No. 1 Patient Safety Threat? Ransomware, CyberattacksECRI Institute Releases List of Top 10 Health Technology Hazards
While dirty hospital mattresses and the failure to properly disinfect medical gear are among top safety risks posed to patients, ransomware and other cyberattacks will pose even bigger threats to patients in 2018, according to the ECRI Institute. The non-profit patient safety research organization named ransomware and cybersecurity threats as the No. 1 health technology hazard for 2018.
"This is the first year ransomware has been included in the ECRI Institute's Top 10 Health Technology Hazards list," says Juuso Leinonen, senior project engineer at the health devices group of ECRI. "Cybersecurity topics have been covered in the past, but this is the first year a cybersecurity topic has been ranked No. 1 in the list."
During the past year, ransomware showed its potential to disrupt healthcare delivery, he says. "We saw several global ransomware attacks that impacted various organizations, including some hospitals. Ransomware has the potential to impact technologies crucial for patient care, such as patient information systems and medical devices," Leinonen says. "Lack of access to these systems and devices can result in compromise or delay to patient care, which can lead to patient harm. Ransomware can also result in financial losses due to disruption to hospital operations such as postponed appointments and elective surgeries."
ECRI's top 10 list of health technology hazards identifies the potential sources of danger involving medical devices and other health technologies that the research organization says warrant the greatest attention for the coming year.
Global Health Threat
Global attacks, including those involving WannaCry and NotPetya, have had a heavy impact on the healthcare sector across the globe so far in this year, from the National Health System in the United Kingdom to medical device manufacturers including Bayer AG and pharmaceutical giant, Merck.
During the WannaCry ransomware attacks back in May, at least two U.S. hospitals reported that their imaging systems from Bayer AG had been infected.
Numerous other hospitals and clinics in the U.S. have also been victims of ransomware attacks that have greatly disrupted the delivery of patient care.
For instance, just last month, Arkansas Oral & Facial Surgery Center acknowledged that a ransomware attack in July not only shut down access to some electronic patient data but also rendered imaging files, including X-rays, inaccessible for an undisclosed period of time.
One of the highest-profile cyberattacks in 2016, which was suspected of involving ransomware, greatly disrupted patient care for several days at MedStar Health. The 10-hospital system serving Maryland and Washington area said it shut down many of its systems to avoid the spread of malware.
Ransomware and Medical Devices
The Food and Drug Administration recently called attention to the risks malware poses to medical devices. In an Oct. 31 blog post, Suzanne Schwartz, M.D., associate director for science and strategic partnerships at the FDA's Center for Devices and Radiological Health, wrote: "A computer virus or hack resulting in the loss of or unauthorized use of data is one thing. A breach that potentially impacts the safety and effectiveness of a medical device can threaten the health and safety of an individual or patients using the device."
Schwartz, who'll be a speaker at Information Security Media Group's Healthcare Security Summit in New York on Nov. 14-15, wrote that the FDA "encourages medical device manufacturers to proactively update and patch devices in a safe and timely manner" to avoid having their products compromised by ransomware or other cybersecurity threats.
Managing cybersecurity in a healthcare environment is extremely difficult, ECRI's Leinonen says, because a hospital might have "thousands of devices from hundreds of vendors."
Healthcare facilities need to acknowledge that mitigating the risk of ransomware is not solely a problem for IT, he stresses.
"Collaboration within your organization is a key to success. Various departments, including IT, clinical engineering, information security, risk management, purchasing and clinicians all have a part to play," he says.
Susan Lucci, chief privacy officer and senior consultant at security consultancy Just Associates, says all healthcare entities can take two steps to better prepare and deal with emerging cyber issues that can pose a hazard to patient privacy and safety.
"Have a well-established privacy and security committee that meets to review subjects like this regularly, and have a clearly defined breach response plan and breach response team to quickly respond to immediate threats that may arise," she says.
Malware can pose risks to patients in several ways, says Curt Kwak, CIO of Proliance Surgeons in Washington state. "Ransomware will halt workflows, halt data processing and the [malware's] ongoing threat of data corruption could jeopardize the practitioner's trust in the data that they are utilizing to treat their patients," he says.
Nevertheless, some organizations fail to realize that ransomware poses a threat to patient safety, says Keith Fricke, principal consultant at tw-Security. For example, he notes, "those entities that have experienced ransomware events may have been inconvenienced by files getting encrypted that did not directly impact patient care." So they may not see ransomware as a patient safety issue.
Fricke says many organizations' data backup plans are insufficient, putting them at additional risk. "In addition, those with mature backup strategies have to be wary of ransomware-encrypted files getting replicated to their offsite backups," he points out.
And because ransomware and other cyberattacks show now sign of abating, Kwak stresses that it's "critical for the organizations to continue to monitor and protect their data environment and educate their end users on the best cybersecurity practices."