Software Integrity Blog


Feds consider a ‘hack the FDA’ bug bounty program

Coming on the heels of a successful “Hack the Pentagon” bug bounty program, in which one 18-year-old received a $1K prize, the U.S. Federal Government is considering a similar program for healthcare.

Last Thursday, Lucia Savage, chief privacy officer at HHS’s Office of the National Coordinator for Health Information Technology, said that the practice could show promise at HHS if it were scaled up to meet health care needs, according to Federal Times.

“This is a struggle for devices as well,” she said. “You can’t hack something in the field, because what if the hacker disrupts the operation of the device. Similarly, health data and EHRs, we may not want to have the hacker accessing your live data because that might cause other problems relative to your obligation to keep that data confidential. Given that space and given the need to improve cybersecurity, is there something that ONC can do to improve that rate at which ethical hacking occurs in health care?”

“I think that this is a technique that has been found highly valuable in the rest of industry,” she continued. “One of the things we are thinking about is how to get this to take root as a security hygiene process within the health care system.”

“The issue is that once a vulnerability is identified, the industry is highly resistant to exposing to the public that specific vulnerability because the manufacturer has to get engaged,” said Dr. Dale Nordenberg, CEO of Novasano Health and Science and a Health IT standards committee member.

On June 17, U.S. Secretary of Defense Ash Carter announced preliminary results from the program, which invited some 1,400 vulnerability hunters to try their luck on DOD systems, according to the Security Ledger. The DOD paid bounties for 138 vulnerabilities submitted by 250 researchers. In all, the program cost about $150,000, with roughly half of that going to the hackers as bounties.
