The Department of Health and Human Services (HHS) encourages the Healthcare and Public Health (HPH) sector to remain vigilant against elevated cyber threat actor risks. As demonstrated during previous periods of increased geopolitical tensions, state-sponsored and state-aligned cyber actors may increase their targeting of U.S. critical infrastructure.
Known Tactics and How to Protect Against Them
We encourage all HPH organizations to leverage the HPH Cybersecurity Performance Goals (CPGs) as they work to fortify their defenses. These CPGs are a voluntary subset of cybersecurity practices that healthcare organizations, and healthcare delivery organizations in particular, can prioritize to strengthen cyber preparedness, improve cyber resiliency, and ultimately protect patient health information and safety. Key actions organizations can take today include:
- Establish network micro-segmentation security to minimize the attack surface by dividing networks into finely controlled segments.
- Refrain from directly connecting medical equipment and OT/ICS assets to the public internet. If remote access is required, enforce deny-by-default allow lists.
- Change default passwords as soon as possible, particularly on IoT and medical devices.
- Implement phishing-resistant MFA.
- Patch all systems against known exploited vulnerabilities and leverage available alerting from HHS & CISA.
- Consider using the new Cybersecurity Module within the HHS RISC 2.0 Tool to assess cyber risk and prioritize critical mitigation approaches. You may also leverage CISA’s free cyber hygiene services.
- Be vigilant for distributed denial-of-service (DDoS) campaigns: targeted DDoS campaigns against public-facing services and websites are intended to degrade availability and create cascading impacts, particularly when traffic filtering and rate-limiting protections are absent or insufficient. For additional information, please review CISA’s document on Understanding and Responding to Distributed Denial-Of-Service Attacks.
- Organizations are encouraged to remind users to remain vigilant as phishing campaigns often increase during periods of heightened global conflict and uncertainty. Threat actors frequently exploit current events to craft convincing emails, messages, and websites designed to trick users into revealing credentials or clicking malicious links. Users should exercise extra caution when reviewing unexpected communications, especially those that create a sense of urgency or reference ongoing conflicts. Reinforcing basic cyber hygiene—such as verifying the sender, avoiding suspicious links or attachments, and reporting potential phishing attempts promptly—can help reduce the risk of compromise during this period.
- Review and rehearse incident response plans.
Organizations should balance their operational needs with the current threat level and develop processes and postures for normal operating status and higher threat periods. The threat from cyber attacks is ongoing and entities should develop effective deterrent procedures while maintaining effective care delivery.
HHS and our federal partners are closely monitoring threat activity. We will provide further guidance as more information becomes available.
Reporting Incidents
- Report cyber attacks to any of the below:
a. FBI’s Internet Crime Complaint Center (IC3)
b. A local FBI Field Office
c. CISA via the agency’s Incident Reporting System or its 24/7 Operations Center (contact@mail.cisa.dhs.gov) or by calling 1-844-Say-CISA (1-844-729-2472)
- You can also contact HHScyber@hhs.gov for support or with any questions regarding this advisory. You can also call the 24/7 HHS Secretary Operations Center at (202) 619-7800.
- For any cyber-related questions or incidents impacting medical devices, you may contact cybermed@fda.hhs.gov.
Threat Actor Landscape
State-sponsored and state-aligned cyber threats pose a persistent and rising risk to the HPH sector, especially during periods of heightened geopolitical tension. U.S. government partners, including the FBI, CISA, and the Department of Defense Cyber Crime Center, have repeatedly warned that these adversaries routinely target poorly secured healthcare systems, exploiting internet-connected devices and legacy infrastructure for disruptive or destructive operations. Wiper malware, Distributed Denial of Service (DDoS) attacks, espionage, spear phishing, exploitation of publicly known vulnerabilities, and the use of multiple open-source tools remain concerning and commonly used tactics among state-affiliated cyber threat actors.
Historical patterns show that HPH organizations are frequently victimized during global conflicts, with threat actors leveraging brute-force intrusions, credential harvesting, and opportunistic exploitation of vulnerabilities to compromise clinical networks and sensitive patient data. Recent federal advisories underscore that both nation-state operators and aligned hacktivists view the HPH sector as a high-value target due to the criticality of healthcare delivery, the sector’s interdependencies, and its often resource-constrained cybersecurity posture.
Additional Information
For additional context on state-sponsored cyber threats, please see the overview on CISA’s Nation-State Threats website.