Weaponizing Digital Health Intelligence

M. Bourdeaux, G. Abiola, B. Edgar, J. Pershing, J. Wang, M. Van Loon, B. Schneier

Belfer Center for Science and International Affairs, Harvard Kennedy School, January 2020.

Introduction

Such actors may include states that wish to exaggerate or cover up an outbreak by hacking these systems and falsifying data within them; mask an ongoing biochemical or bioweapons attack; or prosecute a politically motivated attack on an individual or group through corruption of health data.

Modern state-sponsored health disinformation campaigns that cast doubt on the credibility of health institutions demonstrate the desire some states have to manipulate health information to these ends. For example, recent anti-vaccine campaigns have fueled measles outbreaks across the globe. The lethality of these vaccine-preventable outbreaks—in this case, boosted by Russian-backed anti-vaccination disinformation campaigns proliferated through social media—serves as a stark reminder of the serious harm these campaigns can do to public health, and the credibility of public health institutions.2

Recently, concerns that new technologies will facilitate a new generation of bioweapons have grabbed headlines, and appropriately so. However, much less attention has been paid to the risks of cyberattacks on health intelligence systems. This paper focuses on these vulnerabilities and the motivations states may have to exploit them in order to achieve their strategic and geopolitical aims.

This paper argues that these potential vulnerabilities deserve rigorous, urgent, and thorough investigation. First, it draws from cybersecurity literature, and reviews general sources of vulnerability in digital systems. Next, with these sources of vulnerability in mind, it reviews the health intelligence systems used in the US as well as in a current Public Health Emergency of International Concern (PHEIC), the Ebola outbreak in the Democratic Republic of the Congo (DRC). It then reviews the possible motives state actors have to attack health intelligence systems, drawing on recent examples of state-led efforts to manipulate, conceal, or undermine health information. It then speculates about what an attack on a health intelligence system might look like. It concludes by proposing a research and education agenda to thoroughly interrogate these issues and generate policy recommendations needed to address them.

Scope

This paper focuses on direct technical threats to health intelligence systems rather than social and political ones: threats that involve a state actor hacking, deleting, and changing health data in these systems. Examples include a state actor changing the number and location of cases during an infectious disease outbreak; changing the microbial resistance profile of deadly pathogens; or denying decision makers access to critical health data during an emergency, and the like. As such, its primary focus is not on health disinformation campaigns that recently have leveraged social media to spread false information about health threats. We address these disinformation efforts only insofar as they point to motivations states may have to attack and corrupt health data and intelligence systems directly.

Also, this paper focuses only on threats to the US’s health intelligence systems, as well as those the World Health Organization (WHO) and others are currently using to address a PHEIC—the Ebola outbreak in the DRC. It focuses on the US because of the authors’ familiarity with its systems and their access to relevant information about those systems’ architecture and functioning. The systems the WHO is using to address the Ebola PHEIC in the DRC are a second focus, because of the WHO’s primacy in the global health security ecosystem and its responsibilities to health security conferred upon it by the International Health Regulations. However, the analysis of the vulnerabilities of these systems may be generalizable to other countries’ health intelligence systems.

Means

Security researchers define three aspects of information security: confidentiality, integrity, and availability (the CIA triad). Confidentiality concerns around health data are most familiar to the lay public because of longstanding policy debates about patient privacy.

Today the more dangerous threats involve integrity and availability. The former involves manipulating data, and the latter involves deleting it or otherwise making it unavailable. In the health domain, this could involve changing a person’s blood type in a hospital database (a data integrity attack) or not permitting them to access or change the controls on their insulin pump (a data availability attack). In recent years, there have been numerous ransomware attacks against hospitals, where patient data is encrypted and rendered inaccessible unless the hospital pays a ransom (another data availability attack).

There are many techniques hackers use to try to gain access to digital networks. We focus on four general categories here to give the reader a starting point to consider the potential vulnerabilities of digital health intelligence systems.

Stealing access credentials. The primary way cybercriminals gain access to a network is through credential stealing—stealing an authorized person’s login and password. Poor authentication systems can make this easier. Health intelligence systems may need to give access to thousands of people, exacerbating this problem.

Exploitation of unencrypted networks. Encrypted networks secure the flow of communication by encoding data and messages that travel through it. Unencrypted communications, however, essentially allow eavesdropping: a hacker can “listen” in on communication flows or intercept and redirect them.

Exploiting coding mistakes to hack into networks. Software code is never perfect. Bugs in the code can create opportunities for hackers to break into the code and change it. These can often be fixed with a patch—a bit of update code that deletes the mistaken portion and replaces it with code that works. Sometimes, particularly with cheaper networked devices, patching is impossible.3

Supply chain attacks. This category of vulnerability arises when malicious actors subvert the manufacturing, production, distribution, or update mechanism of a digital system. Currently, the production of all of our IT systems is global. Software may be written by programmers in Serbia, Brazil, or China. Devices may be produced in Malaysia, Ghana, or India, using chips made in China or Taiwan. The ability to purposefully introduce product features that render them hackable is an enormous security risk that has yet to be addressed.4 As the US and the world move to digital systems to manage health security emergencies, where the components of these vast systems originate and are assembled deserves scrutiny.

Health Intelligence Systems and Potential Vulnerabilities

Determining the vulnerability of health intelligence systems to hacking requires an analysis of what cybersecurity experts call the “attack surface.” While a detailed assessment of current health intelligence system attack surfaces is beyond the scope of this paper, keeping the above generalities in mind, there are reasons to be concerned. We first provide an overview of current US and WHO health intelligence systems and then consider how these systems may be vulnerable to attacks that exploit the four types of vulnerability described in the prior section.

The United States Health Intelligence Systems

The Centers for Disease Control and Prevention (CDC), under the federal authority of the Department of Health and Human Services (HHS), has the primary responsibility for administering national health surveillance programs in the U.S. Of note, individual US states and territories set their own laws regarding reporting requirements for health providers within their borders. Reporting information to the CDC is technically voluntary, although cooperation is standard practice. Over the last decade there has been a push to facilitate rapid communication about emerging health crises and thus multiple efforts to make use of automated, digital reporting systems that link providers, labs, and local, state, and national public health authorities.

The CDC runs two major health surveillance systems that are broad and inclusive of multiple conditions and diseases. The first is the case-based National Notifiable Disease Surveillance System (NNDSS), which monitors, responds to, and prevents 120 specific diseases of public health and biosecurity concern. Across the country, 3,000 public health centers submit data into the NNDSS. Electronic case reporting and electronic laboratory reporting, both of which make use of automated identification and transmission of reportable health events, are available options for entering data into the NNDSS databases.

The second system, the syndrome-based National Syndromic Surveillance Program (NSSP), gathers near real-time data from 590 emergency medicine departments across the country—roughly 63% of the nation’s emergency departments—through the National Electronic Disease Surveillance System (NEDSS). The NEDSS is a cloud computing environment, giving members a shared pool of configurable computer software programs to enter and analyze data. System requirements for emergency departments and others who feed information into the NEDSS include:

  • Disease data entry possible directly through an Internet browser-based system
  • Electronic Laboratory Reporting that enables labs to report cases to health departments
  • Integration of health information databases into a single repository
  • Electronic messaging capabilities

Since other federal agencies run surveillance and field testing programs of their own (for example, the US Department of Agriculture, the Food and Drug Administration, the Environmental Protection Agency), in 1999, the US initiated a program to link these labs into a network so as to streamline and coordinate monitoring of health security threats. The CDC administers this network, referred to as the Laboratory Response Network (LRN). LRN-designated labs collect and store data on laboratory information management systems (LIMS) or laboratory information systems (LIS) and communicate results through electronic laboratory reporting (ELR). LIMS and LIS differ in who uses them: LIMS refers to clinical laboratories that deal directly with patient lab results and LISs are used in pharmaceutical and therapeutic production.5

Tier 1 Labs: Local healthcare laboratories in hospitals and clinics and large commercial laboratories serve as LRN “sentinel laboratories.” All 25,000 private biologic labs in the US can feed into the LRN as a Tier 1. The majority of sentinel labs are private sector clinics or hospital and urgent care labs, with the remaining ones public health labs in schools, prisons, and STD clinics.6 The posture of sentinel labs with respect to biosecurity is to rule out biohazards of concern. If they are unable, in a particular case, to rule out a biohazard according to predefined criteria, then the sample is referred up to a Tier 2 laboratory in the LRN. Most laboratories, particularly high throughput labs, have testing equipment that automatically enters results into the lab’s LIMS. Of note, labs, independent of their participation in the LRN program, may also communicate non-biodefense-related health information to the CDC or state public health officials through multiple channels.

Tier 2 Labs: Tier 2 labs are called “reference” labs. There are 120 biologic and 53 chemical Tier 2 labs across the country, all of which are public sector health labs. They can be state labs or affiliated with other federal agencies like the US Departments of Agriculture, Energy, Defense, and Homeland Security, and the Environmental Protection Agency. Labs associated with these federal agencies may administer specific monitoring programs, such as the Biowatch program run under the auspices of the Department of Homeland Security that focuses on detecting aerosolized and weaponized biologic agents. Each Tier 2 lab has its own LIMS program. Although there are many software brands that administer LIMS, there are three or so typical programs used by state public labs across the country. To be designated as a Tier 2 lab, the lab has, and maintains, a defined set of capabilities and works with a specified set of protocols to report results.

Both sentinel laboratories and reference laboratories work closely with CDC laboratories and programs to conduct standardized testing for the detection and confirmation of pathogens that threaten public health, including bioterrorism agents. Of note, over the last ten years there has been an effort to connect sentinel, reference, and CDC labs with electronic laboratory and case reporting software so that lab results or information in electronic medical records that suggests the presence of a biohazard are sent directly to the CDC. To make this work, one approach has been to integrate standardized software, called the Laboratory Information Management System integration (LIMSi) into each laboratory’s individual LIMS.

Tier 3 Labs: The CDC and the US Army’s Medical Research Institute of Infectious Diseases (USAMRIID) serve as top-tier specialized labs in the LRN. Their role, because of their specialized testing and analysis services, is to characterize a pathogen or chemical threat. Depending on the nature and geographic spread of a health security emergency, ultimately, they are the providers of health intelligence for public policy decision makers in the event of a health emergency.

Possible Vulnerabilities in US Health Intelligence Systems

With this in mind, we revisit the four areas of vulnerability: credential stealing, exploiting unencrypted networks, exploiting software errors, and infiltrating supply chains.

First, attacks that stem from the stealing of credentials are a significant risk in healthcare organizations where thousands of users may have access to laboratory databases, especially Tier 1 labs. With respect to US health surveillance systems that are devised specifically to detect bioweapon attacks, evaluators have found them to be lightly guarded, with weak authentication protocols. For example, the US Department of Homeland Security, in response to the anthrax attacks of 2002, runs the Biowatch program that surveils daily air samples from 30 US cities for aerosolized biologic weapons. In 2017, a whistleblower raised significant concerns regarding the security of the database that included not only the results of the daily sampling, but also the locations of the sampling air filters, and the decision making protocols and thresholds for responding to a positive result.7 The resulting Inspector General report agreed with the whistleblower’s assessment: the database had significant security vulnerabilities, including that (1) it was kept on a non-secure private contractor’s .org domain site, (2) it was miscategorized as a program required to meet only minimum security standards, and (3) it lacked strong authentication protocols to protect against inappropriate access.8 The ability to access this information could have allowed attackers to disable the Biowatch program during an attack, or spoof the Biowatch system to provoke an expensive and discrediting false positive response on the part of US authorities.9

The use of unencrypted networks that allow “man in the middle” attacks is also a significant problem in US health intelligence systems. As health institutions rapidly digitalize, encryption of the networks has not necessarily kept pace. For example, the adoption of the electronic medical record (EMR) has skyrocketed over the past 15 years in the US, leaping from 31% of hospitals using EMRs in 2003 to 99% in 2019.10 In addition, many ancillary medical systems and devices have been digitized and potentially linked with EMRs—ranging from pharmaceutical management and supply chains to diagnostic images to laboratories and medical devices. Health centers are awash in computerized devices that support patient care: heart monitors, respirators, pacemakers, dialysis machines, interventional radiology equipment, and blood sugar monitors. Given this “expanded attack surface,” managing the security of this digital ecosystem is challenging.11 After a review of the cybersecurity posture of a large chain of Midwestern healthcare facilities found devices—refrigerators, defibrillators, and drug pumps for anesthesia and chemotherapy—vulnerable to casual hacking, the reviewers noted “there are very few devices that are truly firewalled off from the rest of the organization.”12 The more networked our health intelligence systems become, the faster officials can notice and address health threats. However, likewise, the bigger and more connected health intelligence systems are, the greater the attack surface of these systems.

In one particularly alarming study, researchers at the Ben-Gurion University Cyber Security Research Center in Israel showed the threat unencrypted health networks can present. They were able to gain control over a hospital’s unencrypted picture archiving and communication systems (PACS) by hacking into the hospital’s public Wi-Fi system. Once into the PACS, they inserted malware that altered real CT lung scans, inserting tumors into the images. Radiologists reading these CTs could only distinguish real from fake CTs 60% of the time—and only after being alerted that some of the CTs had been tampered with. Moreover, depending on which part of the network they penetrated, the researchers could gain access to patients’ complete medical records and theoretically could have changed or altered all data within them—not just falsified their lung CT scans.13,14

Third, vulnerabilities in software programs from bugs are also a concern. In particular, initiatives like LIMSi that aim to electronically interface with health information management systems, automatically scraping lab or medical databases and sending the results to the CDC, deserve enhanced security and scrutiny. The integration of software systems multiplies the potential number of program bugs hackers can exploit. The concern raised by this connectivity is that hackers, moving laterally after penetrating one part of the network, could gain access to other networked public health databases, servers, and electronic medical records across the country. How “walled off” a Tier 1 public health laboratory that institutes LIMSi should be from critical CDC databases and communications systems needs to be determined by security analysis and “white hat” attacks—those in which hackers are authorized to try to break into systems so that vulnerabilities are exposed and system managers can remedy them.

Fourth, there is a risk of supply chain attacks on the systems that manage laboratories, electronic medical records, and the myriad of computerized devices integrated into health institution networks (internet of things devices). Software programmers are not licensed in the US, and there are no laws or restrictions in place to prevent programmers from installing remote accessing software. Hardware is similarly international, with a similar lack of controls or restrictions. Software developers for, say, PCR machines could insert machine learning malware into the machines at production that sends a false test result directly into LIMSs in ways that no one would question.

Global Health Intelligence Systems During PHEICs—The Example of Ebola in the DRC

Globally, the World Health Organization is responsible for monitoring the health status and public health threats of the 194 member nations. Governments submit a variety of reports and indicators to the WHO routinely. In the event of a health security emergency such as an outbreak, however, health intelligence systems are set up locally in an ad hoc manner, depending on the location of the outbreak and the local and national surveillance systems on hand. As the threats of health security emergencies have grown, there has been a push for more formal and standardized approaches to health security preparedness. The notion of global health security is grounded in the International Health Regulations (IHR).

The IHR, originally adopted in 1964, is a set of regulations adopted by 183 states with membership at the World Health Organization. Largely inactive, these regulations were elevated and revised in the wake of the 2003 SARS epidemic. Countries were required to submit reports to the World Health Assembly annually to notify it of their capabilities with respect to an outbreak; however, few resources were available for countries not meeting core capabilities and less than 20% of countries reported being fully prepared in 2012 (the first deadline set for achieving compliance with the revised IHR). The 2014 Ebola epidemic in West Africa highlighted this lack of progress: many countries, especially high-poverty, high disease-burden ones emerging from decades of civil wars, lacked the capabilities required in the IHR. The Global Health Security Agenda was born in 2014 as a vehicle to help states build the capabilities required by the IHR and help guide donor country investments in health system strengthening in aid-dependent states. While enormous progress has been made in identifying capacity gaps by conducting assessments through Joint External Evaluations (JEEs), most countries, including the Democratic Republic of Congo, are just beginning to reckon with their baseline status in terms of health emergency preparedness.

The Ebola outbreaks in the DRC began in May of 2018 in eastern provinces of the country—a region infamous for being the epicenter of civil, regional, and even continental armed conflict. Over the last 18 months, the global health community has mobilized to support the DRC in its attempt to bring the epidemic under control. While much progress has been made, success has been elusive to date. This description of the health intelligence systems of the DRC Ebola outbreak refers to the situation during the summer of 2019, when data for this analysis was collected.

Health data reporting is funneled through the DRC’s national health information system that has operated on the District Health Information System 2 (DHIS2) platform since 2012.15 The DHIS2 is an open source, web-based health management information system that is used by 67 low- and middle-income countries totaling 30% of the global population—making it the world’s largest health management information system. The platform allows for data warehousing, using Amazon Web Services as a storage platform.16 It enables each country to customize it to its own needs and take full ownership of the data, and can work in resource-limited settings via SMS-reporting and offline features. Originally developed by faculty and students at the University of Oslo, the DHIS2 software is now managed by a full-time professional team coordinated by a dedicated program at the University.17 The 2012 uptake of DHIS2 was facilitated by the non-governmental organization IMA World Health, with technical expertise from BAO Systems. As of March 2017, 89% of the DRC had moved to using the DHIS2 platform. Health workers in all 516 health zones were tasked with inputting the old health center paper-based reports into the electronic system as part of the transition to DHIS2, and satellites and solar panels were installed in health zones lacking the electricity and internet access required for this process.

The DRC’s national Emergency Operations Center (EOC), established prior to March 2018 and now funded by the CDC via the Global Health Security Agenda,18,19 is the current command center of the Ebola response. A temporary EOC has also been established near the outbreak zone. Staffed by the Ministry of Health (MOH), the WHO, and the UN Peacekeeping Mission MONUSCO along with support staff from non-governmental organizations such as PATH, the EOCs compile the information and communication backbone for data collection, analysis, and decision making related to the outbreak. PATH has developed a targeted Ebola dashboard that operates through DHIS2 to provide real-time measures on the outbreak to the Ministry of Health. All information passes through the national EOC as an up-to-date repository.

Digital health tools include mobile phone use by health workers to track case contacts. This involves downloading an app such as CommCare onto a personal device, locating in person the individual who had contact with an Ebola-infected patient, taking their temperature, and entering their personal data onto the app software.20 These apps provide communication among health workers and staff, supply chain monitoring to ensure appropriate vaccine delivery, and the potential for mobile money transfers to resolve the issue of delayed health worker payment.21

All eight DRC laboratories functioning in an Ebola diagnostic capacity use the GeneXpert machine to generate a test result for the relevant Zaire strain of Ebolavirus in a patient sample within an hour. The labs are located in seven health zones in the region affected by the outbreak and in the national capital Kinshasa.22 In previous Ebola outbreaks when diagnostic capability was only available at the National Institute of Biomedical Research in Kinshasa, samples collected from suspected cases had to be shipped to the capital and results reported back. The establishment of field laboratories based in disease epicenters allowed for a smaller, faster loop of information feedback. Samples can be tested on site and positive results trigger immediate follow-up, an especially important element to outbreak containment in a remote or otherwise difficult region.23

Possible Vulnerabilities in the Health Intelligence Systems of the PHEIC in the DRC

Again, keeping in mind the four types of vulnerabilities of digital systems—credential stealing, exploiting unencrypted networks, exploiting software errors, and infiltrating supply chains—consider the risks this health intelligence system might possess.

On one hand, fewer software and digital devices are involved in the PHEIC response in the DRC and thus the attack surface is relatively smaller than that of US systems. However, there remain important potential vulnerabilities. Taking each of these in turn:

First, dozens if not hundreds of individuals from different countries are involved in responding to the Ebola epidemic. It is unclear who is involved and what type of access each responder has to laboratories and databases, and the cybersecurity hygiene practices of the organizations involved in the response are not standardized. And, importantly, in a politically fraught setting, the practice of bribing or coercing access to systems may be a greater risk.

With respect to encryption, the DHIS2 software program is cloud-based, meaning information is sent via the internet and stored on Amazon’s cloud servers. While these cloud services are encrypted, there are increasing concerns that cloud servers in general, and Amazon’s in particular, have vulnerabilities poorly understood by regulators and users who rely on their security.24

Software errors are also a concern. The DHIS2 website reports the program now supplies 67 countries with health surveillance capability—30% of humanity—so it is an attractive target to control. Notably, NGOs and small start-ups are developers and implementors of software employed in the DRC Ebola outbreak. Regardless of these entities’ expertise and commitment to information security, it is unreasonable to expect them to be able to match the capabilities of, and defend against, states with formidable cyberattack capabilities.

The software that community health workers use to track contacts who have been exposed to Ebola deserves scrutiny. The concern these software programs raise is that hackers could gain control over their databases, learning the identities and contact information of those contacts. They could send these individuals false messages about Ebola, and even convince them the community health workers are untrustworthy and foment community violence against them. Additionally, the degree to which data from this software is automatically integrated into DHIS2 reporting needs to be better understood. If a program like CommCare allows a hacker access to DHIS2 in the DRC, they will be able to manipulate the case load numbers and geographical locations.

Finally, supply chain vulnerabilities also apply to epidemiologic surveillance software and the devices used to diagnose, track and respond to health security emergencies. To date there are no standards or protocols in place to ensure digital health intelligence tools are free from the danger of purposefully introduced product features that render them hackable. This need not result from a lack of scruples on the part of software and device developers. Indeed, governments around the globe are, in a variety of cases, pressuring developers to grant them means of access and control over digital products and systems.

Why worry about hacking the DHIS2 program in the DRC? The DRC regions where the Ebola outbreak is now present are some of the most politically contested regions in the world. These regions have been the epicenter of two massive regional armed conflicts, known as Africa’s World Wars, over the past forty years. Foreign powers are currently jockeying for control over its mineral rich regions. The Ebola outbreak is already fodder for the local, regional, and global political struggles now unfolding there. Controlling information about the outbreak could be in the interests of many regional and global powers.

Motives

The concerns and likely vulnerabilities of health intelligence systems raise the question of why a state would attack another state in this manner. Mitigating biologic threats requires cooperation and should motivate states to share accurate information in a transparent way. Often these incentives to cooperate win the day. However, states also have strong motivations to do the opposite. States have a long history of hiding and manipulating health information to advance their interests. In modern times, this has taken the form of sponsoring health disinformation campaigns—initiatives that spread false health information, often leveraging social media to increase the speed and penetration of this disinformation into societies. The only difference between disinformation campaigns and corruption of health intelligence systems is directness. Digital health intelligence systems simply give states a new, direct, way of achieving what they have previously tried with disinformation campaigns. Below is a review of the motivations states have to attack and manipulate health intelligence systems, drawing on examples of when states have perpetrated health disinformation efforts in the past.

Undermine Trust of a Population in its Governing Institutions or Leading Administration

Digital connectivity has transformed the opportunities state actors have to sow distrust and societal discord in target groups. One goal of information warfare is to sever the bond of trust between people and their institutions and render collective action impossible.

Arguably Russia and China are active early adopters of techniques to control a population’s relationship with governing institutions by manipulating and poisoning lines of communication and information exchange.25 The 2016 US Worldwide Threat Assessment submitted to the US Senate Intelligence Committee notes, “Chinese military doctrine outlines the use of cyber deception operations to conceal intentions, modify stored data, transmit false data, manipulate the flow of information or influence public sentiments—all to induce errors and miscalculation in decision making.”26 Russian tactics, according to a study commissioned by the US Senate Select Committee on Intelligence, bank on creating “interlinked information ecosystems designed to immerse and surround target audiences.”27

One of the most successful early Soviet disinformation campaigns, Operation Infektion, took place in the 1980s. The heart of Operation Infektion was the lie that HIV was invented by the United States government as a tool of genocide against its African American and gay citizens. KGB agents planted this rumor in a single article published in a small newspaper in New Delhi, India. They then wrote additional articles, first in African media and later in the Moscow Times, citing the New Delhi article. They paid a scientist from East Germany to corroborate the “science” behind the claim. The story finally hit US nightly news screens three years later. The rumor swept through African American communities, generating enough public commentary and concern that the then leader of the USSR, Gorbachev, apologized publicly to President Reagan the following year.28 However, the false rumor proved durable. As recently as 2005, a survey of 500 randomly selected African Americans found that 48% believed HIV was a manmade virus and 16% thought the government created AIDS to control the black population.29

Today, social media platforms offer opportunities to speed up the process pioneered by Operation Infektion. In 2018, Russia undertook an extensive social media-mediated disinformation campaign to amplify the anti-vaccination movement.2 Researchers have confirmed that Russian trolls and bots tweeted anti-vaccination messages at twice to twelve times the rate of average users and Twitter users were twenty-two times more likely to come into contact with anti-vaccination messages. Furthermore, research shows exposure to these messages significantly decreases vaccine uptake.2 People who choose not to vaccinate their children report their main sources of media and news are social media platforms such as Facebook and Twitter.30 Because of these campaigns, measles outbreaks across the world have been fueled by purposeful decisions on the part of parents to not vaccinate their children, with the UK and the US currently risking their measles-free status due to large outbreaks.31

During outbreaks and public health emergencies, popular trust in public institutions is often fragile, as tensions about what actions are good for the few versus the many may cause individuals to wonder if their government is acting in their individual best interests.

The current Ebola outbreak in the DRC offers a contemporary case study of this phenomenon. The provinces of Ituri and North and South Kivu in Eastern Congo have suffered from chronic armed conflict for two decades. Distrust of the DRC government, military, and health institutions is widespread. When Ebola was first found in this already inflamed region, local and regional political figures quickly moved to use the outbreak for political gain—either denying its existence or hyping its dangers to suit whatever political agenda was at hand.

Thus, the evidence of motivation to manipulate health information (through disinformation campaigns or otherwise) in order to sow distrust between populations and their governments is firmly established in the repertoire of previous approaches to advance geopolitical interests. The ability to hack health intelligence systems would be based on the same motivations to change ground truth as those that motivate nefarious actors to engage in health disinformation campaigns, but the results would be amplified.

Disrupt Alliances, Sow Distrust Between Allies

Another powerful motivation to disrupt health intelligence systems is the ability to rupture critical alliances that are required to inform and protect the global community from the spread of pandemics. Health security depends on the trust across multiple states and organizations. Sharing information about pathogens, numbers of ill citizens, failed measures to contain an outbreak, and modes of spread already require a large measure of trust among allies. To ensure that states share relevant data, the International Health Regulations were refurbished and strengthened in response to China’s hiding of the SARS outbreak in 2004. In 2007, Indonesia’s Minister of Health accused the global health community of giving Indonesia a bad deal—using H1N1 samples provided by it but making no provision for compensating Indonesia for their samples or making any arrangements in regard to offering Indonesia access to vaccines the samples went toward developing.32 In protest, they ceased sharing H1N1 samples and opened negotiations with a vaccine development company to produce vaccine against H1N1 exclusively for Indonesia. Recently, Tanzania has received harsh rebuke from the World Health Organization for its suspected actions of hiding Ebola cases.33

Multiple states have voiced suspicion about notions of “global health security” and question alliances formed around this paradigm. In 2011, the US enacted a Hepatitis B vaccination program in Pakistan as a cover for trying to identify Osama Bin Laden. In 2014, during the Ebola outbreak, the Liberian government green-lighted a military-backed quarantine of one of the poorest neighborhoods in Monrovia. The quarantine sparked violent confrontations, leading to the deaths of dozens of civilians and ultimately failing to curb the outbreak. These examples highlight concerns about what activities could be justified under the rubric of “global health security” with concerns that this paradigm will justify essentially imperialistic interventions, spying, or even human rights violations.34 In this already fraught political environment, states may even feel justified in falsifying evidence that another state is not engaging in good faith in sharing health security data, thus rupturing fragile alliances.

Avoid Economic or Reputational Harm

Outbreaks can devastate economies. According to the Global Preparedness Monitoring Board’s 2019 report, each pandemic that has occurred in the last 15 years has cost $30 to $60 billion. West African countries impacted by the 2014 Ebola outbreaks saw a staggering 10% drop in government revenues and a 20% loss of GDP.1 Trade and tourism slow or halt altogether, and the poorest citizens pay the highest price. These dire economic consequences have led states to try to mask infectious disease outbreaks and have made the World Health Organization reluctant to declare an epidemic a Public Health Emergency of International Concern for fear the economic consequences of doing so will be more deadly than direct infection with the pathogen.

Avoiding reputational, not just economic, harm from a health issue is also a powerful state motivator. During the Sochi Olympics, Russia, as a point of national pride, hoped to demonstrate their athletes’ superior capabilities. Many of their athletes were forced or coerced into using anabolic steroids to boost their performance. Upon investigation, authorities uncovered an elaborate scheme to cover up this state-sponsored program. The cover-up included both physically breaking into labs to alter urine samples and changing digital lab reports.35

Reputational risks go beyond those that harm national pride. Nations go to great lengths to mask weaknesses of their defense forces and maintain the appearance of invulnerability and strength. Health security risks, like outbreaks among military forces, can signal weaknesses that could be exploited by an enemy. The 1918 Spanish flu pandemic offers a telling example. Nations, still engaged in World War I, were loath to allow reporting of the outbreak that quickly mushroomed into a pandemic, for fear of revealing weakness of their armed forces. The world paid a heavy price for trying to ignore or mask the severity and scale of the epidemic: an estimated 2% to 5% of the world’s population perished. Spain, neutral during the conflict, was the only European power to allow reporters to publish articles about the lethality of the emerging disease. The “reward” for this transparency was lending its country’s name to the pandemic.

Similar to killing negative news stories about outbreaks that could cause economic or reputational harm, states may conclude that hacking health intelligence systems and deleting damaging information is indeed in their best interests.

To Support a Real Attack with Biological Weapons

A more straightforward reason for attacking health intelligence systems would be to mask a bioweapons attack. The nonprofit think tank, the Nuclear Threat Initiative, ran a simulation at the 2019 Munich Security Conference involving a genetically modified bioweapon untreatable with existing medicines—the only remedy was to locate and halt the source of the attack.36 The exercise highlighted the difficulty of gathering, analyzing, and communicating health intelligence in this context. It stands to reason that a biologic attack, particularly this type of attack, would be more lethal and prolonged if data collection and communication systems themselves were disabled.

Sicken or Kill a Specific Group

Collecting and using biometric data against an adversary has a long and storied history. The origins of the US military’s humanitarian aid and Humanitarian Civic Assistance programs are rooted in 1950s counterinsurgency programs in Central America. The strategy of these programs was to lure insurgent fighters into health clinics where their personal data could be collected, along with intelligence as to the insurgent forces’ locations and vulnerabilities. This type of tactic was resurrected by the US in Afghanistan until NATO medical leaders lodged formal complaints as to its violation of the Geneva Conventions.

The access to digital health information makes it increasingly feasible to hack and manipulate military disease surveillance systems, in addition to breaking into and corrupting medical information about individuals.

Disincentives

The above section outlines the incentives states may have to hack and alter health intelligence systems based on past behavior. The disincentives to do so also deserve mention, however, since understanding these may help generate policies that promote transparent behavior and dissuade bad behavior.

It is dangerous for a state to destroy ground truth data during a health security emergency. Pathogens and other biologic hazards cross borders, and an outbreak in a nearby state will put the state’s own population at risk. Indeed, this recognition has driven stakeholders to the table repeatedly over the last four decades and brought about ratification of the International Health Regulations and Global Health Security Agenda in the first place.

Furthermore, an attack on health intelligence systems risks retaliation on the part of other states. If, for example, a state is found to be hiding cases of a deadly infectious disease, other states may impose devastating travel and trade restrictions out of proportion to the threat the infection actually poses.

It is true that significant progress has been made toward improving global health security, and in many countries political leadership is stepping up to address the challenge. According to the newly released Global Preparedness Monitoring Board first assessment, 108 countries have taken strides to come into compliance with the International Health Regulations, with many spending significant time, political capital, and money to enhance their health security preparedness.1

Nevertheless, health security imperatives often take a back seat to more conventional and longstanding security paradigms that confer economic, security, and political advantages. When states see a tradeoff between undermining an adversary and protecting an economy or supporting global health security, it is not at all clear that health security will win the day.

With respect to attacks on health surveillance being deterred by counterattacks, there is less reassurance. Unfortunately, concepts and clear policies about what constitutes an attack, and where cyberattacks and cyberwar fall on the spectrum of armed conflict, do not currently exist.3

Threat Scenarios in the Future: Motives meet Methods

Means and motivations exist to gain access to and manipulate health intelligence systems. In this section, we take a look forward—at the specific scenarios we should worry about with respect to hacks of health intelligence systems.

Scenario #1: Manipulating a response to a real, ongoing health security emergency, such as a pandemic or environmental contamination

This scenario, suggested by multiple cybersecurity experts, would involve an opportunistic attack wherein a health security emergency is already underway or is just beginning.37, 4 A hostile power, keen to sow doubts about the leadership of the affected state, would seize the moment. It would fabricate cases by hacking into lab diagnostic systems and changing negative test results of real patients to positive ones. It could undertake intermittent denial-of-service attacks on the DHIS2 or NNDSS servers so case information could not be tallied and analyzed. Distributed denial of service (DDoS) attacks, in which an attacker cuts off authorities’ access to data systems, are frequent in the healthcare industry. In the context of an emergency, a DDoS attack would not only render decision makers incapable of managing the emergency, it would also damage the health institution’s standing in the eyes of the population. Worse, a DDoS attack could be combined with a virulent disinformation campaign that accuses health officials of hiding cases, thus fomenting fear in the public and sowing distrust among allies. Health officials would deny this, only to have contrary evidence drawn from the hacked, manipulated databases leaked to the press. The attack could continue with hacks of the mobile apps that keep track of contacts exposed to the pathogen, sending them threatening messages so they avoid, or even attack, the health workers who reach out to them.

A variant of this scenario would be a state-led cyberattack that involved deleting evidence that the state was harboring cases of a deadly disease. Motivated by the economic penalty the state would pay if a PHEIC is declared and their borders are closed, they might decide to destroy any incriminating data WHO officials have access to.

Scenario #2: Creating a health security emergency when one doesn’t exist

A wholesale fabrication of an outbreak or health emergency would be less feasible. Such a ruse would be difficult to sustain over time and would likely be found out quickly, since there would be no actual patients to verify an outbreak was occurring. However, a short-term panic and rapid, inappropriate deployment of resources could be triggered by targeting a program like the Department of Homeland Security’s Biowatch initiative. As described previously, this program monitors air samples in 30 US cities for aerosolized bioweapons. Filters are tested and changed daily. Some bioweapons, especially aerosolized anthrax, are so lethal and contagious that decisions about responding if a test were to be positive have to be made within 30 minutes. The deployment of resources would be significant and costly as it would require mobilizing personnel to evacuate densely populated areas rapidly or distribute antibiotics to millions of people within 48 hours. Spoofing the Biowatch system would pay off for an attacker if the goal is to economically damage US cities, stoke popular distrust of health institutions, and create tension between federal, state, and regional authorities. Since this program has in fact had minimal security for over a decade, it could be an especially tempting target to manipulate.

Scenario #3: Harming (or unfairly helping) an individual or a specific group

The rapidly expanding digital health information environment may create an opportunity for attackers to prosecute a physical attack on specific individuals, like political leaders, by altering information in their personal medical record. With access to an EMR, hackers could alter the patient’s blood type, allergen profile, or diagnostic imaging. If EMRs are connected to other functions in the care center, like lab diagnostic testing, attackers could potentially falsify repeated confirmatory lab tests, so inaccuracies in the EMR wouldn’t be corrected if noticed by an astute patient or provider. If EMRs generate prescriptions sent to pharmacies to be filled, hackers could intercept these messages and cause pharmacies to fill the prescription with the wrong medicine, or the wrong dose of a medication.

In the context of an outbreak, attackers might want to alter the lab test result of an individual, changing it from negative to positive or vice versa. Perhaps a state wants to have its personnel, or political allies, get first access to a scarce countermeasure against a deadly outbreak, like a vaccine. To this end, they could jump the queue by falsifying a positive test result of one member of their delegation and have this “infected” person report contact with others in the favored group so they would all receive the countermeasure. Alternatively, an attacker might want to mask the number of cases of an outbreak and thus change individuals’ lab results from positive to negative.

Attacks on the integrity of medical records could also focus on a particular group of patients, such as members of an enemy state’s military. Disrupting the healthcare of this group through an integrity attack on their medical records could be one approach. While concocting a health emergency that only affects this particular group would be difficult, one approach might be to subtly alter lab results—falsify every eighth HIV test, say—such that individuals receive inappropriate treatment and the readiness of the force is degraded. Maintaining this false record over time would require familiarity with the care context so that coordinated hacking into both the lab processing the screening test and the one conducting the confirming tests could be undertaken. These types of elaborate fabrications, however, are the art of information warfare, wherein people are exposed to “interlinked information ecosystems designed to immerse and surround target audiences.”27

A variant of this type of attack could be attacking health workers through other digital systems, particularly financial ones. Bank accounts of military medical workers might be frozen, payment systems drained, or fake credit lines opened. Abrupt financial insecurity of a military’s health workforce would disrupt readiness. Likewise, doxing attacks, where an attacker releases private, embarrassing information about an individual or institution, could target military health leaders. As part of a larger information warfare operation, the resulting lack of readiness could allow a hostile power to take advantage of the disarray.38, 39

A Way Forward: A Research and Education Agenda

In the emerging world of digital health intelligence, the motives for states to attack health intelligence systems are strong, the means possible, and the stakes high enough to warrant thorough investigation and institution of preventative measures. Below we outline initial policy recommendations to be undertaken in the short term. We then turn to the research, education, and training necessary to characterize and mitigate these security threats to digital health intelligence systems.

Initial Policy Recommendations

The research and simulation activities described above are prerequisites for generating detailed policy recommendations. However, some generic policies and practices that would improve cybersecurity overall should be advanced immediately in the health intelligence space. Every global health organization, be it a public or private sector entity, needs to start thinking about this issue and take initial common sense steps to shore up health intelligence systems. Drawing from election cyber security recommendations from the Cybersecurity Campaign Playbook,40 modest ones include:

Raise awareness: Provide initial and ongoing training to staff and double-check security settings of all devices, programs and networks.

Use encrypted and secure communications: All logins should require two-factor authentication; apps like Signal or Wickr should be used for texting and calls, especially when communicating with patients.

Encourage password hygiene: Make sure default usernames and passwords are avoided and every staff member has their own unique username and strong password for each system they interact with. Requests for password resets should only be granted in person or over video conference to ensure the identity of the person making the request. Never share passwords and don’t store them using a helpdesk system.

Embrace software system hygiene: Use neutral cloud service providers and segment cloud-based storage. Patch, or update, software swiftly and know the update policies of software in your system. (Does it happen automatically? Is the software no longer being maintained?) Limit access to your systems; adopt a “policy of least privilege.” This policy partitions access, so if an employee is compromised, they do not give up the keys to the kingdom; the hacker only gets access to what the employee had access to.

Identify a prevention and response team in case of a system breach: Develop an incident response plan. If normal operations go down, what is the backup plan for recording/reporting data and communicating with emergency operations centers? Protocols for prevention and response teams should be developed and distributed by the World Health Organization for its member states and incorporated into the Global Health Security Agenda’s preparedness work.

A Research, Education and Training Agenda

A problematic feature of research in this area is that fully characterizing a cybersecurity threat to health intelligence requires multi-sector, multi-disciplinary research teams. Cybersecurity researchers can describe how an attack might be prosecuted, but health information specialists and an array of healthcare providers are needed to understand the implications and impacts such an attack might have. We recommend research into this topic be sequenced with this in mind.

Stage one research would utilize traditional cybersecurity analysis, with the logical first step being a mapping of the attack surfaces of health intelligence systems in detail. This requires cataloging all components of the system, including the software, operating systems, application components, source codes, and firewalls of each system; and then probing for vulnerabilities in the context of this holistic picture. A second step is to understand the maneuverability and degrees of freedom an attacker has once the surface of the system has been breached. This would illuminate the vulnerabilities associated with integrated digital systems and allow us to understand if, for example, hacking a public health laboratory in Missouri affords the hacker access to other laboratories’ databases. Once we characterize the attack surface and the degree of access to other nodes in the network an attacker would have, other stages of research can commence.

Stage two research would involve inputs from healthcare providers who utilize the health intelligence systems for patient care and formulating public health responses to health security emergencies. Important health constituencies to involve in this research phase include public health officials, epidemiologists, primary care and emergency medicine physicians, lab techs, pharmacists, and community health workers. These investigations would focus on playing out the scenarios described in this paper and generating others. The aim of this phase of research would be to understand the impact of working with falsified information; how it could change decision making and resource allocation; and how it could impact emergency management. From there, a discussion of the clues that data may have been manipulated and the double checks and verifications that should be developed would ensue. The goal would be to understand the impacts as well as identify coping mechanisms and responses to make health intelligence resilient in the face of challenge.
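As an illustration of the kind of “double checks and verifications” this stage would discuss, the following sketch is an added example and not part of the original paper. It assumes each lab seals its results with a keyed tag at the point of origin and that a screening result and a confirmatory result exist for each case; the lab names, keys, field names and sample records are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed per-lab secrets (assumption). A real deployment would prefer
# public-key signatures so that the verifier cannot forge results itself.
LAB_KEYS = {
    "screening-lab": b"constructed-secret-screening",
    "confirmatory-lab": b"constructed-secret-confirmatory",
}
SEALED_FIELDS = ("lab", "patient_id", "test", "result", "collected")


def _canonical(record):
    """Stable byte encoding of the fields that must never change."""
    return json.dumps(
        {name: record[name] for name in SEALED_FIELDS},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")


def seal(record):
    """Run at the originating lab: attach an HMAC-SHA256 tag to a result."""
    key = LAB_KEYS[record["lab"]]
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {**record, "tag": tag}


def verify(record):
    """Run by the receiving system before it trusts a stored result."""
    try:
        key = LAB_KEYS[record["lab"]]
        expected = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, record["tag"])
    except (KeyError, TypeError):  # unknown lab, missing field, bad tag type
        return False


def audit(records):
    """Return (finding, patient_id, test) tuples for records needing review.

    tag_mismatch:  the stored record no longer matches what the lab sealed.
    labs_disagree: two intact results from independent labs contradict each
                   other, so the case needs a human look or a retest.
    """
    findings = []
    verified = {}
    for rec in records:
        case = (rec.get("patient_id"), rec.get("test"))
        if not verify(rec):
            findings.append(("tag_mismatch",) + case)
            continue
        verified.setdefault(case, {})[rec["lab"]] = rec["result"]
    for case in sorted(verified):
        if len(set(verified[case].values())) > 1:
            findings.append(("labs_disagree",) + case)
    return findings


def constructed_sample():
    """Six constructed results; one is edited after the lab sealed it."""
    def result(lab, patient_id, value):
        return seal({"lab": lab, "patient_id": patient_id, "test": "HIV",
                     "result": value, "collected": "2020-01-15"})

    records = [
        result("screening-lab", "P1", "negative"),
        result("confirmatory-lab", "P1", "negative"),
        result("screening-lab", "P2", "negative"),
        result("confirmatory-lab", "P2", "negative"),
        result("screening-lab", "P3", "positive"),
        result("confirmatory-lab", "P3", "negative"),
    ]
    # Simulate a record changed in storage after sealing (tag left as it was).
    records[2] = {**records[2], "result": "positive"}
    return records


if __name__ == "__main__":
    for finding in audit(constructed_sample()):
        print(finding)
```

A check like this only shows that a record changed after the lab sealed it; it cannot detect a result that was falsified inside the lab before sealing, which is why the cross-lab comparison is kept as a separate finding.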

A third stage of research requires inputs from security theorists, diplomats, and security policymakers. This stage of research focuses on, given these threat models and impacts, what types of governance could increase the costs for bad behavior and increase the rewards for good behavior. It would consider how the global health security governance space can be structured to align with these incentives. The ultimate goal of this stage of research is to generate sound, comprehensive policy recommendations for global health and security policymaking bodies such as the UN Security Council and the World Health Organization.

Simulations can be effective learning tools to educate groups of leaders who must work together to address a problem. Using the research outlined above, simulations would be developed to train leaders in how to recognize and defend against hacking of health intelligence systems. To be effective these simulations would require participation across stakeholders and employ “whole of government” or “whole of response” methodologies wherein leaders from multiple public sectors and at different levels of government participate.

Conclusion

The digital revolution in health has created an unparalleled playing field for nefarious actors to wreak havoc with health-related data, thereby creating widespread vulnerabilities to health security. Recent experiences with health disinformation campaigns demonstrate the advantages some actors see in undermining health institutions and systems. This paper is concerned with the notion that health intelligence systems—those that gather, analyze, and communicate information critical to promoting health security—could themselves become a target. The motivations and means exist to attack these systems, and the consequences of such an attack could be devastating. To date, we haven’t experienced an attack on bedrock data and communications systems that underpin health security emergency mitigation. This signals that we have a window of opportunity in which to act. We should seize the opportunity and commit to the research, training, and policy development that can inform the creation of a more secure and healthier world.

Glossary

Acronym | Title | Description
CDC | Centers for Disease Control and Prevention | The Centers for Disease Control and Prevention is the leading national public health institute of the United States. The CDC is a United States federal agency under the Department of Health and Human Services and is headquartered in Atlanta, Georgia.
DDoS | Distributed Denial of Service | In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.
DHIS2 | District Health Information System 2 | The DHIS2 is an open source, web-based health management information system that is used by 67 low- and middle-income countries totaling 30% of the global population—making it the world’s largest health management information system. The platform allows for data warehousing, using Amazon’s Web Services as a storage platform.
ELR | Electronic Laboratory Reporting | The electronic transmission from laboratories to public health of laboratory reports which identify reportable conditions.
EMR | Electronic medical records | A digital version of the paper charts in the clinician’s office. An EMR contains the medical and treatment history of the patients in one practice.
EOC | Emergency Operations Center | The DRC’s national Emergency Operations Center (EOC), established prior to March 2018 and now funded by the U.S. Centers for Disease Control and Prevention (CDC) via the Global Health Security Agenda.
GHSA | Global Health Security Agenda | The Global Health Security Agenda (GHSA) is a group of countries, international organizations, NGOs and private sector companies that have come together to advance a world safe and secure from infectious disease threats.
GPMB | Global Preparedness Monitoring Board | The Global Preparedness Monitoring Board (GPMB) is an independent monitoring and accountability body to ensure preparedness for global health crises, created in response to recommendations by the UN Secretary General’s Global Health Crises Task Force in 2017. The GPMB was co-convened by the World Health Organization and the World Bank Group and formally launched in May 2018. Comprised of political leaders, agency principals and world-class experts, the Board provides an independent and comprehensive appraisal for policy makers and the world about progress towards increased preparedness and response capacity for disease outbreaks and other emergencies with health consequences.
HHS | Health and Human Services | The United States Department of Health & Human Services, also known as the Health Department, is a cabinet-level department of the U.S. federal government with the goal of protecting the health of all Americans and providing essential human services.
IHR | International Health Regulations | The International Health Regulations are a legally binding instrument of International law signed by 196 countries. The purpose and scope of the IHR are to prevent, protect against, control and provide a public health response to the international spread of disease.
JEE | Joint External Evaluations | Joint External Evaluations are voluntary, collaborative, multisectoral processes to assess country capacities to prevent, detect, and rapidly respond to public health risks whether occurring naturally or due to deliberate or accidental events.
LIMS or LIS | Laboratory Information Management Systems | A laboratory information management system (LIMS), sometimes referred to as a laboratory information system (LIS) or laboratory management system (LMS), is a software-based solution with features that support a modern laboratory’s operations. Key features include—but are not limited to—workflow and data tracking support, flexible architecture, and data exchange interfaces, which fully “support its use in regulated environments”. The features and uses of a LIMS have evolved over the years from simple sample tracking to an enterprise resource planning tool that manages multiple aspects of laboratory informatics.
LIMSi | Laboratory Information Management Systems Integration | LIMSi was launched by the CDC in 2010 to speed data exchange by integrating the software used by the Laboratory Response Network to store their internal records with an automatic messaging system to send critical results directly to the CDC.
LRN | Laboratory Response Network | A program implemented and administered by the CDC in 1999 to link the labs of other Federal agencies into a network so as to streamline and coordinate monitoring of health security threats.
MONUSCO | The United Nations Organization Stabilization Mission in the Democratic Republic of the Congo | The United Nations peacekeeping force in the Democratic Republic of the Congo (DRC).
NEDSS | National Electronic Disease Surveillance System | A cloud computing environment, giving members a shared pool of configurable computer software programs to enter and analyze data.
NNDSS | National Notifiable Disease Surveillance System | The NNDSS provides the underlying data that public health officials at CDC need to monitor disease trends, study risk factors, evaluate prevention and control efforts, and target public health resources. Hospitals, laboratories, and healthcare providers send data to local and state public health departments who then voluntarily submit data to CDC to include in NNDSS.
NSSP | National Syndromic Surveillance Program | NSSP is a collaboration among CDC, federal partners, local and state health departments, and academic and private sector partners who have formed a community of practice. They collect, analyze, and share electronic patient encounter data to detect, characterize, monitor, and respond to events of public health concern. Syndromic data can serve as an early warning system for public health concerns such as flu outbreaks and have been used in responses for opioid overdoses, vaping-associated lung disease, Zika virus infection, and natural disasters.
PACS | Picture Archiving and Communication Systems | A picture archiving and communication system (PACS) is a medical imaging technology which provides economical storage and convenient access to images from multiple modalities (source machine types). Electronic images and reports are transmitted digitally via PACS; this eliminates the need to manually file, retrieve, or transport film jackets, the folders used to store and protect X-ray film.
PCR | Polymerase Chain Reaction | Thermal cyclers, or PCR Machines, are DNA amplifiers that allow for detection and diagnosis of pathogens in submitted samples.
PHEIC | Public Health Emergencies of International Concern | The term Public Health Emergency of International Concern is defined in the IHR as “an extraordinary event which is determined to constitute a public health risk to other States through the international spread of disease; and to potentially require a coordinated international response”. This definition implies a situation that: is serious, unusual or unexpected; carries implications for public health beyond the affected State’s national border; and may require immediate international action. The responsibility of determining whether an event is within this category lies with the WHO Director-General and requires the convening of a committee of experts—the IHR Emergency Committee.
USAMRIID | US Army’s Medical Research Institute for Infectious Disease | The U.S. Army’s main institution and facility for defensive research into countermeasures against biological warfare. It is located on Fort Detrick, Maryland and is a subordinate lab of the U.S. Army Medical Research and Development Command (USAMRDC), headquartered on the same installation.
WHO World Health Organization The World Health Organization is a specialized agency of the United Nations that is concerned with international public health. It was established on 7 April 1948, and is headquartered in Geneva, Switzerland.

Endnotes

1. Global Preparedness Monitoring Board. A World At Risk: Annual Report on Global Preparedness for Health Emergencies. Geneva: World Health Organization; 2019. https://apps.who.int/gpmb/assets/annual_report/GPMB_annualreport_2019.p…. Accessed November 10, 2019.

2. Broniatowski DA, Jamison AM, Qi S, et al. Weaponized Health Communication: Twitter Bots and Russian Trolls Amplify the Vaccine Debate. Am J Public Health. 2018;108(10):1378-1384. doi:10.2105/AJPH.2018.304567

3. Schneier B. Click Here to Kill Everybody: Security and Survival in a Hyper-Connected World. W. W. Norton & Company; 2018.

4. Schneier B. Opinion | We Must Prepare for the Next Pandemic. The New York Times. https://www.nytimes.com/2019/06/17/opinion/pandemic-fake-news.html. Published June 17, 2019. Accessed October 13, 2019.

5. Friedman B. LIS vs. LIMS: It’s Time to Blend the Two Types of Lab Information Systems. Lab Soft News. https://labsoftnews.typepad.com/lab_soft_news/2008/11/liss-vs-limss-its…. Published November 4, 2008. Accessed October 13, 2019.

6. FAQ About the Laboratory Response Network (LRN). Center for Disease Control and Prevention. https://emergency.cdc.gov/lrn/faq.asp. Published April 22, 2019. Accessed December 9, 2019.

7. Jackson H. Securing the BioWatch Web Portal. J Bioterrorism Biodefense. 2017;8(1):4.

8. Office of the Inspector General. Office of Health Affairs Has Not Implemented An Effective Privacy Management Program. Department of Homeland Security; 2017:31. https://www.oig.dhs.gov/sites/default/files/assets/2017-12/OIG-18-20-No….

9. Baumgaertner E. It was sensitive data from a U.S. anti-terror program—and terrorists could have gotten to it for years, records show. Los Angeles Times. https://www.latimes.com/science/sciencenow/la-sci-biowatch-20190402-sto…. Published August 25, 2019. Accessed October 11, 2019.

10. Meijer JW. A Model for Internet Traffic Growth. Acta Nova. 2007;3:11.

11. Adefala L. Healthcare Experiences Twice the Number of Cyber Attacks As Other Industries. Fortinet Blog. March 2018. https://www.fortinet.com/blog/business-and-technology/healthcare-experi…. Accessed October 11, 2019.

12. Zetter K. It’s Insanely Easy to Hack Hospital Equipment. Wired. April 2014. https://www.wired.com/2014/04/hospital-equipment-vulnerable/. Accessed October 11, 2019.

13. Zetter K. Hospital viruses: Fake cancerous nodes in CT scans, created by malware, trick radiologists. Washington Post. https://www.washingtonpost.com/technology/2019/04/03/hospital-viruses-f…. Published April 3, 2019. Accessed October 11, 2019.

14. Mirsky Y, Mahler T, Shelef I, Elovici Y. CT-GAN: Malicious Tampering of 3D Medical Imagery using Deep Learning. In: 28th USENIX Security Symposium; 2019. http://arxiv.org/abs/1901.03597. Accessed October 11, 2019.

15. Creating a National Health Information System in the DRC. IMA World Health. https://imaworldhealth.org/creating-a-national-health-information-syste…. Published March 23, 2017. Accessed July 8, 2019.

16. DHIS2 Hosting. BLUESQUARE. https://bluesquarehub.com/services/dhis2-hosting/. Published February 12, 2019. Accessed November 4, 2019.

17. Collect, Manage, Visualize and Explore your Data. DHIS2. https://www.dhis2.org/. Accessed July 8, 2019.

18. World Health Organization. Evaluation Externe Conjointe Des Principales Capacités RSI de La Republique Démocratique Du Congo.; 2018.

19. Shaw A. The promise of a digitally connected DR Congo. PATH. March 2019. https://www.path.org/articles/digital-congo-ebola/. Accessed July 8, 2019.

20. RDC EVD Contract Tracing. Digital Health Atlas. https://digitalhealthatlas.org/en/-/projects/1176/published. Accessed December 9, 2019.

21. PATH. Digitalizing the Ebola response. PATH. November 2018. https://www.path.org/articles/digitalizing-ebola-response/. Accessed July 8, 2019.

22. WHO | Ebola virus disease—Democratic Republic of the Congo. WHO. http://www.who.int/csr/don/06-june-2019-ebola-drc/en/. Accessed July 2, 2019.

23. New technology allows for rapid diagnosis of Ebola in Democratic Republic of the Congo. WHO | Regional Office for Africa. https://www.afro.who.int/news/new-technology-allows-rapid-diagnosis-ebo…. Accessed July 9, 2019.

24. McMillan R. Senators Ask FTC to Investigate Amazon Over Capital One Hack. Wall Street Journal. https://www.wsj.com/articles/senators-ask-ftc-to-investigate-amazon-ove…. Published October 24, 2019. Accessed November 4, 2019.

25. Grady J. Panel: Kremlin Now Reaping Benefits From Years of Investment in Information Warfare. USNI News. June 2018. https://news.usni.org/2018/06/12/panel-kremlin-now-reaping-benefits-yea…. Accessed October 12, 2019.

26. Clapper JR. Worldwide Threat Assessment of the US Intelligence Community. Washington, DC: Senate Armed Services Committee; 2016:33.

27. DiResta R, Shaffer DK, Ruppel B, et al. The Tactics & Tropes of the Internet Research Agency. New Knowl. 2018:101.

28. Ellick AB, Westbrook A. Opinion | Operation Infektion: A three-part video series on Russian disinformation. The New York Times. https://www.nytimes.com/2018/11/12/opinion/russia-meddling-disinformati…. Published November 12, 2018. Accessed October 12, 2019.

29. Bogart LM, Thorburn S. Are HIV/AIDS conspiracy beliefs a barrier to HIV prevention among African Americans? J Acquir Immune Defic Syndr 1999. 2005;38(2):213-218. doi:10.1097/00126334-200502010-00014

30. Wachob DA, Boldy A. Social Media’s Influence on Parents’ Decision-Making Process of Child Vaccinations. Epidemiol Biostat Public Health. 2019;16(1):5.

31. New Scientist Staff and Press Association. The UK has lost its World Health Organization ‘measles-free’ status. New Sci. 2019;3244. https://www.newscientist.com/article/2213764-the-uk-has-lost-its-world-…. Accessed December 2, 2019.

32. Fidler DP. Indonesia’s Decision to Withhold Influenza Virus Samples from the World Health Organization: Implications for International Law | ASIL. /insights/volume/11/issue/4/indonesias-decision-withhold-influenza-virus-samples-world-health. Published February 28, 2007. Accessed October 12, 2019.

33. Mole B. Possible cover-up of Ebola outbreak in Tanzania prompts travel warnings. Ars Technica. https://arstechnica.com/science/2019/09/possible-cover-up-of-ebola-outb…. Published September 30, 2019. Accessed October 12, 2019.

34. Kamradt-Scott A. Global health security First Steps. BMJ Glob Health Initiatives. 2015. https://www.bmj.com/company/global-health-ii/global-health-security-and…. Accessed October 12, 2019.

35. McLaren RH. Investigation of Sochi Allegations. World Antidoping Agency; 2016:151. https://www.wada-ama.org/sites/default/files/resources/files/mclaren_re….

36. Tabletop Exercise for Senior Global Leaders on International Response to Deliberate Biological Events. NTI. https://www.nti.org/about/projects/global-biosecurity-dialogue/tabletop…. Published February 14, 2019. Accessed October 13, 2019.

37. Walker J. Civil Society’s Role in a Public Health Crisis. Issues Sci Technol. December 2016. https://issues.org/civil-societys-role-in-a-public-health-crisis/. Accessed October 13, 2019.

38. Schneier B. Future Cyberwar. Schneier on Security. August 2018. https://www.schneier.com/blog/archives/2018/08/future_cyberwar.html. Accessed November 25, 2019.

39. Cancian MF. Coping with Surprise in Great Power Conflicts. CSIS; 2018:154. https://csis-prod.s3.amazonaws.com/s3fs-public/publication/180227_Canci….

40. Mook R, Rhoades M, Rosenbach E. Cybersecurity Campaign Playbook. Belfer Center for Science and International Affairs; 2017. https://www.belfercenter.org/CyberPlaybook. Accessed July 19, 2019.


a Health Security is the collective ability to mitigate health threats that have the potential to destabilize societies, states, and regions. Its goal is to establish resilient health systems in order to achieve peace and security for all.

b Health Intelligence refers to the interpretation, analysis, processing, and generation of knowledge that can inform situational awareness of health security threats.

c Hacking is the gaining of unauthorized access to data in a system or computer.
