Senators Call for CISA and U.S. Cyber Command to Issue Healthcare-specific Cybersecurity Guidance

A bipartisan group of Senators has written to the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security and U.S. Cyber Command requesting healthcare-specific cybersecurity guidance on how to deal with coronavirus and COVID-19-related threats.

Richard Blumenthal, (D-CT), Mark Warner (D-VA), Tom Cotton (R-AR), David Perdue (R-GA), and Edward J. Markey (D-MA) penned the letter in response to the escalating cyber espionage and cybercriminal activity targeting the healthcare, public health, and research sectors during the COVID-19 pandemic.

The letter cites a report from cybersecurity firm FireEye which identified a major campaign being conducted by the Chinese hacking group, APT41, targeting the healthcare sector. The hacking group is exploiting vulnerabilities in networking equipment, cloud software and IT management tools to gain access to healthcare networks – The same systems that are now being used by telecommuting workers for providing telehealth during the pandemic. Several other threat groups with links to China have also stepped up their attacks and are using COVID-19-themed campaigns on U.S. targets.

Threat actors in Russia, Iran, and North Korea have also been conducting attacks on international health organizations and public health institutions of U.S. allies. There have also been several misinformation campaigns that have been linked to Russia, Iran, and China which are attempting to derail the response of the United States to the pandemic.

The healthcare industry was already struggling to defend against attacks from nation state hackers and cybercriminal gangs before the SARS-CoV-2 pandemic. Healthcare organizations are now stretched and stressed due to the COVID-19 pandemic and the situation is now critical. If the cyberattacks succeed, there is a major risk of disruption of the public health response.

Hospitals are dependent on electronic data such as electronic medical records, email, and their internal networks, many of which are heavily reliant on legacy equipment. Any attack that causes disruption will see resources diverted and critical time lost. Even a relatively minor attack has potential to cause major disruption. As an example, the Senators cited an attack on the Department of Health and Human Services. A relatively minor technical issue was experienced with email, but it was enough to hamper the efforts of the HHS to coordinate the federal government’s service.

Ransomware attacks that take EHRs out of action have even greater potential to cause disruption, and the consequences of these attacks can be grave. “During this moment of national crisis, the cybersecurity and digital resilience of our healthcare, public health, and research sectors are literally matters of life-or-death,” wrote the Senators.

The Senators have called for the two agencies to use the expertise and resources that have been developed to defend against these threats and to take the necessary measures to protect the healthcare industry during the coronavirus pandemic.

The Senators have requested private and public cyber threat intelligence such as indicators of compromise from attacks on the healthcare, public health, and research sectors to be broadly shared to help network defenders block the attacks. They have also requested the agencies coordinate with the HHS, Federal Trade Commission (FTC), and Federal Bureau of Investigation (FBI) to help increase awareness of cyberespionage, cybercrime, and disinformation campaigns.

The Senators have asked for the National Guard Bureau to be provided with threat assessments, resources, and additional guidance to support personnel supporting state public health departments and local emergency management agencies to ensure they have the information they need to defend critical infrastructure from cybersecurity breaches.

The agencies have been asked to consult with partners in the private healthcare, public health, and research sectors on the resources and information needed to improve defenses against attacks, such as vulnerability detection tools and threat hunting.

To counter the disinformation campaigns that are being conducted, the Senators have asked the agencies to consider issuing public statements “to put advisories on notice”, similar to the joint statement issued in relation to election interference on March 2nd.

Finally, they asked the agencies to evaluate further necessary action to defend forward to detect and deter attempts to intrude, exploit, and interfere with the healthcare, public health, and research sectors.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.