Illustration: Rebecca Zisser/Axios

Over 32 million people have had their protected health information breached this year, in 311 hacking incidents against health care providers that are under investigation by the Department of Health and Human Services.

The big picture: Complex, bloated hospital systems are a glaring weak spot in U.S. cybersecurity — and there are limits on the government's power to help.

Hospitals are vulnerable because they maintain so many systems at once — medical records, billing records and also internet-connected medical devices — that get further entangled after mergers, which have been spiking for at least a decade.

  • "Hospitals do make an attractive target for cyber bad guys," said John Riggi, a senior cybersecurity adviser for the American Hospital Association.
  • Attackers know hospitals are open 24/7, have a vastly complex network and can't afford interruptions to public health.

"Cybercriminals know they are a soft target where they can access patient records and social security numbers and other information," Suzanne Schwartz, a deputy director in the FDA's device center, tells Axios.

  • Security firm Forescout has uncovered broken-down protections in hospital systems that make patient records vulnerable. The firm works with one of the largest health care providers in the New York area, Forescout's Tom Dolan said.

Threat level: Some vulnerabilities aren't as hard to fix as they might seem, experts said.

  • Riggi explains he has heard medical device manufacturers tell hospitals to buy total replacements for machines that may only need a security software update.
  • "And the hospital won't, because that costs a crap-load of money," Dolan said, noting hospitals can make 30-year investments in equipment like MRI machines.

What's next: The AHA doesn't make its own cybersecurity guidelines and the FDA's are limited. The agency is seeking more legal authority over device security, and the AHA wants FDA guidelines to be made mandatory.

  • The FDA's cybersecurity oversight in hospitals is limited to medical devices — not the other internet-connected devices that hospitals are also full of.
  • The FDA's ability to work with medical device-makers to tackle cybersecurity has improved drastically since the 2017 WannaCry attack, Schwartz said — but hospitals still have weaknesses that are left unaddressed.

The bottom line: The AHA and security vendors like MedCrypt and Forescout recommend that hospitals use network segmentation or medical devices with built-in security features.

Go deeper: What your hospital knows about you
