By Megan R. Wilson

Listen to this briefing

Did someone forward you this newsletter? Sign up here to get it in your inbox.

In today’s issue:

• Why health systems should be on alert for cyberattacks
• RFK Jr. adds two members to federal vaccine advisory panel

Hello, everyone. Welcome to Health Brief. Please send any tips or leads to megan.wilson@washpost.com. If you prefer to message me securely, I’m also on Signal at megan. 434.

This newsletter is published by WP Intelligence, The Washington Post’s subscription service for professionals that provides business, policy and thought leaders with actionable insights. WP Intelligence operates independently from The Washington Post newsroom. Learn more about WP Intelligence.

Secretary of State Marco Rubio talks to reporters at the U.S. Capitol before briefing congressional leaders about the weekend attack on Iran. (Anna Moneymaker/Getty Images)

	The Lead Brief

In the aftermath of U.S. and Israel military strikes on Iran this weekend, health systems should be on alert for cyberattacks, security experts warn.

Federal agencies have repeatedly warned about threats from Iran-backed cyberattacks on critical infrastructure, including hospitals, over the last several years following spikes in geopolitical tensions in the Middle East. 

“The recent escalation following the joint U.S.-Israeli strikes in Iran [have] fundamentally altered the risk calculus for domestic critical infrastructure,” said Tatyana Bolton, the head of Monument Advocacy’s cyber practice.

While retaliation from Iran has been mostly focused on bomb strikes in surrounding countries, Bolton said that Iran and allied groups “will have every incentive to attack U.S. critical infrastructure, especially as a last resort if their missile capability is severely degraded.”

“Cyber operations have become their primary instrument for asymmetric retaliation,” Bolton said. “They don’t need to win a naval battle in the gulf to hurt us; they can attempt to hold our power grids and hospitals hostage from halfway around the world.”

Why it matters: The health care industry is an attractive target for cyberattackers because of the amount of monetizable and sensitive data available to them. Hospitals rely on interconnected electronic health record systems, billing platforms and connected medical equipment that are all at risk.

In some cases, health systems have had to divert patients to other facilities following a ransomware attack, in which criminals install malicious software that locks down computer systems and then demand payment to fix it. A well-placed ransomware attack or an effort to flood websites with traffic, known as a distributed denial-of-service campaign, can shut down scheduling systems, divert ambulances and delay surgeries.

	Industry Rx

The American Hospital Association, an industry group, “maintains a very robust and ongoing cyber and physical threat information exchange with the federal government,” John Riggi, senior adviser for cybersecurity and risk at AHA, tells me in an email. This includes the FBI and the Department of Health and Human Services.

Advertisement

But the association is “not aware of any specific credible threats directed against U.S. health care at this time,” he said.

At HHS, the Administration for Strategic Preparedness and Response serves as the risk management agency for cybersecurity within the health care system. The department didn’t respond to an inquiry about whether there is an elevated cyber risk for hospitals, health systems or insurers.

The bottom line: Unlike attacks on financial institutions, cyber-intrusions that involve the health care system are more likely to come with immediate consequences for people’s well-being.

“Ransomware and other cyberattacks on hospitals have evolved. The crime itself has changed from one that is financially motivated to an act that also represents a threat to life that endangers public health,” Riggi writes in a post about the topic.

→ It’s not just hospitals: Insurance information and clinical trial data and information stemming from medical research have also been targeted in cyberattacks, though necessarily not from Iranian-linked sources.

Alexander Leslie, senior adviser for threat intelligence company Recorded Future, said that most of the cyber activity they’ve seen thus far is relatively “low-level,” and “not the sustained or destructive campaigns that would materially threaten health care networks.”

“That said, hospitals remain chronically attractive targets for both state-sponsored actors seeking asymmetric pressure and opportunistic cybercriminals who exploit moments of heightened tension and distraction,” Leslie said. “In these scenarios, the risk calculus can shift quickly, and the health care sector cannot afford to assume it’s insulated.”

Advertisement

Aneesh Chopra, who served as U.S. chief technology officer during the Obama administration, said that this is a moment for the information security officers at hospitals to “double down on core cyber hygiene.”

This includes applying security updates to internet-facing systems, reviewing dependence on third-party software and increasing the adoption of multifactor authentication that’s resistant to phishing, a scam that tricks users into giving out their passwords or other sensitive information.

Riggi said the AHA is telling its members to be extra vigilant with both cybersecurity and physical security measures “should Iran, its proxies or self-radicalized individuals attempt an attack in the U.S.” — and report suspicious activities to federal and local authorities where appropriate.

	Immunization Update

One of Health Secretary Robert F. Kennedy Jr.’s newest picks for an influential vaccine advisory panel announced on Friday has previously suggested that the covid-19 shot had been linked to thousands of deaths — and that people could take vitamins to treat the virus rather than getting vaccinated.

Angelina Farella, a Texas-based pediatrician, said years ago that she is not opposed to vaccines — and has given “tens of thousands” at her practice.

“I’m very pro-vax actually — except when it comes to this covid vaccine, if we can call it that,” Farella said during a Texas Senate hearing in 2021 about a bill that would ban vaccine mandates.

In Friday’s announcement, Kennedy named Farella and Sean G. Downing, a primary care physician licensed in Florida, to the Advisory Committee on Immunization Practices (ACIP).

Farella did not respond to an inquiry about her remarks.

ACIP is scheduled to meet later this month, with plans to discuss covid-19 vaccine injuries, among other topics. Although there have been rare instances of severe side effects, including myocarditis in young men, researchers argue that contracting covid makes a person more likely to develop health issues. The Centers for Disease Control and Prevention has repeatedly deemed the shots safe and effective for children and adults.

Why it matters: The appointments come as the Trump administration has been trying to move its public-facing health care agenda toward more popular policies — such as food and drug pricing — ahead of this year’s midterm elections. The changes to vaccine policy, spearheaded by Kennedy, have been more divisive among independent voters, who will be critical to Republicans in November.

“ACIP must scrutinize the evidence openly, ask hard questions, and earn the nation’s confidence through transparent deliberation,” Kennedy said in a statement announcing the new members.

What to watch: A federal judge is weighing whether ACIP’s meeting, scheduled for March 18 and 19, should take place at all. The question is part of a lawsuit led by the American Academy of Pediatrics, which alleges that Kennedy didn’t follow the law when appointing his picks for the panel. (HHS has said that Kennedy stands by his overhaul of the CDC.)

	What We’re Reading

“How 10-minute procedures and routine scans become five-figure medical bills,” Elisabeth Rosenthal writes for KFF Health News.

“C.D.C.’s New Acting Director Draws Unexpected Praise From Agency Staff,” Apoorva Mandavilli reports at the New York Times.

“Turmoil Takes Hold at CDC as Top Officials Keep Leaving,” report the Wall Street Journal’s Sabrina Siddiqui, Jennifer Calfas and Liz Essley Whyte.

“Trade probe focuses on China’s biotech support,” Adriel Bettelheim writes at Axios.

“FDA to Give Staff Bonuses for Speeding Up Drug Reviews,” Bloomberg’s John Tozzi and Robert Langreth report.