Cyber vulnerabilities involve risk management; perfect cybersecurity is impossible with currently deployed technologies. At present, it is therefore impossible to defend against all Chinese, state-backed or non-state-backed cyberattacks on the health care sector. China’s ever-expanding arsenal of potential methods for cyberattacks is too sophisticated to be completely blocked. It also is prohibitively expensive to invest in perfect resiliency for all vulnerable sectors of the U.S. healthcare system. As with all aspects of risk management, prioritization of resources spent on resiliency and defense is crucially important to protecting the safety and privacy of U.S. citizens and the assets of the U.S. biotechnology and health care sectors.
The 2024 Change Healthcare attack demonstrated the vulnerability of U.S. citizens’ personal medical data. These attacks, which the Chinese government is believed to have sponsored, leaked sensitive data relating to one in every three Americans online. The attacks may directly benefit China’s economic competitiveness. Biomedical data are among the most valuable pieces of intellectual property to biotechnology researchers, whether academic, commercial, or military. Attacks on third party vendors such as Change Healthcare therefore present a major national security issue for the United States. Such attacks target the two types of U.S. intellectual property at most risk in the health care sector: vaccine research and medical data.
China’s stated plan is to dominate the bioeconomy by aggregating medical data. At the same time China is not spending nearly as much money attaining that data through typical research efforts as its central role in industrial policy would suggest is needed. Most research spending pouring into the sector is going to applications of biomedical “big data” to relevant end goals. At the same time, attacks that are likely from PRC state-sponsored hackers acquiring enormous quantities of U.S. biomedical data are seen.
Hacking may be the easiest and least expensive way to obtain valuable data, and the PRC has a long history of both hacking and data theft. Successful attribution, indictment and even arrest of Chinese hackers have not deterred China. A great deal of valuable medical data, especially data describing expensive medical testing or treatment, is American. Due to both privacy and national security concerns, the easiest way to obtain such sensitive U.S. data is to steal it. The PRC priority placed on medical data means that to protect the competitive position of the U.S. biomedical sector and the medical privacy of U.S. citizens requires the protection of the data of parties not directly providing care or undertaking research.
China sees developing epidemic and pandemic resilience and gaining influence in international health decisions related to infectious diseases as shorter term goals framed as directly relevant to national security. Thus, the PRC likely will continue to steal data directly relevant to vaccine manufacturing. Two sectors to watch for direct theft are areas upstream of biological data, such as medical devices, genetic testing, and areas with highly specialized data sets or a limited ability to be analyzed with existing computer technology.
In general, areas that support goals that are long term and that this study has determined to be low priority such as the integration of biotechnology and information technology are less likely to be the subject of direct cyberattack. It is unlikely, for example, that China will burn zero day attacks on data related to personalized medicine or stem cell therapies, two low priority long term goals.
Why might China focus cyber-attack efforts on biomedical data rather than direct sources of biotechnology?
China currently faces simultaneous civil and economic crises related to its own health care sector. These crises include China’s low fertility rate, aging labor force, lack of economically sustainable pandemic readiness, and the welcoming of non-Chinese nationals into the Chinese health care sector. China is also in the midst of a housing bubble collapse and in deep local government debt. Here China frames each of these issues in terms of national security and invokes principles of Military-Civil-Fusion while addressing them.
Immediate military and industrial policy interventions likely will not be enough to bring these economic and social crises to an end. Each of these problems involves health care, requiring a different intervention from the medical and biotechnology sectors. China itself says it is years behind the United States in these fields. On the other hand, simply stealing intellectual property relevant to fertility, diseases affecting older workers, and expensive pharmaceuticals will not enable China to develop an indigenous state-of-the-art healthcare and pharmaceutical industry that is capable of producing its own state of the art health care systems and pharmaceuticals.
Despite China’s formidable record in replicating foreign products and methods, even those having to do with advanced weaponry, formulae for drugs and devices are too diverse to steal in quantities that will make an impact on PRC public health. Stealing formulae may assist Chinese manufacturing over time, but theft by itself is not enough. China understands that it will need expertise in order to be dominant in biotechnology and provide solutions to fix its internal health-related issues. In an earlier era China stole U.S. nuclear weapons design information and had the expertise successfully to manufacture its own nuclear weapons based on the stolen information.
According to China’s official planning documents, instead of attacking the majority of downstream health-related goals head-on, the PRC will instead attempt to control their upstream access to big medical data and downstream to the medical sector. Using the leverage unique access to a diverse and integrated set of big medical data would provide, China plans to dominate the midstream and downstream expertise and manufacturing in the medical sector by using big data analysis techniques to discover new potential medical interventions. Creating that unique set may rely on a willingness to steal, a lack of privacy concerns, and an exchange of cheap services in the biomedical sector for access to medical data.
