The immense success of DoD’s “Hack the Pentagon” program has grabbed the attention of Department of Health and Human Services. The recently completed program was able to determine the cyber vulnerabilities in the Department of Defense and the hackers who were able to find out these vulnerabilities were rewarded. HHS believes that this ethical hacking program has opened the doors to address many cyber security issues in healthcare.
Ethical hacking was one of the major topics of discussion at a Federal Drug Administration workshop, focused on medical device security. Lucia Savage, Chief Privacy Officer at HHS’s Office of the National Coordinator for Health Information Technology, commented that if the ethical hacking practice is capable of scaling up and meets healthcare requirements, then the chances of this program showing good results at the HHS are quite high.
Savage said, “This is a struggle for devices as well. You can’t hack something in the field, because what if the hacker disrupts the operation of the device. Similarly, health data and EHRs, we may not want to have the hacker accessing your live data because that might cause other problems relative to your obligation to keep that data confidential. Given that space and given the need to improve cyber security, is there something that ONC can do to improve that rate at which ethical hacking occurs in health care?”
She further mentioned that her office was trying to develop collaboration between FDA and to effectively apply this practice in healthcare and medical devices sector. “I think that this is a technique that has been found highly valuable in the rest of industry,” she also added that “One of the things we are thinking about is how to get this to take root as a security hygiene process within the health care system,” Savage added.
When the healthcare stakeholders enquired about the plans ONC has for ethically hacking devices, she responded that their “focus is on security hacking for the devices. We don’t have any authority on the safety or efficacy of devices or health IT. I will say that the work we are doing, we’re doing it in concert, sort of thinking through how to solve the problem.”
Savage said that ONC and FDA are continuing their efforts to identify intellectual property issues and to identify who can remediate the vulnerability. However, she also noted that with interoperability and Internet of Things advancing ahead with a great pace, all these devices are becoming more interconnected.