HHS tightens FISMA compliance, but risks remain

Unsupported software threatens medical devices, networks

When medical devices, endpoint systems and radiological scanning equipment are added to internet of things networks in health facilities, securing them presents a challenge. According to Christopher Wlaschin, chief information security officer at the Department of Health and Human Services, that's largely because such devices often are built on older, unsupported operating systems.

“The user interface looks familiar to a doctor or clinician that is trying to operate it, but they are full of vulnerabilities that are not patched or managed,” Wlaschin said at an Oct. 18 CyberScoop event. Those risks can cause a critical problem for a hospital or healthcare organization’s operations, he added.

Medical device manufacturers are working with the Food and Drug Administration and cybersecurity consortiums to modernize and secure the operating systems of medical devices, according to Wlaschin, ensuring they come with “two open ports instead of 10,000.”

One way to secure the devices might be equipping them with “stealth technology [that lets them] ‘hide’ in hospital networks so they can’t be seen or found except for the person using them,” Wlaschin said.

Mitchell Komaroff, principal advisor for cybersecurity, planning and oversight for the Department of Defense CIO, agreed with the importance of keeping network devices up to date. “Maintenance and modernization is a core cyber basic and no-longer-supported operating systems should be removed,” he said.

The WannaCry ransomware attack, which took advantage of unsupported operating systems, affected some of DOD’s commercial partners and created a “mission risk,” Komaroff said. He encouraged industry to follow the National Institute of Standards and Technology’s Cybersecurity Framework to understand the risks that government agencies must address.

Wlaschin said HHS “dodged a bullet” with WannaCry because of patching, workforce awareness and the agency’s “ability [to] line up cyber risks with business risks.” The FDA, National Institutes of Health, Centers for Disease Control and Prevention and the operating divisions of HHS worked together with industry partners on business risks and took “meaningful actions” to prevent intrusions, he said.

Information sharing between government and industry is another key component in preventing ransomware attacks.

“HHS is partnering with the Department of Homeland Security and National Cybersecurity & Communications Integration Center to do automated threat sharing,” Wlaschin said. “We want to take some of the information and contextualize it to make it meaningful for our doctors and other practitioners.”

About the Author

Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.

Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.

Friedman can be contacted at sfriedman@gcn.com or follow her on Twitter @SaraEFriedman.
