Unsupported software threatens medical devices, networks
Unpatched known vulnerabilities can open agencies up to internet of things based attacks and ransomware, according to a senior HHS official.
When medical devices, endpoint systems and radiological scanning equipment are added to internet of things networks in health facilities, securing them presents a challenge. According to Christopher Wlaschin, chief information security officer at the Department of Health and Human Services, that's largely because such devices often are built on older, unsupported operating systems.
“The user interface looks familiar to a doctor or clinician that is trying to operate it, but they are full of vulnerabilities that are not patched or managed,” Wlaschin said at an Oct. 18 CyberScoop event. Those risks can cause a critical problem for a hospital or healthcare organization’s operations, he added.
Medical device manufacturers are working with the Food and Drug Administration and cybersecurity consortiums to modernize and secure operating systems of medical devices, according to Wlaschin, ensuring they come with “two open ports instead of 10,000.”
One way to secure the devices might be equipping them with “stealth technology [that lets them] ‘hide’ in hospital networks so they can’t be seen or found except for the person using them,” Wlaschin said.
Mitchell Komaroff, principal advisor for cybersecurity, planning and oversight for the Department of Defense CIO, agreed with the importance of keeping network devices up to date. “Maintenance and modernization is a core cyber basic and no-longer-supported operating systems should be removed,” he said.
The WannaCry ransomware attack, which took advantage of unsupported operating systems, affected some of DOD’s commercial partners and created a “mission risk,” Komaroff said. He encouraged industry to follow the National Institute of Standards and Technology’s Cybersecurity Framework to understand the risks that government agencies must address.
Wlaschin said HHS “dodged a bullet” with WannaCry because of patching, workforce awareness and the agency’s “ability [to] line up cyber risks with business risks.” The FDA, National Institutes of Health, Centers for Disease Control and Prevention and the operating divisions of HHS worked together with industry partners on business risks and took “meaningful actions” to prevent intrusions, he said.
Information sharing between government and industry is another key component in preventing ransomware attacks.
“HHS is partnering with the Department of Homeland Security and National Cybersecurity & Communications Integration Center to do automated threat sharing,” Wlaschin said. “We want to take some of the information and contextualize it to make it meaningful for our doctors and other practitioners.”