targets we’ve seen so far.

The health care industry has been a favourite target for years because criminals have multiple ways to monetise the attack, and disruption of IT services can slow operations to a fatal pace. Criminals are betting that a ransom will be paid, especially during emergencies when normal operations require greater urgency.

Exposure of protected or personal health information (PHI) and electronic health records (EHR) can be devastating to organisations and individuals. Criminals who exfiltrate data from the organisation can then threaten to publish it if a ransom is not paid. PHI and EHR are valuable to other criminals and can be sold for a higher price than a credit card or social security number. Criminals can also keep these records for their own identity-theft schemes.

Health care may always be a target, but health care organisations don’t have to be victims. With proper systems and processes in place, companies can protect themselves against cyberattacks and mitigate the risk of a breach of highly sensitive patient data. Considering the evolving cyber threats, health care organisations must evaluate data protection strategies and implement adequate protection and controls to raise their privacy and security standards.

James Forbes-May, vice-president, Barracuda Networks Asia Pacific