Hackers are targeting the COVID-19 response and putting lives at risk
The COVID-19 pandemic is threatening the health of citizens and the economy, which has already put much strain on national infrastructure and society. However, urgent national security vulnerabilities exist that we are not prepared for and that are undermining our ability to respond to pandemics. Recently the U.S. Computer Emergency Readiness Team alerted the public that cyberattacks are happening to organizations involved in the COVID-19 response.
Unfortunately, the machines and infrastructure critical to diagnosing and treating patients with COVID-19 infections are extraordinarily vulnerable to cybersecurity threats. While these attacks confirm that this crisis is an opportunity for adversaries, we fear that they are only a taste of what is to come.
Hackers could easily cripple our hospitals and other healthcare responders. Now is the time for the U.S. government and industry to address this critical national security vulnerability. Fortunately, with some focus and coordination, there is a viable path forward.
Cyberattack vulnerabilities within health and biomedical infrastructure is not a new threat.
Reports by Bloomberg and Reuters have described earlier cyberattacks that targeted the U.S. Department of Health and Human Services and the World Health Organization. These attacks seem to have involved relatively crude methods centering on denial of service and a coordinated misinformation campaign through fake texts, websites, and social media posts. The ostensive goal being to sow public panic and erode public trust in our own institutions.
In June 2017, a ransomware named NotPetya caused an estimated $1.3 billion in losses at the American pharmaceutical company Merck & Co. The same vulnerabilities that affected Merck are ubiquitous across the healthcare and biomedical research enterprise.
Continuing to ignore these vulnerabilities will undermine pandemic response activities and the ongoing health security of our nation.
We can no longer reasonably cast these cyberthreats off as some far-fetched theory or only the remit of the most sophisticated actors. The tools and approaches needed to cripple our healthcare infrastructure are available and have been honed in previous attacks against the power grid, petrochemical plants, laboratory instrumentation companies and hospitals.
The medical IT infrastructure is highly vulnerable — from laboratory instrumentation, diagnostics equipment such as MRI and X-ray machines, to hospital networks. This critical infrastructure relies on software that was designed before cybersecurity was an understood concern, leaving it woefully vulnerable to attack. Imagine testing laboratories being shut down or treatment-critical machines — including ventilators — malfunctioning. Furthermore, attackers can target drug manufacturers and disrupt our ability to effectively and securely manufacture vaccine doses vital to a response effort.
The direct and indirect effects would be detrimental at a national scale, even deadly.
These are not a few spurious vulnerabilities, but a system-wide failure to take cybersecurity seriously — with no means to even tell when most attacks are happening. We have to act now, for the sake of our citizens’ well-being.
Government and industry together can bring about a solution.
We must bring together government and industry to systematically assess and remediate the software vulnerabilities pervasive in our national biomedical infrastructure. We must create minimum cybersecurity standards for all biomedical equipment, including laboratory and vaccine manufacturing instrumentation. In the last two years, the FDA and Department of Homeland Security have increasingly engaged with the cybersecurity community, and such efforts should be broadened to include other biomedical infrastructure instrumentation and software, in particular those critical to pandemic response.
Time has effectively run out, and we are putting ourselves at the mercy of an increasing number of attackers, who are already on the offensive.
Coordinated action to patch and monitor vulnerabilities must be implemented immediately.
We must also invest for the medium and long terms in programs that improve the security and resilience of our biomedical infrastructure. These efforts will need to consider the whole biomedical chain: from the laboratory instruments, all the way to the hospital networks.
Solutions to deter, protect, detect and adapt against these threats exist today — or could be quickly developed with existing technologies and methodologies. They are not complicated or difficult to develop and deploy. This is an area where the United States can — and should — lead on the global stage.
The ongoing cyberattacks on the COVID-19 pandemic response are a clear and present reminder that health security is a matter of National Security, one that needs to be urgently addressed.
Charles Fracchia, M.S., is the CEO of BioBright, a DARPA-funded company doing secure digital data collection and analysis for biotech and pharma companies. Follow him on Twitter @charlesfracchia
Stephanie Rogers, Ph.D., is vice president of operations at IQT Labs (@IQTLabs).
Michael Stebbins, Ph.D., is the president of Science Advisors, LLC and former Assistant Director for Biotechnology at the White House Office of Science and Technology Policy. Follow him on Twitter @Stebbins
Gloss