The ECRI Institute's annual list of health technology dangers can prompt healthcare leaders to address cyber vulnerabilities.
Endoscope reprocessing failures, missed alarms, neglecting to use technology the way it's intended all figure prominently in ECRI Institute's annual Top 10 Health Technology Hazards for 2018 list. But the No. 1 hazard is ransomware and other cybersecurity threats, which impacts the safety of patients and threatens the safety of their sensitive personal information, too.
Cyberattacks have hit healthcare organizations several times this year, including in June, when the pharmaceutical company Merck, health records service Nuance Communications, and the Pennsylvania-based Heritage Valley Health System were among the many entities affected by a global ransomware, and in May, when the United Kingdom's National Health Service was crippled when a global ransomware attack—dubbed "WannaCry"—forced appointments and operations to be cancelled, hospitals to disconnect from email, IT systems to be shut off, and some facilities to turn patients away.
"The disruption has the potential to cause a patient safety issue and can ultimately lead to patient harm," says Juuso Leinonen, senior project engineer for ECRI Institute's Health Devices Group, a nonprofit organization dedicated to applied scientific research for the improvement of patient care. He says ransomware can impact IT systems and data and make them unusable.
Leinonen said the ECRI Institute "look[s] at ransomware in the context of how that can impact anything from your data to your normal workflow."
For example, ransomware often uses encryption to make data unavailable for use, and that can impact anything that's used within the normal workflow, from EHR systems to the thousands of networked devices in the organization, such as ventilators and pumps.
"If you suddenly cannot access those systems or utilize those devices, we strongly feel like that can lead to compromised patient care," Leinonen says.
In addition to delaying care, ransomware can compromise patient data, damage information systems, and hurt an organization's reputation.
"The cleanup can cost a lot," he says.
Leinonen offers insights to hospital and healthcare system leaders about how to be as prepared as possible for cyber threats. Six points for leadership to consider are:
- Define organization-specific goals to improve security and develop a practical plan.
- Prioritize resource allocation, including money and people power. (The 2017 HIMSS Cybersecurity Survey found that 71% of the organizations included in the survey allocate specific budget toward cybersecurity. Additionally, 80% of IT leaders said their organization employs dedicated cybersecurity staff).
- Conduct real-life exercises and drills that consider overall organizational response and what the clinical workflow would be in the case of an attack (including the chance of reverting to a paper workflow).
- Create a complete and detailed inventory of assets that are connected to the hospital networks. "It's probably near impossible to tackle it unless you know the types of assets that are in your organization and what they're used for," Leinonen says.
- Involve everyone in the organization, which can be as small as reminding everyone not to click on suspicious emails. "It requires a collaboration in the org; this is not just an IT headache," Leinonen says. "This is something where every department in the facility can contribute to the overall security posture."
- Institute a plan for identifying when software updates are available, confirming whether a device can be safely updated, and applying the updates in a timely manner.
Alexandra Wilson Pecci is an editor for HealthLeaders.
