HHS considering white hat hacking for 'security hygiene'


The success of the recent "Hack the Pentagon” program has the U.S. Department of Health and Human Services considering how it might implement such an effort within healthcare, reports Federal Times.

Ethical hacking, also known as white hat hacking, involves using “good guy” hackers to find and address organizations’ cybersecurity vulnerabilities before the bad guys.

The Pentagon’s recent pilot program paid bounties for bugs found. It enrolled 1,410 eligible hackers from around the world and identified 138 legitimate vulnerabilities in Department of Defense websites, reports Naked Security. One hacker who submitted multiple vulnerabilities earned the top prize of $15,000.

“I think that this is a technique that has been found highly valuable in the rest of industry. One of the things we are thinking about is how to get this to take root as a security hygiene process within the healthcare system,” Lucia Savage, chief privacy officer at HHS’s Office of the National Coordinator for Health Information Technology, said at last week's joint Health IT Policy and Standards committees meeting.

She said she’s working to determine, along with the U.S. Food and Drug Administration, how such a program could be applied to healthcare and medical devices.

There are issues to be considered: For instance, hacking devices could interfere with their safe operation. What's more, accessing operating electronic health records could run afoul of HIPAA if live data were involved.

Savage made clear that her office would solely be focused on security hacking, while issues of safety and effectiveness fall under the FDA’s purview.

Hacking was the most common source of healthcare data leaks in 2015, according to a Bitglass report.

To learn more:
- read the Federal Times article
- check out the Naked Security story
- listen to the meeting