Why DOD cares about hospital network attacks


A senior Defense Department official said there needs to be better technology and increased cooperation when it comes to securing the servers and health IT equipment at medical institutions.

"We have to take incidents like hospital hacking extremely seriously, go after those people, make sure there is accountability for criminal behavior," Richard Hale, DOD's deputy CIO for cybersecurity, said during a panel discussion on Feb. 17. "But we've got to fix the technology."

He was referring to the recent attack against Hollywood Presbyterian Medical Center in which hackers are blocking access to the center's servers until they receive $3.6 million in bitcoin. As a result, the center's staff has reportedly been unable to access patient information, and a significant communication breakdown has occurred.

Protecting private health care systems is not a DOD mission, of course, but the Pentagon is a massive medical provider in its own right. "The problem with this is that bad guys aren't waiting," Hale said. "It will take [DOD] a while, and it will cost us some money to move to stronger access control on medical devices."

Much of the critical and highly computerized medical equipment used today is not designed to handle public-key infrastructure or other means of securing access. Some don't even allow for a simple password. Furthermore, "there are all kinds of regulatory requirements on safety that have to be met before you go fiddling with these things," Hale said.

He added that DOD officials are attempting to establish security standards for buying medical devices, though he acknowledged that additional controls can create unacceptable complexity. "But we also try to put an escape clause in this plan [that allows a military health agency CIO to] approve exceptions where it doesn't make any sense for now or can approve alternate forms of control," he said.

In many ways, the risks to health IT are just another example of the expanding attack surface that DOD must defend, Hale said. Whether it's medical devices or massive weapons systems, "if it's got a computer in it, it can be cyberattacked," he added. "It doesn't matter if it's connected to a network.... And if it's a DOD thing, there's the higher chance that it might be cyberattacked."

So Hale said his job is to make sure "all of the embedded computing in the department" has the right cybersecurity properties.

Unlike DOD's core networks, "none of this stuff was designed to resist cyberattacks," he said. "It was built for a benign environment, [and the] environment for all computer science is no longer benign."

When it comes to health IT, Hale acknowledged that it will take time to develop standards and it will be "painful for a while." He also stressed the need to work with law enforcement on such matters.

About the Author

Aisha Chowdhry is a former staff writer for FCW.

