As the American health care and public health sectors continue responding to the COVID-19 pandemic, the Department of Health and Human Service’s Health Sector Cybersecurity Coordination Center (HC3) is taking a multi-pronged communications approach to securing health IT and operations across the country.
HC3 normally develops cyberattack mitigation resources and promotes cyber-forward partnerships across the medical and public health industry, but when COVID-19 resulted in heightened reliance on medical facilities and providers, there was also increased importance to secure IT across that sector, HC3 Director Greg Singleton said during Tuesday’s ATARC virtual event.
“HHS is a very large agency being faced with unprecedented cybersecurity pandemic challenges while also being asked to respond to the pandemic,” Singleton said, adding that “some of the cybersecurity challenge is information management challenges and complexity management challenges and how you need tools, you need the systems and the people in place. You also need to be able to understand your environment. You need to be able to understand your posture, your perimeter, and be able to make actionable decisions."
HHS, as well as large swaths of the American health care sector, had to pivot drastically amid the pandemic this past year. The cyberattack risk across the industry expanded significantly as parts of the HHS and health workforce moved to telework and as the medical industry brought in additional resources and personnel to address the COVID-19 response. That attack surface, in addition to COVID-19-related data to safeguard, has made the security of those assets a priority for HC3 and its partners across the health sector.
HC3 has also had to address malicious cyber activity across the COVID-19 information space online, Singleton added, making the communications and coordination about safe online activity an additional layer of work his organization has taken on.
“What we started to see was some malicious actors — they made a weaponized version of the Johns Hopkins University COVID tracker map, and they were selling that on the dark web,” Singleton said. “We sent an alert out saying, ‘Be aware of this weaponized website because you think you’re going to get information on COVID. You’re going to get information on COVID, and then you’re also going to get trick bots onto your machines.’”
Singleton added that HC3 has seen a significant uptick in the number of malicious domains themed around COVID-19 that hosted “malware clickbait,” making networks and IT assets vulnerable to cyberattacks. More recently, HC3 has also seen a rise in similar malicious cyber activities around vaccine-related information online.
“We’re seeing shifts and jumps as the actors do follow the themes of the day — anything really to get that click and be able to exploit your machine,” Singleton said.
With the country’s heavy reliance on medical facilities in the pandemic, Singleton explained that another area HC3 has had to focus on is rising cyberattacks on U.S. hospitals. In November 2020, HC3 saw a concerted effort to compromise as many as 400 hospitals across the country. HC3 launched an interagency approach to address that attempt.
“We worked with our federal partners (the FBI, CISA and others) to put out the word, get some other actions in place, and ultimately we were able to mitigate quite a bit of damage through that campaign,” Singleton said. “I will not say that too much of it is different from what was expected, but the volume intensity has increased certainly as the expectation or hopes that they can get remote workers to click on stuff has increased.”
While these communications and education campaigns will continue to be a centerpiece of HC3’s work, raising awareness around supply chain security will continue to be another area of focus for the organization as well as the rest of the federal information security space in the coming year.
“We’re going to see greater scrutiny and intense focus on supply chains and supply chain attacks and really concerted attention from the federal government, as well as I expect within the vendor community, to be looking at both their own software and the software that they’re introducing into the environment,” Singleton said.