Cyber can now create biowarfare effects, without a bioweapon

The digitization of medicine and biomedical research has been a boon for medical breakthroughs, but comes at a cost. From ransomware attacks at hospitals to intellectual property breaches at research centers, cybersecurity is now a major concern in the medical world. In the following op-ed, three experts at the intersection of national security and health policy lay out the worryingly diverse ways the global healthcare system is at risk, and why it should concern the defense community. 

The worst biological warfare scenarios remain in the realm of nightmares and science fiction. From developing pathogens to finding an appropriate vector, the process of weaponizing biological agents is fraught with challenges. Without discounting the well-documented history of biowarfare and the very real threat of novel weaponized biological agents in the future — particularly as gene editing and designer molecules revolutionize the field — real hurdles remain. It’s dangerous, and the effects are difficult to predict and control.

But what if it was possible to create bioweapon effects, without having to actually use a bioweapon? That’s no longer a hypothetical. The digitization, automation, and networking of biomedical and public health information may mean that cyber tools can be used to achieve biowarfare effects that were previously unrealistic or impractical.

Perhaps the most glaring wake-up call is the use of social media tools to spread and amplify misinformation about COVID-19 vaccines, contributing to viral illness and death of US citizens. But that’s just the tip of the iceberg when it comes to how our public health is vulnerable to direct manipulation by malicious actors in the cyber domain. 2020 saw a 200% rise in healthcare cyber-attacks, and the upward trend continues. Networked data is increasingly the backbone of our entire medical system: initial R&D/experimental biomedical research, treatment development, clinical trial data, drug supply chains, the equipment used in treatment, individual health records, and personal fitness tracking.

Manipulation or theft of R&D and clinical trial data drugs, devices and treatments can invalidate results or sow doubts about their reliability, hamstringing or confounding scientific studies in response to public health crises and making people sick. The clinical R&D landscape is evolving: Growth in team-based translational science is bringing research scientists, systems thinkers, analytic boundary crossers, and business developers together across global communications architectures faster than ever. And as a result, the threat surface is growing as well.

RELATED: How To Build A Better Policy For Countering WMD Threats

Supply chain interference can cause widespread disruption in critical medical care or can target delivery to specific populations for more tailored effects. The sophisticated global cyber campaign targeting the COVID-19 vaccine supply chain (specifically the “cold chain”) is a striking example, but is by no means a unique event. It is part of a larger trend, in which hackers have shifted their focus in recent years to increasingly target pharmaceutical and medical supply chains. These are attractive ransomware targets for the lucrative prices they command precisely because they threaten the delivery of critical lifesaving drugs and therapies. These same supply chain vulnerabilities can be exploited by actors whose goal is not financial gain but biological damage.

Hospitals and healthcare facilities are vulnerable as well. Critical life-saving machinery and devices — infusion pumps, defibrillators, ventilators, dialysis machines, and active patient monitoring devices — can be breached by both insider and external threats. Access to cyber tools can give actors the ability to disrupt, delay, or deny treatment, manipulating critical health outcomes for patients, even life or death. The ability to hold patients’ health at risk is what has made this such an appealing and profitable target for ransomware. And the COVID-19 Pandemic has shown us that these breaches are now a common occurrence.

As health records and personal fitness data are increasingly specific, detailed, digitized, and shared across devices platforms, and databases, they become vulnerable. Health record breaches alone rose 300% from 2018 to 2021. Our ever-growing volume of personal health information can be harvested and even manipulated to affect specific individuals, or aggregated to target populations by race, age, gender, location, socioeconomic status, medical condition, or any number of other factors depending on the malicious actor’s goal.

The blending of the biological and cyber domains suggests that we need to prepare differently for the threat of biological warfare if we are to properly defend our population. The most difficult task is changing our fundamental model of boundaries between clinical research, bio-surveillance, care delivery, and individual devices. DoD has an important leadership role to play in driving, coordinating, and overseeing this change.

To start, we must embrace the same principles required by any other type of complex cyber supply chain which, according to NIST [PDF], requires that we: 1) assume our systems will be breached and consider recovery and mitigation up-front, 2) establish collaborative and cross-organizational governance organized by use case with clinical and business owners at the forefront, backed by security experts, and 3) remember that a risk anywhere in the entire chain can impact any link — it may not be your responsibility contractually, but it will be your problem in reality.

In the clinical cyber supply chain, the individual software systems receive most of the focus, but it is the rapidly changing interconnections where breaches happen most often — so working together to adjust perceived systems boundaries and overall mental models must be a continual task. The community of interest – which includes scientists, pharmaceutical companies, medical technology developers and manufacturers, academics, cyber security professionals, national defense professionals, and patients – is far-reaching, fragmented, and stove-piped. We must undertake a holistic reevaluation of biological warfare defense in the context of a changing and networked public health ecosystem.

Katherine Hasty is a US Air Force veteran and director of Future Warfare at Long Term Strategy Group. Dr. Janie L. Gittleman is executive director for Global Health Innovation at ManTech International and a former Senior Health Advisor to the Defense Intelligence Agency Surgeon General. Edward F. O’Connor is a Subject Matter Expert with ManTech’s Health Division and a former CIO of Central Health and the Community Care Collaborative.