Illustration: Rebecca Zisser/Axios

Over 32 million people have had their protected health information breached this year, in 311 hacking incidents against health care providers that are under investigation by the Department of Health and Human Services.

The big picture: Complex, bloated hospital systems are a glaring weak spot in U.S. cybersecurity — and there are limits on the government's power to help.

Hospitals are vulnerable because they maintain so many systems at once — medical records, billing records and also internet-connected medical devices — that get further entangled after mergers, which have been spiking for at least a decade.

  • "Hospitals do make an attractive target for cyber bad guys," said John Riggi, a senior cybersecurity adviser for the American Hospital Association.
  • Attackers know hospitals are open 24/7, have a vastly complex network and can't afford interruptions to public health.

"Cybercriminals know they are a soft target where they can access patient records and social security numbers and other information," Suzanne Schwartz, a deputy director in the FDA's device center, tells Axios.

  • Security firm Forescout has uncovered broken-down protections in hospital systems that make patient records vulnerable. The firm works with one of the largest health care providers in the New York area, Forescout's Tom Dolan said.

Threat level: Some vulnerabilities aren't as hard to fix as they might seem, experts said.

  • Riggi explains he has heard medical device manufacturers tell hospitals to buy total replacements for machines that may only need a security software update.
  • "And the hospital won't, because that costs a crap-load of money," Dolan said, noting hospitals can make 30-year investments in equipment like MRI machines.

What's next: The AHA doesn't make its own cybersecurity guidelines and the FDA's are limited. The agency is seeking more legal authority over device security, and the AHA wants FDA guidelines to be made mandatory.

  • The FDA's cybersecurity oversight in hospitals is limited to medical devices, not the other internet-connected devices that hospitals are also full of.
  • The FDA's ability to work with medical device-makers to tackle cybersecurity has improved drastically since the 2017 WannaCry attack, Schwartz said — but hospitals still have weaknesses that are left unaddressed.

The bottom line: The AHA and security vendors like MedCrypt and Forescout recommend that hospitals use network segmentation or medical devices with built-in security features.
