Fake vitals, real threats

With help from Maggie Miller

Driving the day

Hackers can manipulate hospital equipment to show fake patient vitals, potentially leading to misdiagnosis and delayed treatment. Researchers are working to expose these vulnerabilities before it’s too late.

HAPPY MONDAY and welcome to MORNING CYBERSECURITY! I’m off all week, see you in July.

Have any tips or secrets to share with MC? Or thoughts on what we should be covering? Find me on X at @JGedeon1 or email me at [email protected]. You can also follow @POLITICOPro and @MorningCybersec on X. Full team contact info is below.

Today's Agenda

The Transportation Department is holding a meeting of the transit advisory committee for safety, and on the agenda is an update from the cyber and data security systems subcommittee. 9 a.m.

Critical Infrastructure

HELPING HAND FOR OT — In a state-of-the-art room nestled in Switzerland that looks more like a hospital ward than a high-tech lab, researchers are working to expose vulnerabilities in medical devices that millions of Americans rely on daily.

It’s here where the next ransomware attack on hospitals is being simulated — and hopefully prevented.

Safeguarding medical devices has also become a priority in Washington, where the Biden administration has cleared action after action over the last few months to push back against rising attacks on the hard-hit health care sector.

Edgard Capdevielle, CEO of Nozomi Networks, told Maggie they’re testing for “very, very real” risks to hospital equipment — especially since the companies that produce this equipment haven’t always been focused on cybersecurity.

“Those vendors are in the business of producing equipment that produces test results, not cybersecurity, so I think hospitals in particular are probably the highest level of vulnerability,” Capdevielle said.

— A helping hand: Threats to OT systems are a problem worldwide, and particularly in Ukraine, where the nation's energy and other critical systems face constant bombardment by missiles and cyberattacks more than two years into Russia's invasion.

According to Capdevielle, the Swiss lab has also helped Ukrainian defenders root out vulnerabilities in key networks.

“We’re very involved in Ukraine, specifically the organizations that run power over there,” he said.

Some other key takeaways:

  • Nozomi Lab researchers demonstrated real-time manipulation of patient vital signs on standard hospital monitors, highlighting the potential for misdiagnosis or delayed treatment.
  • A common ultrasound machine was compromised within minutes using a simple USB drive, mimicking a ransomware attack that could cripple hospital operations.
  • Even basic equipment like refrigerator temperature monitors was found to have exploitable weaknesses.
  • The lab is used to test a range of OT systems, including traffic lights and other OT equipment used in modern cities, along with manufacturing systems.

— Meanwhile in Washington: The White House is finalizing new rules for the hospital sector within the next few weeks.

“We’re working on a rule related to minimum cybersecurity practices for hospitals,” Deputy National Security Adviser Anne Neuberger said at a Semafor event last week.

It comes in the wake of high-profile attacks on Change Healthcare in February and United Kingdom health services earlier in June. The White House said there’s been a 130 percent spike in Russian cybercriminal attacks on U.S. health systems in recent months.

Beyond the new mandates, the administration also recently secured pledges from Google and Microsoft to offer discounted cybersecurity services to rural hospitals, a tacit acknowledgment of the gaps in the health care sector.

Want to receive this newsletter every weekday? Subscribe to POLITICO Pro. You’ll also receive daily policy news and other intelligence you need to act on the day’s biggest stories.

On the Hill

SMALL BUT MIGHTY — The Department of Defense could receive approval to fund seven software and digital technology pilot programs out of this week’s House Appropriations bill, covering areas from cybersecurity to space domain awareness.

While they get only a brief mention in the legislation, the programs are expected to use agile development methods across the software lifecycle, including research, testing and maintenance.

Key programs include:

  • Defensive CYBER
  • Risk Management Information
  • Maritime Tactical Command and Control
  • Space Domain Awareness Software

However, the bill prohibits initiating additional software pilots in fiscal year 2025, signaling a cautious approach to evaluate current programs before expansion.

— Get right: Congress is also impatiently waiting for DOD to get its act together on tech supply chain security. The House Appropriations Committee is eagerly expecting a report on the agency’s progress, while simultaneously nudging the Pentagon to fully embrace recommendations from a recent Government Accountability Office report.

