UPDATED: HHS fends off cyberattack as it fights coronavirus
UPDATE: On Monday afternoon, HHS Spokesperson Caitlin Oakley issued the following statement:
"HHS has an IT infrastructure with risk-based security controls continuously monitored in order to detect and address cybersecurity threats and vulnerabilities. On Sunday, we became aware of a significant increase in activity on HHS cyber infrastructure and are fully operational as we actively investigate the matter. Early on while preparing and responding to COVID-19, HHS put extra protections in place. We are coordinating with federal law enforcement and remain vigilant and focused on ensuring the integrity of our IT infrastructure."
The U.S. Health and Human Services Department reportedly was targeted with a cyberattack on Sunday evening, complicating its efforts to coordinate nationwide response to the mounting coronavirus pandemic.
WHY IT MATTERS
Bloomberg news was the first to report that hack, which officials surmise was meant to hamper HHS' ability to respond to the ongoing public health crisis.
Anonymous sources told the news outlet that the cyber intrusion – which reportedly involved a sustained attack with millions of hits to the agency's servers over the course of several hours – didn't cause any substantial damage to the health agency's response capabilities, and didn't result in the exfiltration of any data.
HHS has not yet responded to a request for comment from Healthcare IT News.
Some government officials connected the cyberattack to a subsequent tweet from the National Security Council, suggesting that the hackers – potentially foreign bad actors – sought to spread misinformation among an American public already on edge about the nationwide COVD-19 outbreak.
— NSC (@WHNSC) March 16, 2020
THE LARGER TREND
HHS has a complicated history with regard to cybersecurity – both its own, and its recommendations and policy prescriptions for private-sector healthcare organizations – over the years.
In 2018, HHS found itself facing Congressional criticism related to reported lack of leadership and preparedness at its Healthcare Cybersecurity and Communications Integration Center. (HCCIC was shuttered later that year, replaced with the joint HHS-DHS Health Cybersecurity Coordination Center, or HC3.)
In 2019, the agency was taken to task by the U.S. Government Accountability Office for being slow to implement – and only partially implementing – a range of recommendations to improve its IT infrastructure and cybersecurity readiness.
Four months ago, HC3 Director Greg Singleton, speaking at the HIMSS Healthcare Security Forum, offered some insights about the active threats being tracked on the agency's radar.
ON THE RECORD
"The nation’s critical infrastructure provides the essential services – including health care – that underpin American society," said GAO officials in its March 2019 report on HHS. "The infrastructure relies extensively on computerized systems and electronic data to support its missions. However, serious cybersecurity threats to the infrastructure continue to grow and represent a significant national security challenge."
Healthcare IT News is a publication of HIMSS Media.