Ethical hacking at the DoD draws interest from HHS
The Department of Defense’s recent “Hack the Pentagon” bounty program was such a hit that the Department of Health and Human Services is starting to take a look at it.
HHS officials mentioned the DoD’s recently completed pilot program—which paid bounties to hackers who were able to discover cyber vulnerabilities at the agency, also known as ethical hacking—as a possible way to address cybersecurity issues in health care.
Speaking at the Collaboration of Health IT Policy and Standards Committees meeting on June 23, Lucia Savage, chief privacy officer at HHS’s Office of the National Coordinator for Health Information Technology, said that the practice could show promise at HHS if it was scaled up to meet health care needs.
Savage said that ethical hacking was a hot topic at a recent Federal Drug Administration workshop focusing on medical device security as a way to test the cybersecurity-worthiness of the items in question.
“This is a struggle for devices as well,” she said. “You can’t hack something in the field, because what if the hacker disrupts the operation of the device. Similarly, health data and EHRs, we may not want to have the hacker accessing your live data because that might cause other problems relative to your obligation to keep that data confidential.
“Given that space and given the need to improve cybersecurity, is there something that ONC can do to improve that rate at which ethical hacking occurs in health care?”
Savage said her office, in collaboration with the FDA, was working on plans to see how the practice could be effectively applied to the health care and medical device sector, and that the advantages could be promising.
“I think that this is a technique that has been found highly valuable in the rest of industry,” she said. “One of the things we are thinking about is how to get this to take root as a security hygiene process within the health care system.”
The committees—which are composed of health care stakeholders who offer policy and standards recommendations to the National Coordinator for Health IT—queried Savage on what plans ONC might have for ethically hacking devices, especially related to Internet of Things capabilities.
But because ONC focuses on health IT and FDA regulates medical devices, Savage said her office was looking at ways ethical hacking could work in partnership with FDA, rather than ONC directly hacking devices.
“I just want to be super clear, our focus is on security hacking for the devices,” Savage said. “We don’t have any authority on the safety or efficacy of devices or health IT. I will say that the work we are doing, we’re doing it in concert, sort of thinking through how to solve the problem.”
Dr. Dale Nordenberg, CEO of Novasano Health and Science and a Health IT standards committee member, said that hacking medical devices could prove difficult because every medical device is hackable, leaving the weaknesses and their solutions to be worked out in a litany of detail.
“The issue is that once a vulnerability is identified, the industry is highly resistant to exposing to the public that specific vulnerability because the manufacturer has to get engaged,” he said.
Savage added that her office and FDA are continuing to work through details such as intellectual property issues and who remediates a vulnerability, and that with the Internet of Things and interoperability moving forward, these devices are becoming more interconnected.
Source | FederalTimes