Cyber Threats Top ECRI Institute’s 2019 Health Technology Hazards

ECRI Institute, one of the leading patient safety and medical technology research organizations, places health technology cybersecurity at the top of its just-released 2019 Top 10 Health Technology Hazards. This was also the case for ECRI’s 2018 list, demonstrating the ongoing significance of cybersecurity as an issue.

ECRI Institute is providing an abridged version of its 2019 Top 10 list of health technology hazards as a free public service to inform healthcare facilities about important safety issues involving the use of medical devices and systems. The new report identifies safety issues and action steps for 10 dangerous and preventable hazards.

The report highlights the potential for hackers to exploit remote access systems to gain unauthorized entry to a healthcare organization's networked devices and systems. Such attacks can disrupt healthcare operations, hindering the delivery of care and putting patients at risk.

Cybersecurity is clearly a growing concern. ECRI Institute published 50 cybersecurity-related alerts and problem reports in the last 18 months alone, a significant increase over the prior period. Cybersecurity attacks that infiltrate a network by exploiting remote access functionality on connected devices and systems can render them inoperative, degrade their performance, or expose or compromise the data they hold, all of which can severely hinder the delivery of patient care and put patients at risk.

Remote access systems are a common target because they are, by nature, publicly accessible. Intended to meet legitimate business needs, such as allowing off-site clinicians to access clinical data or vendors to troubleshoot systems installed at the facility, remote access systems can be exploited for illegitimate purposes.

Attackers take advantage of unmaintained and vulnerable remote access systems to infiltrate an organization’s network. Once they gain access, whether through medical or nonmedical assets, attackers can move to other connected devices or systems, installing ransomware or other malware, stealing data or rendering it unusable, or hijacking computing resources for other purposes, such as generating cryptocurrency.

Safeguarding assets requires identifying, protecting and monitoring all remote access points as well as adhering to recommended cybersecurity practices such as instituting a strong password policy, maintaining and patching systems and logging system access.

Ransomware and other types of malicious software programs (malware) can disrupt healthcare delivery operations, hindering the delivery of care and putting patients at risk. These programs infiltrate a network, propagate through connected devices and systems, and encrypt data, disabling user access, software and IT assets. Multiple variants of ransomware and other malware have infected healthcare facilities and other organizations throughout the world. In a healthcare environment, a malware attack can significantly impact care delivery by rendering health IT systems unusable, by preventing access to patient data and records, and by affecting the functionality of networked medical devices. Further, such attacks can disable third-party services, disrupt the supply chain for drugs and supplies, and affect building and infrastructure systems. Such disruptions can lead to cancelled procedures and altered workflows (e.g. reverting to paper records). They can also damage equipment and systems, expose sensitive data and force closures of entire care units. Ultimately, they can compromise or delay patient care, leading to patient harm. Safeguarding against malware attacks requires a proactive approach involving senior management, clinical engineering, IT and other individuals throughout the organization.

The 2019 Top 10 Health Technology Hazards executive brief is available for complimentary download here or here.

Also available for free download is ECRI’s article: Ransomware Attacks: How to Protect Your Medical Device Systems

ECRI Institute's engineers, scientists, clinicians, and other patient safety analysts select topics based on insights gained during incident investigations, medical device testing, and reviews of problem reporting databases. They weigh factors such as the severity, frequency, breadth, insidiousness, and profile of the hazards.

The annual list defines the top health technology hazards that ECRI Institute believes warrant priority attention by healthcare leaders. It serves as a starting point for discussions, helping healthcare organizations plan and prioritize their patient safety efforts. The annual report includes practical solutions that can help prevent patient harm.

Other topics on the list include contaminated mattresses, retained surgical sponges, improperly set alarms on ventilators and physiologic monitors, recontaminated endoscopes, infusion pump errors, mechanical failures with overhead patient lifts, damage to electrical equipment from cleaning fluids, and battery charging errors.

For more information on questions such as what cyberattackers want, where the vulnerabilities are, where to begin, and how to protect your hospital with a cybersecurity gap analysis, please contact the ECRI Institute and also download your free copy of the 2019 Top 10 Healthcare Technology Hazards executive brief.

ECRI Institute, European Office, Suite 104, 29 Broadwater Road, Welwyn Garden City, Hertfordshire, AL7 3BQ, United Kingdom

01707 831001
