Why DOD cares about hospital network attacks

A senior Defense Department official said there needs to be better technology and increased cooperation when it comes to securing the servers and health IT equipment at medical institutions.

"We have to take incidents like hospital hacking extremely seriously, go after those people, make sure there is accountability for criminal behavior," Richard Hale, DOD's deputy CIO for cybersecurity, said during a panel discussion on Feb. 17. "But we've got to fix the technology."

He was referring to the recent attack against Hollywood Presbyterian Medical Center in which hackers are blocking access to the center's servers until they receive $3.6 million in bitcoin. As a result, the center's staff has reportedly been unable to access patient information, and a significant communication breakdown has occurred.

Protecting private health care systems is not a DOD mission, of course, but the Pentagon is a massive medical provider in its own right. "The problem with this is that bad guys aren't waiting," Hale said. "It will take [DOD] a while, and it will cost us some money to move to stronger access control on medical devices."

Much of the critical and highly computerized medical equipment used today is not designed to handle public-key infrastructure or other means of securing access. Some don't even allow for a simple password. Furthermore, "there are all kinds of regulatory requirements on safety that have to be met before you go fiddling with these things," Hale said.

He added that DOD officials are attempting to establish security standards for buying medical devices, though he acknowledged that additional controls can create unacceptable complexity. "But we also try to put an escape clause in this plan [that allows a military health agency CIO to] approve exceptions where it doesn't make any sense for now or can approve alternate forms of control," he said.

In many ways, the risks to health IT are just another example of the expanding attack surface that DOD must defend, Hale said. Whether it's medical devices or massive weapons systems, "if it's got a computer in it, it can be cyberattacked," he added. "It doesn't matter if it's connected to a network.... And if it's a DOD thing, there's the higher chance that it might be cyberattacked."

So Hale said his job is to make sure "all of the embedded computing in the department" has the right cybersecurity properties.

Unlike DOD's core networks, "none of this stuff was designed to resist cyberattacks," he said. "It was built for a benign environment, [and the] environment for all computer science is no longer benign."

When it comes to health IT, Hale acknowledged that it will take time to develop standards and it will be "painful for a while." He also stressed the need too work with law enforcement on such matters.