Oct 22 2020

VA, DOD Work to Protect Patient Information and Secure Devices

The federal government’s health facilities are filled with internet-connected technology needed to care for more than 16 million people. Here is how they plan to keep data safe.

Just like their civilian counterparts, the medical facilities run by the Department of Veterans Affairs and the Defense Department rely on modern technology, using everything from electronic health records to networked diagnostic equipment and 5G-enabled technology.

More than 6 million people use the VA’s 1,243 healthcare facilities worldwide; 9.5 million active-duty service members, military retirees and the families of both get care in nearly 500 military hospitals and clinics through the Military Health System, run by the Defense Health Agency.

The VA, which already has an elaborate cybersecurity framework, is working with Massachusetts General Hospital and Shepherd University to research new cybersecurity and compatibility measures for its medical devices and hopes to upgrade cybersecurity standards and practices for network-connectable medical devices, medical data systems and other related technology.

Not only does the MHS/DHA work to protect patient data in its facilities, it also offers tips to patients — many of whom are tempting targets for hackers and other threats — to protect themselves outside the doctor’s office.

“More and more, that is healthcare,” says Dr. Carolyn Clancy, the VA’s assistant undersecretary for health, discovery, education and affiliate networks. “Instead of merely digitizing what we were doing on paper, we’re making sure that these devices are secure and not a gateway.”

The Shift to Telehealth Highlights New Security Challenges

October is National Cybersecurity Awareness Month, and the theme for week three is “Securing Internet-Connected Devices in Healthcare.” The healthcare sector in general has become a popular target for hackers.

Of the 3,950 breaches reported in Verizon’s “2020 Data Breach Investigations Report,” released in May, healthcare accounted for the most in any identified sector with 521, or about 13.2 percent of the total. “Financially motivated criminal groups continue to target this industry via ransomware attacks,” notes the report.

With the onset of the COVID-19 pandemic, concern about attacks on hospitals and research centers working on vaccines and treatments grew stronger. The Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security, is spearheading a program to help increase cybersecurity awareness and protections on that front.

At the VA, the boom in telehealth services presented a major security challenge. The agency’s expanded telehealth program attracted about 491,000 patients in 2019; between March and August of this year, it saw about 3 million patients, says Paul Cunningham, the VA’s CISO.

“What we’re looking at now is, how do we improve the gateways in terms of capability and bandwidth, because we know that we have more and more people accessing those resources,” he says. “How are we making sure that only authorized users are coming through?

“It all revolves around those key principles of knowing what’s on your network, who’s on your network and what they’re doing on that network,” he adds. “Whether it’s an EKG machine or an insulin pump or an intern who’s checked in for their first day or even a cybersecurity administrator, all those things still apply.”


How Combining Networks May Decrease Cybersecurity Risk

Within the DOD, the concern centers on phishing-related attacks, many with a COVID-19 angle, such as fake offers of test kits for people who provide personal information.

“Human error data breaches, just like improper handwashing, puts us at risk,” Servio Medina, branch chief of the cybersecurity division of the DHA, tells Health.mil. “We need to change human behavior so we’re not making ourselves more vulnerable to ‘cyber infections.’”

DOD officials are working to boost IT security across its medical system by blending its virtual local area networks, many of them legacy, into what Federal News Network describes as “a new 13-zone architecture, with each zone designed for a different level of security to segment network traffic.”

This new Medical Community of Interest would cover about 240,000 users worldwide under a single security environment.

“Since we’ll have that same design at each facility, it’s going to allow inheritance of security controls, reduced variants in configuration, and is going to greatly reduce the time to complete our risk management framework processes for each enclave and the associated systems,” DHA CIO Pat Flanders tells Federal News Network.
