Hospital cyberdefense high on DoD's priority list

While hospital network security might not seem like an expected responsibility for the Department of Defense, because the agency is a huge healthcare provider, anything relating to the U.S. military is likely to come under attack, Richard Hale, DoD's deputy CIO for cybersecurity, reminded attendees at a recent panel discussion.

"We've got to fix the technology," he said, according to FCW, imploring the industry to take hacking seriously, cooperate with law enforcement and ensure accountability for criminal behavior. Hale's comments were part of a discussion about the recent ransomware attack on Hollywood Presbyterian Medical Center.

It might take DoD longer to move to stronger access control on medical devices, he said; meanwhile, however, the criminal element isn't waiting around.

Whether medical devices or massive weapons systems, "if it's got a computer in it, it can be cyberattacked," Hale said. "It doesn't matter if it's connected to a network. ... And if it's a DoD thing, there's the higher chance that it might be cyberattacked."

Much of the problem is that medical devices were not designed with cybersecurity in mind, but for a "benign environment" that's no longer benign.

Like all government agencies, DoD faces many regulatory requirements. It's trying to enmesh security standards in procurement, exercising what security expert Kevin Fu calls "the power of the purse."

At the same time, additional controls can create unacceptable complexity. The DoD also wants military CIOs to have the discretion to make exceptions when the controls don't make sense or when they can provide controls in other ways.

A report due next month on a five-year test of a large, jointly-operated DoD and VA hospital in Chicago could help determine the outcome of that proposal.

To learn more:
- read the FCW article