What the AHA Advisory Covers
The American Hospital Association (AHA) is directing health systems to a critical federal advisory. The advisory warns that Chinese state-affiliated hackers actively use “covert networks” of compromised devices to plan and execute cyberattacks against U.S. infrastructure. Specifically, these actors exploit networks of already-infected devices — often called botnets — to mask their origin and evade detection while carrying out espionage and pre-positioning for disruptive strikes.
The federal advisory, issued by the Cybersecurity and Infrastructure Security Agency (CISA), outlines the shifting tactics these threat actors employ. Additionally, the AHA published a news release on April 24 to ensure hospitals understand the direct relevance of these tactics to their operations.
Why Hospitals Face Heightened Risk
Hospitals Are Critical Infrastructure Targets
Hospitals and health systems fall under the category of critical infrastructure. As a result, they draw significant attention from nation-state cyber actors. John Riggi, AHA national security advisor for cybersecurity and risk, emphasized this point clearly.
“Health systems are considered critical infrastructure and have been exposed to China-affiliated malware campaigns such as Volt Typhoon and Flax Typhoon,” Riggi stated. “These Typhoon campaigns have used covert networks to conduct espionage and pre-position for disruptive attacks against other healthcare-dependent critical infrastructure.”
Furthermore, healthcare organizations hold vast quantities of sensitive patient data. This makes them valuable targets for both espionage operations and potential leverage in geopolitical conflicts.
Volt Typhoon and Flax Typhoon Campaigns
Understanding the Typhoon Threat Groups
Two named campaigns — Volt Typhoon and Flax Typhoon — represent the most prominent examples of China-affiliated cyber operations targeting U.S. healthcare and critical infrastructure.
Volt Typhoon focuses on long-term infiltration. Instead of deploying noisy malware, the group uses “living off the land” techniques — exploiting legitimate system tools to avoid detection. Consequently, traditional signature-based security tools often fail to catch them.
Flax Typhoon similarly targets routers, cameras, and other internet-connected devices to build covert proxy networks. These compromised consumer and enterprise devices serve as relay points, helping threat actors disguise their true locations while conducting attacks.
Both campaigns share a common goal: to pre-position within critical infrastructure networks before any future conflict escalates. Therefore, healthcare organizations must treat this threat as an active and ongoing concern — not a distant or theoretical risk.
What Health Systems Must Do Now
Four Priority Actions From the AHA
Riggi outlined four specific steps health systems should take in response to this advisory:
1. Review device inventories. Hospitals must audit all connected devices and identify those that are unpatched or running outdated software. Compromised endpoints are a primary entry point for these actors.
2. Update work-from-home tech policies. Remote work expanded the attack surface significantly. Health systems should reassess the security posture of all remote access tools and home network connections used by staff.
3. Monitor web traffic more aggressively. Security teams need to watch for abnormal outbound traffic patterns. Unusual data flows to unexpected destinations can signal covert communication with threat actor infrastructure.
4. Adopt behavior-based cyber defenses. Traditional defenses that rely on known malware signatures fall short against Typhoon-style attacks. Instead, behavior-based detection tools identify anomalous activity patterns that indicate an intrusion — even when no known malware signature is present.
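As an added illustration of priorities 3 and 4 (this is example code, not part of the AHA or CISA advisory), the script below runs two behavior-based checks over constructed outbound flow records: an external destination absent from a baseline, and connections repeating at near-constant intervals (beaconing), which is how a relay node in a covert proxy network tends to look in traffic even when no malware signature fires. Host names, addresses, the baseline set and the thresholds are all constructed assumptions.

```python
"""Behavior-based flagging of outbound flows. Constructed example; hostnames,
addresses, baseline and thresholds are assumptions, not advisory data."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed flow records: timestamp, source host, destination IP, port, bytes.
FLOWS = """\
2025-04-24T09:00:00 infusion-pump-12 10.0.5.20 443 1200
2025-04-24T09:05:00 infusion-pump-12 10.0.5.20 443 1100
2025-04-24T09:00:03 nurse-ws-07 198.51.100.14 443 900
2025-04-24T09:10:03 nurse-ws-07 198.51.100.14 443 910
2025-04-24T09:20:03 nurse-ws-07 198.51.100.14 443 905
2025-04-24T09:30:03 nurse-ws-07 198.51.100.14 443 898
2025-04-24T09:02:00 nurse-ws-07 203.0.113.9 443 45000
"""
# Constructed baseline: external destinations seen during the prior 30 days.
KNOWN_EXTERNAL = {"203.0.113.9"}
# Hospital-internal ranges (assumed); flows staying inside them are ignored.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

def parse_flows(text):
    rows = []
    for line in text.splitlines():
        ts, host, dst, port, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), host, dst, int(port), int(nbytes)))
    return rows

def is_internal(dst):
    return any(ip_address(dst) in net for net in INTERNAL_NETS)

def find_suspicious(rows, known=KNOWN_EXTERNAL, min_hits=4, max_jitter=0.1):
    """Return {(host, dst): [reasons]} for outbound pairs that are either
    new relative to the baseline or beacon at near-constant intervals."""
    by_pair = defaultdict(list)
    for ts, host, dst, _port, _nbytes in rows:
        if not is_internal(dst):
            by_pair[(host, dst)].append(ts)
    findings = {}
    for (host, dst), times in by_pair.items():
        reasons = []
        if dst not in known:
            reasons.append("new external destination")
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Beaconing: enough hits and interval jitter within max_jitter of the mean.
        if len(times) >= min_hits and mean(gaps) > 0 and pstdev(gaps) <= max_jitter * mean(gaps):
            reasons.append(f"beaconing every ~{mean(gaps):.0f}s")
        if reasons:
            findings[(host, dst)] = reasons
    return findings

if __name__ == "__main__":
    for pair, why in find_suspicious(parse_flows(FLOWS)).items():
        print(pair, why)
```

A real deployment would feed this from flow or proxy logs and join the flagged host against the device inventory from priority 1, so that an unpatched device beaconing to a never-seen destination is escalated first.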
Building Stronger Cyber Defenses
Moving Beyond Perimeter Security
The Typhoon campaigns illustrate a critical lesson: perimeter-based security alone is no longer sufficient. These threat actors operate patiently, embed themselves quietly, and rely on legitimate infrastructure to avoid raising alarms. Therefore, hospitals must rethink their entire cyber defense posture.
Behavior-based tools — including endpoint detection and response (EDR) platforms and network traffic analysis solutions — provide the visibility needed to catch these stealthy intrusions. Moreover, zero-trust architecture, which requires continuous verification of every user and device, significantly limits the lateral movement of threat actors who do manage to gain initial access.
Finally, regular tabletop exercises help clinical and IT teams rehearse response procedures before a real incident occurs. Preparedness dramatically reduces recovery time and operational disruption when attacks do happen.
Key Takeaways for Healthcare Leaders
Staying Ahead of the Threat
The AHA advisory makes one thing clear: Chinese state-affiliated cyber actors actively view U.S. hospitals as strategic targets. Health systems cannot afford to treat this as a low-priority concern. Instead, proactive investment in device hygiene, behavior-based detection, and staff cyber awareness is essential.
In summary, hospitals must act on the four priorities the AHA outlined — auditing devices, hardening remote access policies, monitoring network traffic, and adopting modern detection tools. By doing so, they move from reactive to resilient — better positioned to withstand threats from Volt Typhoon, Flax Typhoon, and any future campaigns that follow the same playbook.
