Why DOD cares about hospital network attacks

Shutterstock image: medical professional monitoring a patient's heartbeat.

A senior Defense Department official said there needs to be better technology and increased cooperation when it comes to securing the servers and health IT equipment at medical institutions.

"We have to take incidents like hospital hacking extremely seriously, go after those people, make sure there is accountability for criminal behavior," Richard Hale, DOD's deputy CIO for cybersecurity, said during a panel discussion on Feb. 17. "But we've got to fix the technology."

He was referring to the recent attack against Hollywood Presbyterian Medical Center in which hackers are blocking access to the center's servers until they receive $3.6 million in bitcoin. As a result, the center's staff has reportedly been unable to access patient information, and a significant communication breakdown has occurred.

Protecting private health care systems is not a DOD mission, of course, but the Pentagon is a massive medical provider in its own right. "The problem with this is that bad guys aren't waiting," Hale said. "It will take [DOD] a while, and it will cost us some money to move to stronger access control on medical devices."

Much of the critical and highly computerized medical equipment used today is not designed to handle public-key infrastructure or other means of securing access. Some don't even allow for a simple password. Furthermore, "there are all kinds of regulatory requirements on safety that have to be met before you go fiddling with these things," Hale said.

He added that DOD officials are attempting to establish security standards for buying medical devices, though he acknowledged that additional controls can create unacceptable complexity. "But we also try to put an escape clause in this plan [that allows a military health agency CIO to] approve exceptions where it doesn't make any sense for now or can approve alternate forms of control," he said.

In many ways, the risks to health IT are just another example of the expanding attack surface that DOD must defend, Hale said. Whether it's medical devices or massive weapons systems, "if it's got a computer in it, it can be cyberattacked," he added. "It doesn't matter if it's connected to a network.... And if it's a DOD thing, there's the higher chance that it might be cyberattacked."

So Hale said his job is to make sure "all of the embedded computing in the department" has the right cybersecurity properties.

Unlike DOD's core networks, "none of this stuff was designed to resist cyberattacks," he said. "It was built for a benign environment, [and the] environment for all computer science is no longer benign."

When it comes to health IT, Hale acknowledged that it will take time to develop standards and it will be "painful for a while." He also stressed the need too work with law enforcement on such matters.

About the Author

Aisha Chowdhry is a former staff writer for FCW.


  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.