Getty Images/iStockphoto
NCSC: Chinese Threat Actors Targeting US Healthcare, Genomic Data
A recent NCSC alert details the massive, ongoing campaign led by Chinese threat actors to steal healthcare, genomic, and valuable data from the US and other countries.
Threat actors with ties to China are continuing to target US healthcare, genomic, and other valuable data through hacking and other malicious activities, according to a recent alert from the National Counterintelligence and Security Center.
The alert follows a CBS 60 Minutes report detailing China’s push to control US healthcare and other foreign efforts to obtain DNA data from US citizens.
Chinese efforts to hack into US systems have been going on for years, with the most recent federal alert warning that nation-state actors were exploiting device vulnerabilities to gain access to US networks.
“For years, the People’s Republic of China (PRC) has collected large healthcare data sets from the U.S. and nations around the globe, through both legal and illegal means, for purposes only it can control,” according to the NCSC alert.
“While no one begrudges a nation conducting research to improve medical treatments, the PRC’s mass collection of DNA at home has helped it carry out human rights abuses against domestic minority groups and support state surveillance,” it added. “The PRC’s collection of healthcare data from America poses equally serious risks, not only to the privacy of Americans, but also to the economic and national security of the US.”
Bulk personal data, including health and genomic data, is seen as a strategic commodity by China for its economic and national security priorities. NCSC warns that China is heavily investing in a “biotech revolution,” which is the prioritization of collecting healthcare data from its citizens and those around the world.
To accomplish this, Chinese companies have partnered with and invested in US firms that handle healthcare data and other sensitive information. As noted by NCSC, the most notorious hack accomplished by these efforts was the massive breach of Anthem in 2015.
In total, the hackers were able to steal a trove of health and personal data from more than 78.8 million patients. China has obtained further data from other entities in this manner.
The most recent example was seen in a lawsuit against the developer of fertility app Premom. Users have accused the developer of selling data collected from the app to three Chinese marketing and analytics firms.
The goal is for China to become a global biotech leader, using the data harvested from its efforts for new medical discoveries and cures and to advance its AI and precision medicine industries. These efforts have vastly expanded amid the COVID-19 global pandemic.
“Aside from these immediate privacy risks, China’s access to U.S. health and genomic data poses long-term economic challenges for the United States,” according to the report. “The combination of stolen PII, personal health information, and large genomic data sets collected from abroad affords the PRC vast opportunities to precisely target individuals in foreign governments, private industries, or other sectors for potential surveillance, manipulation, or extortion.”
As noted in federal alerts and security researchers, there are key steps organizations should take to defend against these types of threats. Patch management and network segmentation are crucial for defending against attacks on exposed endpoints.
Entities should both understand and expect that stolen or modified accounts, credentials, or software taken prior to patching the vulnerabilities that the device will not be protected by a software update.
For those circumstances, administrators should employ a password update and account reviews as part of an overall security program. Enterprises must also enable robust logging capabilities for all internet-facing endpoints and services, which should also be isolated in a network demilitarized zone (DMZ) to reduce the threat of exposure.
Monitoring of all logs is crucial to quickly detect system compromise. Security researchers have also stressed the need for thorough and routine email security and training, given the prevalence of phishing campaigns used to prey on human instinct amid COVID-19.
“But what typically differentiates nation-state level groups is taking the attack surface provided to them and finding a way in, even if there are no known vulnerabilities,” Tom Pace, former vice president of Enterprise Solutions at BlackBerry, previously told HealthITSecurity.com.
“Externally exposed services and devices are targets that are often desirable as well as the ever-prominent phishing email,” he added. “If you’re unable to manage the systems and security themselves, outsource this function to a skilled third party. This comes with its own risks but is likely better than the alternative as healthcare has typically lagged behind other verticals.”