When the Navy hospital ship Comfort deployed to Haiti in 2010 following devastating earthquakes, media organizations broadcasting in the area ate up so much satellite bandwidth that the ship had to revert to paper processes and adjust its satellite communications for some ship-to-shore messaging.
While the outages weren’t a widespread issue, said Sean Kelley, who served as the ship’s top IT officer at the time, the problem highlighted a challenge these ships face: broadband.
Now, the hospital ships Mercy and Comfort are deployed to Los Angeles and New York, respectively, and are in the national spotlight as symbols of the coronavirus pandemic relief effort. But security and IT experts say the ships’ mission presents the Navy with distinct networking problems, from cybersecurity to network connection for patients.
Onboard devices
When disaster strikes, the Navy’s hospital ships deploy in a matter of days, mobilizing with a crew of about 100-1,200 personnel. But the influx of staff also leads to an incursion of devices, all of which must be secure and require bandwidth.
“You have a lot of different people going to a lot of different places that now have to be acclimated to this environment,” said Kelley, now executive vice president at Unissant, an IT and cybersecurity company. “So that’s really one of the biggest challenges, is getting all those things turned on, all those things activated, making sure that they are all compliant with the latest patches and fixes, and making sure they’re good.”
This process can be a “nightmare,” said retired Rear Adm. Danelle Barrett, former deputy chief information officer of the Navy and cybersecurity division director.
“The challenging part is always in the first couple days whenever this happens,” said Barrett, who oversaw communications and cyberspace for Operation Unified Response, the U.S. military’s mission in Haiti following the 2010 earthquake. “The team is coalescing about how they want to operate, and they’re getting their feet wet, getting new accounts on networks … [getting] their logins.”
Cybersecurity aboard the ships is also complex. Both ships have 1,000 beds, 12 operating rooms, blood banks, labs, medical devices and a multitude of other “internet of things” devices connected to hospital beds. According to a 2018 survey by health care IoT security company Zingbox, each bed can have as many as 10-15 IoT devices.
“They have to be cyber-ready, or the mission of the Mercy is considered [degraded],” said Dean Hullings, global defense solutions strategist at Forescout, which handles Comply to Connect — a Defense Department framework created to ensure the cybersecurity of new devices — for the USNS Mercy.
Ensuring connectivity
For the devices to function, they need connectivity. When the ships arrived in ports in late March, technology firm CenturyLink “donated” connectivity to the Mercy, while Verizon provided connectivity to the Comfort.
Former and current Navy officials told C4ISRNET that adequate broadband is the most challenging IT consideration faced by these ships.
“Obviously you’re going to be transferring imagery of X-rays or things like that that are more dense and require a ... higher data rate, so that bandwidth in port is important,” Barrett said.
And with the introduction of patients, bandwidth needs become more complex.
“The greatest communications challenge we are going to face during this deployment is the increased need for patients to communicate off the ship during their stay,” Tom Van Leunen, a spokesman for Military Sealift Command, told C4ISRNET. “Our hospital ships are designed to support official communication for the ship’s crew and embarked medical community to complete their job. Adding a capability for patients to reach loved ones increases the risk of saturating the bandwidth off the ship.”
Aboard both ships, the Navy doubled the bandwidth, he said, adding that Navy personnel also set up separate networks for patients’ communications.
While this solves one networking problem, it can also create an increased cybersecurity risk.
Securing the ships
Cybersecurity on the hospital ships follows the same standard practices as the rest of the Navy fleet. Since those aboard are largely Navy medical staff and personnel, they know what activities are acceptable on the network, Barrett said.
“You can’t just go and plug anything into that network because of potential vulnerabilities that that system may bring that could affect not just the ship, but remember, the ship is then connected to the rest of the [Department of Defense Information Network],” Barrett said. “So risk by one is shared by all.”
ForeScout’s Hullings said a hospital environment “epitomizes” why the Comply to Connect program is necessary. The ship has desktops, servers, routers, printers and other networks equipment, as well as mobile devices, such as tablets, that health care providers use to track patient care.
“The truly unique stuff is the mission systems of the hospital, like X-ray machines, MRI machines, the beds themselves in the post-operative recovery rooms, that are all sensors. And they are all passing data. They have to be protected,” Hullings said.
A spokesperson for the Navy told C4ISRNET that the ships are prepared for the cybersecurity challenges associated with their missions, but declined to address what additional cybersecurity challenges are introduced with the addition of private citizens.
“These ships have routinely deployed in humanitarian assistance missions such as Pacific Partnership (USNS Mercy) and Continuing Promise (USNS Comfort) that required them to operate in partner nation ports, with foreign national patients being brought to and from the ship,” said Cmdr. Dave Benham, a spokesman for the Navy’s 10th Fleet. “In all operating locations, we take appropriate precautions to keep our networks secure, and we do not discuss specific measures in order to protect operational security.”
Cybersecurity on the hospital ships follow the same protocols as any other Military Sealift Command ship, said Benham.
“Protecting our networks is a continuous challenge, and the overarching concern is to ensure that the right information gets to the right place at the right time with the right level of protection,” he explained.
Cybersecurity aboard the hospital ships follow similar efforts to those recommendations made by the Centers for Disease Control and Prevention: Wash your hands.
“It’s ‘wash your hands’ with your computer, too,” Barrett said. “Do good hygiene with your computer.”
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.