
Efforts to protect patients from cyberattacks grow

'We're clearly 10 to 15 years behind'



Strapped to a stretcher, surrounded by medics, nurses and doctors, a middle-aged man was about to play patient zero in what America's health care industry fears could be the next major pandemic: "cybergeddon."

"Alert: All computer monitors are down in the hospital system," an automated-sounding female voice pronounced over a public address system.


Soon, the man’s condition worsened, and a pair of doctors tried to figure out the unusual responses from the simulated patient’s insulin device – while more than a hundred people watched their every decision.

[Photo, Hearst Television: Medical professionals work on a simulated patient during a demonstration of a simulated cyberattack.]

The heart-pounding, pulse-racing demonstration at a recent cybersecurity conference in downtown San Francisco visualized what happens when a cyberattack paralyzes or hijacks equipment found in every hospital in the country and devices – like insulin pumps – used in many homes.

The crucial question: when hackers take down critical care devices, like in this extreme example, can doctors still save the patient?

“It's a very visceral, sympathetic, stimulating experience,” said Dr. Jeff Tully, who, along with fellow hacker-turned-healer Dr. Christian Dameff, developed the cyber demonstration.

“We're raising the alarm,” Dameff said in a joint interview.

When asked whether most U.S. hospitals can detect the moment a cyberattack is underway, Dameff answered, “I would say not most, no,” and acknowledged that it is a problem for the country’s health care system.

“We believe too much emphasis is put on the protection of patient data instead of the protection of patient care,” he explained. “We joke around that we like our patient's privacy, but we'd like them to be alive to use it.”

“We're tremendously concerned about infrastructure being targeted for health care… A great example of this being WannaCry,” Dameff said.


WannaCry was the cyber shock to a health care system many had long predicted.

In 2017, the malware shut down 16 hospitals across Great Britain. The U.S. blamed North Korea. Nations, non-state actors, hackers and others have various motivations when launching cyber strikes, experts say, including political or financial reasons or simply curiosity or amusement.

"We didn't learn the lessons of WannaCry here in the United States,” warned Dameff.

"Why do we need to wait for people to be hurt by this?” Tully added. “Why can't we prevent that from happening altogether?"

Cyber warnings grow

If prevention is the best medicine, lots of places didn't get the script.

Digital analytics firm Netscout’s Worldwide Infrastructure Security Report found attacks that paralyze web networks at hospitals and physicians' offices, known as distributed denial of service (DDoS) attacks, soared up to 1,400 percent in the past 12 months.

Even though officials with three-quarters of health care organizations said in a recent survey that they've had a "significant security incident" in the past year, only nine percent of health care organizations think supply chain integrity is a top potential cyber threat.

The Department of Homeland Security thinks otherwise.

In research done for the Hearst Television National Investigative Unit, DHS officials said the department has issued more medical device vulnerability warnings, known as advisories, in the past fiscal year (29) than in the previous five years combined (23). Reported vulnerabilities for all sectors – not just medical – have more than doubled since 2016 to 1,302 in the 2018 fiscal year, officials with the department said.

[Graph, DHS: reported vulnerabilities in health hacks.]

The growing cyber threat is why Daniel Beard, the chief technology officer at Irvine, California-based Promenade Software, which makes software for medical devices, helped launch the Medical Information Sharing Analysis Organization (MedISAO). With the blessing of the Food and Drug Administration, it acts as a clearinghouse for normally competitive device manufacturers to share data on vulnerabilities that could affect multiple devices – not just those from one company.

“If you're a hacker and you're looking to get the largest payoff you can,” Beard explained in an interview, “you're not going to attack one medical device. You're going to attack the library that's used in hundreds of medical devices.”

The “library” is a body of reusable code inside a device, almost always written by third-party programmers and sold or licensed to multiple manufacturers for use in an otherwise proprietary product; a flaw in that shared code therefore reaches every device built on it.


Using a laptop and television screen, Beard demonstrated how his company scans a software library for vulnerabilities, especially those that could be exploited. On a day in March, the program detected 30 potential weaknesses in software Promenade is currently developing for use in an ophthalmological device. Each vulnerability was highlighted in red.

