Aug 9, 2017

Why we still haven’t solved the health care cybersecurity problem

Rebecca Zisser / Axios

It's been a few months since the worldwide WannaCry ransomware attacks, and a month and a half since the NotPetya attacks that hit U.S. hospitals and the drug company Merck. The cyberattacks were bad enough to get the attention of the health care industry — and the rest of us — but not bad enough to force the industry to solve the underlying problems.

The bottom line: A cyberattack that takes down multiple hospital systems is "the thing that keeps me up at night," said Richard Staynings, principal and cybersecurity healthcare leader at Cisco. "I have no way of knowing the last time a patient received their medication … It essentially renders hospitals near useless."

Here's what's changed and what still hasn't, according to cybersecurity experts.

Changed:

  • Hospitals and other health care facilities have been reluctant to install security patches on devices that have to be available at all times, like CT scanners. But they're becoming more open to it "now that the risk equation has changed significantly," meaning it's clearly more dangerous to be vulnerable to an attack than to take a device offline, according to Staynings.
  • Hospital officials are generally more aware of the importance of cybersecurity. "I think they're interested — I'm not sure they understand what they should be doing," said David Damato, chief security officer at the cybersecurity startup Tanium.

Not changed:

  • Health care organizations still don't spend a lot on cybersecurity, compared to traditional priorities like doctors and researchers. "Health care is now an easy target compared to financial services," said Staynings.
  • It's an increasingly urgent issue as more and more software is added, especially at smaller facilities that don't have a lot of money to spend, said Bryan Sivak, a former chief technology officer at the Department of Health and Human Services.
  • Electronic health records are becoming a big worry. You don't want someone getting in and changing a patient's blood type, for example, or getting access to highly sensitive personal information about them.
  • Old or unpatched operating systems will always leave health care facilities vulnerable. "We've been talking about this for decades and are still running into the same problems," said Sivak.
  • Facilities have to learn to segment their networks, or divide them into subnetworks to make them more secure. (That's a tough task, though, if they don't have a lot of IT resources.)
  • Vendors have to be more willing to patch their medical devices — some don't want to change them for risk of losing their certifications from the Food and Drug Administration. And the FDA "has sat on the fence on this issue, quite frankly, for the last few years," said Staynings.
