Rebecca Zisser / Axios

It's been a few months since the worldwide WannaCry ransomware attacks, and a month and a half since the NotPetya attacks that hit U.S. hospitals and the drug company Merck. The cyberattacks were bad enough to get the attention of the health care industry — and the rest of us — but not bad enough to force the industry to solve the underlying problems.

The bottom line: A cyberattack that takes down multiple hospital systems is "the thing that keeps me up at night," said Richard Staynings, principal and cybersecurity healthcare leader at Cisco. "I have no way of knowing the last time a patient received their medication … It essentially renders hospitals near useless."

Here's what's changed and what still hasn't, according to cybersecurity experts.

Changed:

  • Hospitals and other health care facilities have been reluctant to install security patches on devices that have to be available at all times, like CT scanners. But they're becoming more open to it "now that the risk equation has changed significantly," meaning it's clearly more dangerous to be vulnerable to an attack than to take a device offline, according to Staynings.
  • Hospital officials are generally more aware of the importance of cybersecurity. "I think they're interested — I'm not sure they understand what they should be doing," said David Damato, chief security officer at the cybersecurity startup Tanium.

Not changed:

  • Health care organizations still don't spend a lot on cybersecurity, compared to traditional priorities like doctors and researchers. "Health care is now an easy target compared to financial services," said Staynings.
  • It's an increasingly urgent issue as more and more software is added, especially at smaller facilities that don't have a lot of money to spend, said Bryan Sivak, a former chief technology officer at the Department of Health and Human Services.
  • Electronic health records are becoming a big worry. You don't want someone getting in and changing a patient's blood type, for example, or getting access to highly sensitive personal information about them.
  • Old or unpatched operating systems will always leave health care facilities vulnerable. "We've been talking about this for decades and are still running into the same problems," said Sivak.
  • Facilities have to learn to segment their networks, or divide them into subnetworks to make them more secure. (That's a tough task, though, if they don't have a lot of IT resources.)
  • Vendors have to be more willing to patch their medical devices — some don't want to change them for fear of losing their certifications from the Food and Drug Administration. And the FDA "has sat on the fence on this issue, quite frankly, for the last few years," said Staynings.