A growing but still nascent culture of information sharing is part of an evolution within the medical device community, which is not accustomed to disclosing private information to competitors or to keeping its products updated with the latest cyber protections long after purchase.

“When you sell a device to a hospital, there needs to be a plan in place for how you're going to keep it updated; how you're going to address the new vulnerabilities that come out to it,” Beard said. “For many years, it hasn't been” in the medical device manufacturers’ business plan, he said.

'Clearly 10 to 15 years behind'

Beard has a surprising ally in Michael McNeil, the global product security and services officer at Royal Philips, who bluntly stated in an interview that his industry is “clearly 10 to 15 years behind” in its cybersecurity.

“I will be candid because by being candid, it allows us to help accelerate and move the industry in the right direction,” McNeil said.

At a January FDA workshop on the management of cybersecurity in medical devices outside Washington, D.C., McNeil pressed his peers to, in his words, “step up” to face the challenge.

The FDA used the event, attended by hundreds of industry stakeholders, to roll out and explain new cybersecurity benchmarks devices will be required to meet in order to win its approval.

Dr. Suzanne Schwartz, the deputy director of the Office of Strategic Partnerships and Technology Innovation at the FDA’s Center for Devices and Radiological Health, is leading the effort. She acknowledged in an interview that there is no central database that tracks cyberattacks against hospitals and health care providers or the consequences of those incidents.

When asked whether it would be helpful to have such a nationwide repository of incidents, Schwartz responded, “Yes, it would be … [but] I’m not sure where that repository would be.” To the suggestion that a database of medical device cyber incidents be housed and managed by the FDA – which is in the process of strengthening its cyber guidance for medical devices – Schwartz responded, “I think we’ve got a lot on our plate right now.”

Instead, she said such information sharing and product improvements would work best if they remained voluntary.

“It is much more powerful to really be able to identify different groups among the community and have them really take ownership and accountability,” she said.


[Video: Dr. Suzanne Schwartz at the Food and Drug Administration talks with Chief National Investigative Correspondent Mark Albert about the agency’s efforts to improve cyber security in medical devices and health care.]


New research

Part of that voluntary effort is taking place at the Medical Device Interoperability and Cybersecurity Program lab at Massachusetts General Hospital in Cambridge, led by Dr. Julian Goldman, who is also an attending anesthesiologist at MGH and medical director of Biomedical Engineering for Partners HealthCare.

In April, Goldman and the FDA allowed a television crew from the National Investigative Unit to see the results of an 18-month research project that had never before been shown publicly. Collaborators hope the findings will improve cybersecurity and patient outcomes across America’s health care network.

“You have to think about what bad things could happen and then what steps to put in place before they happen to protect the patients,” explained Goldman.

Goldman's team identified four key shortcomings in U.S. health care:

• Data transmitted within a hospital is typically not encrypted, introducing a potential vulnerability not found in external communications.
• Some technical support staff are overriding manufacturers’ warnings and turning off security protections on devices.
• Most medical professionals are not always trained to recognize when malware infects a device, causing it to malfunction or provide corrupted data.
• Many health care providers need to do a better job of partitioning networks so that during an intrusion, a hacker can't see the entire system on a “flat network.”

Research funding cut

But despite the vital importance of securing cyber defenses in health care, a valuable source of research grants and funds has been cut – and more reductions could be just months away.

Some of the current cybersecurity research at the MGH lab has been cut by the Trump administration by almost 60 percent. In a proposed budget for the next fiscal year submitted to Congress in March, the administration also slashed next year's DHS science and technology budget by 37 percent, or $219 million, a portion of which also goes to fund cyber medical studies.

“This is important research,” Goldman said in an interview in his lab. “It's there to improve patient safety and patient care. So, it's frustrating to see these cuts.”

It's also resulted in a blunt diagnosis from doctors trying to treat the problem.

“Cyber disaster knows no geographic boundary,” said Dameff, the doctor in California who helped develop the cyber demonstration. “If you're connected to the internet, you're vulnerable.”

Check out our Facebook Live where we discussed cyber vulnerabilities in U.S. health care.


Know of waste, fraud, abuse or want to hold someone accountable? Send investigative tips to the National Investigative Unit at investigate@hearst.com.