CISA turns to security experts with street cred to protect health sector

Josh Corman, who has long evangelized for medical-device security, will help expand the agency’s attempts to secure networks during the pandemic.
Josh Corman, a cybersecurity professional long focused on the health sector, is among the new CISA hires. (Flickr/New America)

The Department of Homeland Security’s cybersecurity agency is ramping up its efforts to protect medical organizations from hacking during the coronavirus pandemic by hiring multiple security specialists with strong ties to the health care sector, CyberScoop has learned.

As the race for a vaccine intensifies, DHS’s Cybersecurity and Infrastructure Security Agency is turning to Josh Corman, who has long evangelized for medical-device security, to help expand the agency’s attempts to secure private-sector networks during the pandemic. Rob Arnold, a former private-sector executive focused on small businesses’ cybersecurity, is also joining CISA to advise on how COVID-19 has changed cyber risk for critical infrastructure companies.

Corman, a former security specialist at IBM, has joined CISA as a visiting researcher and will play a key role in the agency’s COVID-19 response with security advice on health care infrastructure, the agency is expected to announce later Wednesday. Beau Woods, who previously worked on cybersecurity at the U.S. Food and Drug Administration, is also expected to begin working with CISA in the coming weeks, pending administrative paperwork.

Corman and Woods’ volunteer organization, I Am The Cavalry, has connected white-hat hackers interested in fixing software vulnerabilities with agencies like the FDA. Now the pair faces one of the biggest challenges of their careers yet: helping the broader push to use federal resources to make hospitals, clinics and drug companies more secure from hacking. The lessons learned from their work could apply to boosting security in other sectors.


The hiring, done through the $2.2 trillion stimulus package that Congress allocated to fight the virus in March, reflects the ongoing battle to guard U.S. research labs and pharmaceutical companies from an array of hacking threats. The announcement comes the day after the Department of Justice unveiled the indictment of two men for allegedly working on behalf of a Chinese intelligence agency to steal data from U.S. firms working on a potential vaccine.

As staples of popular Las Vegas hacking conferences like DEF CON and BSides, Corman and Woods are seen as trusted brokers between the Washington-weary federal officials and tattooed security researchers who attend the events. They also have a thick rolodex of security contacts across the health care sector that they’ll need to tap in their new roles.

A shift in resources

The new hires are part of a shift in resources that CISA has made to protect pharmaceutical supply chains and research labs during the pandemic. U.S. officials have watched with alarm as hackers have hit various health-sector organizations around the world, including a ransomware attack in May on a German health care conglomerate that hobbled some of the organization’s pharmaceutical operations.

“We are seeing adversaries that are targeting our pharmaceutical companies, pharmaceutical research, laboratory companies, testing and really even out into the future manufacturing of the vaccine systems,” Bryan S. Ware, an assistant director at CISA, said last month.


In the face of those threats, U.S. officials from multiple agencies, including the FBI, have identified a “Tier 1” list of companies and universities that are most critical to developing treatment and a vaccine for the virus. CISA officials say they have scanned an increasing number of devices on those organizations’ networks for vulnerabilities.

Greg Garcia, executive director for cybersecurity at the Health Sector Coordinating Council, an industry group that works with the government on security, credited CISA for hiring health-care-focused security experts and working closely with the council during the pandemic.

Now, Garcia said, he wants to see agency officials improve the security alerts CISA sends to industry so that they clearly identify the potential impact of a given threat on the health sector. CISA should also continue its efforts to make these alerts “more timely and actionable,” Garcia said.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.