
Why DOD cares about hospital network attacks


A senior Defense Department official said there needs to be better technology and increased cooperation when it comes to securing the servers and health IT equipment at medical institutions.

"We have to take incidents like hospital hacking extremely seriously, go after those people, make sure there is accountability for criminal behavior," Richard Hale, DOD's deputy CIO for cybersecurity, said during a panel discussion on Feb. 17. "But we've got to fix the technology."

He was referring to the recent attack against Hollywood Presbyterian Medical Center in which hackers are blocking access to the center's servers until they receive $3.6 million in bitcoin. As a result, the center's staff has reportedly been unable to access patient information, and a significant communication breakdown has occurred.

Protecting private health care systems is not a DOD mission, of course, but the Pentagon is a massive medical provider in its own right. "The problem with this is that bad guys aren't waiting," Hale said. "It will take [DOD] a while, and it will cost us some money to move to stronger access control on medical devices."

Much of the critical and highly computerized medical equipment used today is not designed to handle public-key infrastructure or other means of securing access. Some don't even allow for a simple password. Furthermore, "there are all kinds of regulatory requirements on safety that have to be met before you go fiddling with these things," Hale said.

He added that DOD officials are attempting to establish security standards for buying medical devices, though he acknowledged that additional controls can create unacceptable complexity. "But we also try to put an escape clause in this plan [that allows a military health agency CIO to] approve exceptions where it doesn't make any sense for now or can approve alternate forms of control," he said.

In many ways, the risks to health IT are just another example of the expanding attack surface that DOD must defend, Hale said. Whether it's medical devices or massive weapons systems, "if it's got a computer in it, it can be cyberattacked," he added. "It doesn't matter if it's connected to a network.... And if it's a DOD thing, there's the higher chance that it might be cyberattacked."

So Hale said his job is to make sure "all of the embedded computing in the department" has the right cybersecurity properties.

Unlike DOD's core networks, "none of this stuff was designed to resist cyberattacks," he said. "It was built for a benign environment, [and the] environment for all computer science is no longer benign."

When it comes to health IT, Hale acknowledged that it will take time to develop standards and it will be "painful for a while." He also stressed the need to work with law enforcement on such matters.

About the Author

Aisha Chowdhry is a former staff writer for FCW.

