The Centers for Medicare & Medicaid Services (CMS) is committed to the security and resilience of the healthcare ecosystem and recognizes that cybersecurity threats to the Healthcare and Public Health (HPH) sector represent a direct risk to patient safety, care delivery, and the integrity of sensitive health information. As cyber threats continue to evolve, it is more critical than ever that all stakeholders remain vigilant and proactive in strengthening their cyber defenses. In that spirit, CMS is sharing the following advisory bulletin, produced by the HHS Administration for Strategic Preparedness and Response (ASPR), Office of Cybersecurity and Infrastructure Protection (OCIP), with our valued stakeholder network. We strongly encourage all HPH organizations to review the guidance, adopt the recommended protective measures, and leverage the available federal resources outlined herein to help safeguard their operations, their patients, and the broader healthcare infrastructure we all depend upon.

HHS Encourages Healthcare and Public Health Sector to Strengthen Cyber Defenses Amid Elevated Threats

Traffic Light Protocol (TLP) Designation: CLEAR
TLP: CLEAR information may be distributed without restriction.

The Department of Health and Human Services (HHS) encourages the Healthcare and Public Health (HPH) sector to remain vigilant against elevated cyber threat actor risks. As demonstrated during previous periods of increased geopolitical tensions, state-sponsored and state-aligned cyber actors may increase their targeting of U.S. critical infrastructure.
Known Tactics and How to Protect Against Them
We encourage all HPH organizations to leverage the HPH Cybersecurity Performance Goals (CPGs) as they work to fortify their defenses. These CPGs are a voluntary subset of cybersecurity practices that healthcare organizations, and healthcare delivery organizations in particular, can prioritize to strengthen cyber preparedness, improve cyber resiliency, and ultimately protect patient health information and safety. Key actions organizations can take today include:
- Establish network micro-segmentation security to minimize the attack surface by dividing networks into finely controlled segments.
- Refrain from directly connecting medical equipment and OT/ICS assets to the public internet. If remote access is required, enforce deny-by-default allow lists.
- Change default passwords, particularly on IoT and medical devices, as soon as possible.
- Implement phishing-resistant MFA.
- Patch all systems against known exploited vulnerabilities and leverage available alerting from HHS & CISA.
- Consider using the new Cybersecurity Module within the HHS RISC 2.0 Tool to assess cyber risk and prioritize critical mitigation approaches. You may also leverage CISA's free cyber hygiene services.
- Be vigilant of distributed denial-of-service (DDoS) campaigns: targeted DDoS campaigns against public-facing services and websites are intended to degrade availability and create cascading impacts, particularly when traffic filtering and rate-limiting protections are absent or insufficient. For additional information, please review CISA's document on Understanding and Responding to Distributed Denial-Of-Service Attacks.
- Organizations are encouraged to remind users to remain vigilant, as phishing campaigns often increase during periods of heightened global conflict and uncertainty. Threat actors frequently exploit current events to craft convincing emails, messages, and websites designed to trick users into revealing credentials or clicking malicious links. Users should exercise extra caution when reviewing unexpected communications, especially those that create a sense of urgency or reference ongoing conflicts. Reinforcing basic cyber hygiene, such as verifying the sender, avoiding suspicious links or attachments, and reporting potential phishing attempts promptly, can help reduce the risk of compromise during this period.
- Review and rehearse incident response plans.
Organizations should balance their operational needs with the current threat level and develop processes and postures for normal operating status and higher threat periods. The threat from cyber attacks is ongoing and entities should develop effective deterrent procedures while maintaining effective care delivery.
HHS and our federal partners are closely monitoring threat activity. We will provide further guidance as more information becomes available.
Reporting Incidents
1. Report cyber attacks to any of the below:
2. You can also contact HHScyber@hhs.gov for support or with any questions regarding this advisory. You can also call the 24/7 HHS Secretary Operations Center at (202) 619-7800.
3. For any cyber-related questions or incidents impacting medical devices, you may contact cybermed@fda.hhs.gov.
Threat Actor Landscape
State-sponsored & state-aligned cyber threats pose a persistent and rising risk to the HPH sector, especially during periods of heightened geopolitical tension. U.S. government partners, including the FBI, CISA, and the Department of Defense Cyber Crime Center, have repeatedly warned that these adversaries routinely target poorly secured healthcare systems, exploiting internet‑connected devices and legacy infrastructure for disruptive or destructive operations. Wiper malware, Distributed Denial of Service (DDoS) attacks, espionage, spear phishing, exploiting publicly known vulnerabilities, and leveraging multiple open-source tools remain concerning and commonly used tactics among state-affiliated cyber threat actors.
Historical patterns show that HPH organizations are frequently victimized during global conflicts, with threat actors leveraging brute‑force intrusions, credential harvesting, and opportunistic exploitation of vulnerabilities to compromise clinical networks and sensitive patient data. Recent federal advisories underscore that both nation‑state operators and aligned hacktivists view the HPH sector as a high‑value target due to the criticality of healthcare delivery, the sector's interdependencies, and its often resource‑constrained cybersecurity posture.
Additional Information
For additional context on state-sponsored cyber threats, please see the overview on the CISA Nation-State Threats website.

Subscribe to HPH Sector Bulletins
Did a colleague forward you this HPH Sector Bulletin? HPH Sector bulletins inform stakeholders about the most significant issues facing the sector including cybersecurity, medical supply chains, and more. If you are interested in receiving HPH Sector bulletins, visit the CIP bulletins subscription webpage.

Comments and Questions
If you have any additional questions, we encourage you to contact us at hhscyber@hhs.gov.

Disclaimer: ASPR provides the above sources of information for the convenience of the HPH Sector community and is not responsible for the availability or content of the information or tools provided, nor does ASPR endorse, warrant or guarantee the products, services or information described or offered. It is the responsibility of the user to determine the usefulness and applicability of the information provided.

This email was sent by: Centers for Medicare & Medicaid Services, 7500 Security Blvd, Baltimore, MD, 21244, US