
Bill targets suicide hotline vulnerabilities after cyberattack on Intrado


A newly proposed bipartisan bill takes aim at the cybersecurity challenges facing the national suicide hotline, brought to light after a cyberattack led to widespread outages of the system in December.

Dubbed the 9-8-8 Lifeline Cybersecurity Responsibility Act, the bill from Reps. Jay Obernolte, R-Calif., and Tony Cárdenas, D-Calif., aims to reduce the risk of future service disruptions by mitigating known security vulnerabilities.

The bill comes on the heels of a cyberattack deployed against the telecommunications vendor Intrado on Dec. 1. Multiple unconfirmed reports attributed the attack to the Royal ransomware threat group, which posted Intrado on its dark web leak site in the weeks after the attack.

What is clear is that the incident sparked widespread outages across all of Intrado’s services, including those serving the healthcare sector and the national suicide hotline. The company’s phone lines were also brought down during the attack, with customers urged to email or use the chat box for communication.

Although the suicide hotline outage lasted for less than a day, a Department of Health and Human Services spokesperson called the disruption “unacceptable” as the line is critical for veterans, military service members, and other individuals suffering with suicidal thoughts.

“People across America rely on access to the 988 Lifeline for help during a mental health crisis,” said Cárdenas, in a press release. “Failure to protect the lifeline from cybersecurity breaches could delay care or endanger callers.”

The proposal would amend the statute that gives the 9-8-8 program the authority to require better coordination for reporting potential cybersecurity vulnerabilities within the service line.

Specifically, the hotline leadership would be empowered to coordinate with the HHS CIO to take necessary steps to ensure the program is better protected from known cybersecurity vulnerabilities. The bill language suggests these flaws can be eliminated; however, even the strongest cyber programs struggle to accomplish such a feat.

The bill does call for greater funding directed specifically to protecting the privacy of individuals, while ensuring coordination of threat sharing with the HHS assistant secretary. What’s more, it also calls for a study to review current risks and vulnerabilities to the program to be submitted to Congress.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
