
Why DOD cares about hospital network attacks


A senior Defense Department official said there needs to be better technology and increased cooperation when it comes to securing the servers and health IT equipment at medical institutions.

"We have to take incidents like hospital hacking extremely seriously, go after those people, make sure there is accountability for criminal behavior," Richard Hale, DOD's deputy CIO for cybersecurity, said during a panel discussion on Feb. 17. "But we've got to fix the technology."

He was referring to the recent attack against Hollywood Presbyterian Medical Center in which hackers are blocking access to the center's servers until they receive $3.6 million in bitcoin. As a result, the center's staff has reportedly been unable to access patient information, and a significant communication breakdown has occurred.

Protecting private health care systems is not a DOD mission, of course, but the Pentagon is a massive medical provider in its own right. "The problem with this is that bad guys aren't waiting," Hale said. "It will take [DOD] a while, and it will cost us some money to move to stronger access control on medical devices."

Much of the critical and highly computerized medical equipment used today is not designed to handle public-key infrastructure or other means of securing access. Some don't even allow for a simple password. Furthermore, "there are all kinds of regulatory requirements on safety that have to be met before you go fiddling with these things," Hale said.

He added that DOD officials are attempting to establish security standards for buying medical devices, though he acknowledged that additional controls can create unacceptable complexity. "But we also try to put an escape clause in this plan [that allows a military health agency CIO to] approve exceptions where it doesn't make any sense for now or can approve alternate forms of control," he said.

In many ways, the risks to health IT are just another example of the expanding attack surface that DOD must defend, Hale said. Whether it's medical devices or massive weapons systems, "if it's got a computer in it, it can be cyberattacked," he added. "It doesn't matter if it's connected to a network.... And if it's a DOD thing, there's the higher chance that it might be cyberattacked."

So Hale said his job is to make sure "all of the embedded computing in the department" has the right cybersecurity properties.

Unlike DOD's core networks, "none of this stuff was designed to resist cyberattacks," he said. "It was built for a benign environment, [and the] environment for all computer science is no longer benign."

When it comes to health IT, Hale acknowledged that it will take time to develop standards and it will be "painful for a while." He also stressed the need to work with law enforcement on such matters.

About the Author

Aisha Chowdhry is a former staff writer for FCW.

