Hospitals Hacked: Warner, Bipartisan Senators Urge Top Cybersecurity Officials to Protect Public Health Institutions from Foreign Adversaries and Cybercrime
Apr 21 2020
The bipartisan group of Senators wrote to the Cybersecurity and Infrastructure Security Agency (CISA) and United States Cyber Command after reports that Russia, China, Iran, North Korea, and criminal groups have launched hacking campaigns targeting the U.S. health care and medical research sectors in recent weeks. These malicious campaigns included ransomware attacks hitting hospitals, disinformation about health related to COVID-19, and spying on U.S. medical response and research.
“[O]ur country’s healthcare, public health, and research sectors are facing an unprecedented and perilous campaign of sophisticated hacking operations from state and criminal actors amid the coronavirus pandemic,” wrote the Senators in a letter to CISA Director Christopher Krebs and Cyber Command Commander Paul Nakasone. “Disinformation, disabled computers, and disrupted communications due to ransomware, denial of service attacks, and intrusions means critical lost time and diverted resources. During this moment of national crisis, the cybersecurity and digital resilience of our healthcare, public health, and research sectors are literally matters of life-or-death.”
The Senators urged the agencies to make cyber threat information public to enable better defensive efforts, as well as raise public alarm and issue statements putting adversaries on notice. The Senators also called on the agencies to provide technical assistance to help states in their cybersecurity efforts, convene stakeholders in the medical sector to make sure they have the necessary resources, and engage in deterrence actions as necessary.
The full text of the letter is available here and copied below.
Dear Mr. Krebs and General Nakasone,
We write to raise our profound concerns that our country’s healthcare, public health, and research sectors are facing an unprecedented and perilous campaign of sophisticated hacking operations from state and criminal actors amid the coronavirus pandemic. These hacking attempts pose an alarming risk of disrupting or undermining our public health response at this time of crisis. We write to urge the Cybersecurity and Infrastructure Security Agency (CISA), in coordination with United States Cyber Command, and its partners to issue guidance to the health care sector, convene stakeholders, provide technical resources, and take necessary measures to deter our adversaries in response to these threats.
In recent weeks, Russian, Chinese, Iranian, and North Korean hacking operations have targeted the health care sector and used the coronavirus as a lure in their campaigns. In March, the cyber security firm FireEye reported that a Chinese hacking group, APT41, carried out one of the broadest hacking campaigns from China in recent years, beginning at the onset of the pandemic. According to researchers, APT41 is a sophisticated Chinese state sponsored group that specializes in espionage against healthcare, high-tech, and political interests. This latest campaign sought to exploit several recent vulnerabilities in commonplace networking equipment, cloud software, and office IT management tools—the same systems that we are now more reliant on for telework and telehealth during this pandemic. Included in the new Chinese espionage campaign are the healthcare and pharmaceutical nonprofits and companies bracing to respond to the coronavirus. APT41’s campaign also appears to reflect a broader escalation from Chinese groups in recent weeks.
China is not alone in exploiting the coronavirus pandemic against our interests. Russian, Iranian, and North Korean government hackers have reportedly targeted international health organizations and the public health institutions of U.S. allies. Additionally, the State Department has identified disinformation operations from Russia, Iran, and China that sought to spread false information about coronavirus to undermine the nation’s response to the pandemic. Unless we take forceful action to deny our adversaries success and deter them from further exploiting this crisis, we will be inviting further aggression from them and others.
The cybersecurity threat to our stretched and stressed medical and public health systems should not be ignored. Prior to the pandemic, hospitals had already struggled to defend themselves against an onslaught of ransomware and data breaches. Our hospitals are dependent on electronic health records, email, and internal networks that often heavily rely on legacy equipment. Even a minor technical issue with the email services of the Department of Health and Human Services meaningfully frustrated efforts to coordinate the federal government’s service. Disinformation, disabled computers, and disrupted communications due to ransomware, denial of service attacks, and intrusions means critical lost time and diverted resources. During this moment of national crisis, the cybersecurity and digital resilience of our healthcare, public health, and research sectors are literally matters of life-or-death.
The Cybersecurity and Infrastructure Security Agency and Cyber Command are on the frontlines of our response to cybersecurity threats to our critical infrastructure. Hospitals, medical researchers, and other health institutions need the expertise and resources your agencies have developed defending against these same sophisticated threats. We urge you to take all necessary measures to protect these institutions during the coronavirus pandemic, including:
1.) Provide private and public cyber threat intelligence information, such as indicators of compromise (IOCs), on attacks against the healthcare, public health, and research sectors, including malware and ransomware.
2.) Coordinate with the Department of Health and Human Services, the Federal Trade Commission, and the Federal Bureau of Investigation on efforts to increase public awareness on cyberespionage, cybercrime, and disinformation targeting employees and consumers, especially as increased telework poses new risks to companies.
3.) Provide threat assessments, resources, and additional guidance to the National Guard Bureau to ensure that personnel supporting state public health departments and other local emergency management agencies are prepared to defend critical infrastructure from cybersecurity breaches.
4.) Convene and consult partners in the healthcare, public health, and research sectors, including its government and private healthcare councils, on what resources and information are needed to reinforce efforts to defend healthcare IT systems, such as vulnerability detection tools and threat hunting.
5.) Consider issuing public statements regarding hacking operations and disinformation related to the coronavirus for public awareness and to put adversaries on notice, similar to the joint statement on election inference issued on March 2nd.
6.) Evaluate further necessary action to defend forward in order to detect and deter attempts to intrude, exploit, and interfere with the healthcare, public health, and research sectors.
We stand ready to work with you to provide any further resources necessary in this effort. Thank you for your attention to this urgent matter.