Health groups vulnerable to cyberattacks as coronavirus crisis ramps up

Hackers are zeroing in on government health agencies and hospitals, who are already struggling to keep pace with the coronavirus pandemic, as a way to make money and cause disruptions in the midst of a global crisis.

These concerns were highlighted Monday when Bloomberg News reported that the Department of Health and Human Services (HHS), one of the agencies on the front lines of the outbreak, had been breached by hackers. 

A spokesperson for HHS subsequently told The Hill that the agency “became aware of a significant increase in activity on HHS cyber infrastructure and are fully operational as we actively investigate the matter.” 

HHS Secretary Alex Azar played down the incident further, saying at a White House press conference on Monday that there was “no penetration into our networks” and “no degradation of our ability to function or serve our important mission here.”

HHS has not been alone in facing a potential breach as concerns around the spread of the coronavirus ramped up.

Last week, the Champaign-Urbana Public Health District in Illinois had its website taken down by hackers. While officials were able to reboot the website by Friday, the disruption made it difficult to provide accurate information to around 200,000 in the district.

Outside the U.S., the second-largest hospital in the Czech Republic, which is responsible for running tests for coronavirus, was hit by a cyberattack last week that according to CyberScoop took out some computer systems and delayed operations. 

Both the district health agency and the hospital were hit by ransomware attacks, a type of intrusion in which hackers lock up a system and demand payment to give the user access again, though with no guarantee they will get their data back. 

These types of attacks have been increasingly rampant across the U.S. over the past year, crippling local governments including Baltimore and New Orleans, along with school districts and public libraries. But they can be particularly pernicious for hospitals, where unlocking a network can mean the difference between life and death for patients in some situations, making healthcare groups a tempting target for hackers. 

John Riggi, the senior advisor for cybersecurity and risk at the American Hospital Association (AHA) – a group that represents more than 5,000 healthcare groups – told The Hill that he was “very concerned” about the potential for hackers to take advantage of the coronavirus crisis to target desperate healthcare centers. 

“Ransomware attacks definitely could pose a potential threat to public health and safety and interrupt care delivery and patient care operations,” Riggi said. “A ransomware attack on a hospital is a direct threat to health and safety.”

Riggi, who spent 30 years at the FBI prior to his current role, noted that previous attacks on hospitals have led to elective surgeries being canceled and ambulances rerouted to other hospitals. He emphasized that an attack like this during the coronavirus crisis would “cross the line” from an economic crime to one that threatened public safety. 

“I think the government can do a lot in terms of actually focusing more attention on the cyber attackers and disrupting them overseas,” Riggi said. 

Sen. Mark Warner (D-Va.) is one member of the government that has taken notice of concerns around vulnerabilities at hospitals and other healthcare centers. In 2019, Warner sent letters to health groups including the AHA asking what more the federal government could do to reduce cyberattacks. 

“As I emphasized in a series of letters to federal regulators and industry associations last year, I have had grave concerns with the cybersecurity posture of the health care sector for some time now,” Warner told The Hill on Monday.

Warner, who serves as vice chairman of the Senate Intelligence Committee, noted that he was worried the coronavirus crisis would “magnify” these threats.

“While we’ve seen the sector make some strides in recent months, we’re still operating from a unnecessarily low security baseline compared to other critical infrastructure sectors and I fear any weaknesses could be magnified during a crisis such as this,” Warner said.

The threats are worse for smaller hospitals in rural areas, many of which have closed in recent years and leaving the those remaining with scarce resources to address cybersecurity needs. 

“These vulnerabilities are something that rural hospitals take seriously and work to prevent them from happening,” Brock Slabach, the senior vice president for member services at the National Rural Health Association, told The Hill. 

Slabach noted that “the meager resources rural hospitals have to defend themselves against hackers makes it difficult, as evidenced by the fact that 126 rural hospitals since 2010 have closed in rural communities nationwide and 47 percent are operating at a negative margin.”

There are steps healthcare groups can take to prevent cyberattacks, particularly in light of coronavirus. 

Greg Garcia, the executive director of cybersecurity at the Health Sector Coordinating Council, told The Hill that these steps should include training employees on how to spot threats such as malicious emails with links to viruses, keeping systems updated, and encrypting patient data. 

“The health sector is aggressively monitoring system security and resiliency,” Garcia said.  

As confirmed cases of coronavirus increase in the U.S. and hospitals take in more patients, the urgency of paying attention to cyber vulnerabilities will likely be brought into sharper focus. 

Sen. Ben Sasse (R-Neb.), a member of the Senate Intelligence Committee, said in a statement Monday that cyberattacks are healthcare groups are “massive weapons to kick opponents when they’re down.”

“At a time when Americans face uncertainty and fear from coronavirus, we should expect an increase in cyberattacks and stay vigilant,” Sasse said. “There need to be consequences for these kinds of attacks. We can’t take our eye off the ball.”