Report: Feds Mull Bug Bounty Contest for Medical Devices

The Department of Health and Human Services has noted the success of the Hack the Pentagon Bug Bounty program and is considering a similar program to spur research on medical devices, the web site Federal Times reported.

In-brief: Following the success of the Hack the Pentagon bug bounty program, officials at the U.S. Department of Health and Human Services are considering launching a similar program aimed at medical devices and other healthcare systems. 

If imitation is the sincerest form of flattery, then the U.S. Department of Defense should be feeling pretty good about its recently announced “Hack the Pentagon” bug bounty program.

Just a few months after the DOD unveiled a bug bounty program that provided financial incentives to security researchers and “white hat” hackers to have at its networks, the Chief Privacy Officer at the Department of Health and Human Services (HHS) has made public statements that suggest HHS is considering a similar program.

From the article, over at Federal Times:

HHS officials mentioned the DoD’s recently completed pilot program—which paid bounties to hackers who were able to discover cyber vulnerabilities at the agency, also known as ethical hacking—as a possible way to address cybersecurity issues in health care.

Speaking at the Collaboration of Health IT Policy and Standards Committees meeting on June 23, Lucia Savage, chief privacy officer at HHS’s Office of the National Coordinator for Health Information Technology, said that the practice could show promise at HHS if it was scaled up to meet health care needs.

On June 17, U.S. Secretary of Defense Ash Carter announced preliminary results from the program, which invited some 1,400 vulnerability hunters to try their luck on DOD systems. The DOD paid bounties for 138 vulnerabilities submitted by 250 researchers. In all, the DOD paid out $150,000 in bounties, with about half going to the hackers.


Carter said that the DOD was surprised by the response to the program.

“We know that state-sponsored actors and black-hat hackers want to challenge and exploit our networks,” said Secretary Carter. “What we didn’t fully appreciate before this pilot was how many white-hat hackers there are who want to make a difference – hackers who want to help keep our people and nation safer.”

The challenge, which was run under the auspices of HackerOne, a bug bounty broker, was conducted against five public-facing websites, including defense.gov. None of the Department’s critical networks were part of the competition.


Speaking of the challenge for Health and Human Services, Savage noted that ethical hacking programs like bug bounties were a topic at a recent FDA workshop on medical device security. There, experts said bounty programs, which have long been used by tech firms to solicit the attention of top-tier vulnerability researchers to their products and services, held promise for medical devices and software, as well.

“This is a struggle for devices as well,” said Savage of security vulnerabilities. “You can’t hack something in the field, because what if the hacker disrupts the operation of the device. Similarly, health data and EHRs, we may not want to have the hacker accessing your live data because that might cause other problems relative to your obligation to keep that data confidential.”

The Department did not respond to an e-mail request for comment prior to publication.

Savage wondered openly whether “there [is] something that ONC can do to improve the rate at which ethical hacking occurs in health care.”

Bounty programs aren’t new. Ur-Internet start-up Netscape launched the first such program in 1995 to find holes in its browser code. But the programs have attracted increasing attention from outside the software industry in recent years. Bugcrowd, a start-up that helps companies set up and manage bounty programs, said that it now hosts almost 300 such bounty programs and that its customer base has diversified from mostly tech companies. Today, over 25% of programs launched by Bugcrowd are in verticals such as financial services and banking, automotive, and manufacturing, according to a recently released report.

Read more on HHS plans here: Ethical hacking at the DoD draws interest from HHS