Federal report: Hospital cybersecurity is in ‘critical condition’


Many American hospitals and health care practices are critically vulnerable to cyberattack and lack the resources to protect against rising threats, according to a long-awaited report issued by the U.S. Department of Health and Human Services' Health Care Industry Cybersecurity Task Force.

The starkly negative report points to problems beyond hardware and software. The task force, established a year ago, is made up of 21 security experts, health care professionals and government officials.

“Many organizations cannot afford to retain in-house information security personnel, or designate an information technology (IT) staff member with cybersecurity as a collateral duty,” the task force reported. “These organizations often lack the infrastructure to identify and track threats, the capacity to analyze and translate the threat data they receive into actionable information, and the capability to act on that information.”

The talent shortage that hampers cybersecurity in every sector hits health care especially hard, leaving the industry heavily dependent on part-time positions or on individuals with little or no security training.

Aging equipment and devices with needless internet connectivity add further risk, and the report says these weaknesses have already caused real-world shutdowns of patient care both in the United States and abroad.

The warning comes in the wake of the global outbreak of the WannaCry ransomware that found fertile ground for malicious action across hospitals in the United Kingdom.

In 2016, a Hollywood hospital paid a $17,000 ransom in bitcoin when hackers took control of the institution’s systems. The 40 bitcoin ransom is worth over $100,000 today. Over 158 other hospitals have reported major breaches impacting over 500 people to the federal government since 2010.

A year earlier, in 2015, hackers accessed nearly 80 million records from Anthem, one of America’s largest health insurers. The breach is still the subject of court battles.

“Many organizations also have not crossed the digital divide in not having the technology resources and expertise to address current and emerging cybersecurity threats,” the task force reported. “These organizations may not know that they have experienced an attack until long after it has occurred.”

The task force made six broad recommendations, including streamlining leadership for health care industry cybersecurity, increasing the security of medical devices, developing industry cybersecurity awareness, education and technical capabilities, protecting research and development, and improving industry information sharing.

“If the health care system is connected, but insecure, this connectivity could betray patient safety, subjecting them to unnecessary risk and forcing them to pay unaffordable personal costs,” the report noted. “Our nation must find a way to prevent our patients from being forced to choose between connectivity and security.”
