Why hospitals are a weak spot in U.S. cybersecurity

Hospitals are vulnerable because they maintain so many systems at once — medical records, billing records and also internet-connected medical devices — that get further entangled after mergers, which have been spiking for at least a decade.


"Hospitals do make an attractive target for cyber bad guys," said John Riggi, a senior cybersecurity adviser for the American Hospital Association.
Attackers know hospitals are open 24/7, have a vastly complex network and can't afford interruptions to public health.

"Cybercriminals know they are a soft target where they can access patient records and social security numbers and other information," Suzanne Schwartz, a deputy director in the FDA's device center, tells Axios.


Security firm Forescout has uncovered broken-down protections in hospital systems that make patient records vulnerable. The firm works with one of the largest health care providers in the New York area, Forescout's Tom Dolan said.

Threat level: Some vulnerabilities aren't as hard to fix as they might seem, experts said.


Riggi explains he has heard medical device manufacturers tell hospitals to buy total replacements for machines that may only need a security software update.
"And the hospital won't, because that costs a crap-load of money," Dolan said, noting hospitals can make 30-year investments in equipment like MRI machines.

What's next: The AHA doesn't make its own cybersecurity guidelines and the FDA's are limited. The agency is seeking more legal authority over device security, and the AHA wants FDA guidelines to be made mandatory.


The FDA's cybersecurity oversight in hospitals is limited only to medical devices — not the other i ..