— Not a flop: The GAO’s scorecard on the DOD’s information and communications technology supply chain risk management is a mixed bag. Out of seven key practices, the Pentagon has fully implemented four and partially implemented three.

Now, Congress is urging DOD to cast a wider net in its component reviews for commercial IT and encrypted data storage products. On the to-do list are:

  • Getting the DOD CIO to commit to a timeline for a department-wide ICT supply chain risk management strategy
  • Implementing counterfeit detection procedures before deploying products

Vulnerabilities

MULTI-CAR PILEUP — Major auto retail software provider CDK Global might have to pay tens of millions of dollars in ransom to hackers who’ve crushed its systems since Wednesday, a person familiar with the situation told Bloomberg on Friday.

While the situation is fluid, the attack has ripped through U.S. auto dealerships; CDK's software serves over 15,000 North American retail locations. The company is facing pressure to restore services quickly as giants like Sonic and Penske Automotive struggle with manual workarounds.

The unnamed person also tells Bloomberg the attacking group comes from an Eastern European country.

The company said in a statement to MC that it notified law enforcement, launched an investigation with third-party experts and has “begun the restoration process.” But if CDK decides to pay the ransom, it could set a precedent for future attacks in the sector.

CDK did not say whether a ransom would be paid or who the perpetrator could be.

— Funny thing, that timing: The attack comes as cybersecurity risk has surged to the top of the auto industry’s worry list.

The 2024 State of Smart Manufacturing Report released last week revealed that cybersecurity is now the number one external obstacle for automotive manufacturers, up from ninth place just a year ago. This heightened concern matches the sector’s rapid digitalization, with 97 percent of manufacturers now using or evaluating smart manufacturing technology, up from 85 percent in 2023.

The International Scene

PARIS OLYMPICS — Kremlin-linked hacktivists are said to be ramping up their attacks on France, signaling what could be a prelude to a more aggressive campaign targeting the Paris Olympics.

According to hacktivist tracker CyberKnow, attackers are noting on Telegram that they are upping DDoS attacks as a sort of training exercise ahead of the Olympics, which kick off at the end of next month. Some notable groups to watch are: CyberArmyofRussia_Reborn, Hacknet, NoName057(16) and Cyber Dragon.

DDoS attacks don't steal data; they are designed to overwhelm and knock networks offline. The wave of attacks prompted the French government to activate a crisis response back in March.

— Recent history: This offensive follows a pattern of Russia-aligned groups targeting Western infrastructure. The CyberArmyofRussia_Reborn group has been linked by cybersecurity firm Mandiant to the notorious Sandworm unit of Russia's GRU military intelligence, and it has already claimed breaches of U.S. and European utilities earlier this year.

Tweet of the Weekend

Mark Cuban reached out to Google on X to say that his personal Gmail got hacked (posting the actual email address) over the weekend, and then deleted the post. Sigh.

Quick Bytes

UNDER PRESSURE — CISA’s “secure by design” pledge hopes to leverage customer pressure to push tech companies towards stronger cybersecurity, writes Justin Doubleday for the Federal News Network.

LISTEN TO THIS — The first episode of a brand new podcast dives into Microsoft Recall, dark patterns in big tech AI, Brad Smith’s testimony, Apple’s new cloud infrastructure and more. Listen to Security Conversations here.

“AI is already wreaking havoc on global power systems” (Bloomberg)

The Cyber Calendar

Tuesday

Sierra co-founder and OpenAI chair Bret Taylor is joining Washington Post Live for a virtual discussion on the widespread adoption of AI. Noon.

Wednesday

The House Homeland Security committee is holding a hearing to address America’s cyber workforce shortage. 10 a.m.

Thursday

The HHS cyber subcommittee is holding a hearing on protecting critical infrastructure. 2 p.m.

Chat soon.

Stay in touch with the whole team: Joseph Gedeon ([email protected]); John Sakellariadis ([email protected]); Maggie Miller ([email protected]); and Heidi Vogt ([email protected]).

Correction: A previous version of Weekly Cybersecurity misstated the title of Edgard Capdevielle. He is CEO of Nozomi Networks.