Remote Hacking of Medical Devices and Systems Tops ECRI’s 2019 List of Health Technology Hazards

The ECRI Institute, a non-profit organization that researches new approaches to improve patient care, has published its annual list of the top ten health technology hazards for 2019.

The purpose of the list is to help healthcare organizations identify possible sources of danger or issues with technology that have potential to cause patients harm to allow them to take action to reduce the risk of adverse events occurring.

To create the list, ECRI Institute engineers, scientists, clinicians and patient safety analysts used expertise gained through testing of medical devices, investigating safety incidents, assessing hospital practices, reviewing literature and talking to healthcare professionals and medical device suppliers to identify the main threats to medical devices and systems that warrant immediate attention.

Weighting factors used to produce the final top 10 list includes the likelihood of hazards causing severe injury or death, the frequency of incidents, the number of individuals likely to be affected, insidiousness, effect on the healthcare organization, and the actions that could realistically be taken to reduce any impact on patient care.

Unsurprisingly, given the volume of cyberattacks on healthcare organizations, the high potential for harm, and the number of individuals that could be affected, the remote accessing of healthcare systems by hackers was rated as the number one hazard for 2019.

There is considerable potential for the remote access functionality of medical devices and systems to be exploited by hackers. A cyberattack could render medical devices and systems inoperative or could degrade their performance, which could have a major negative impact on patient care and could place patients’ lives at risk. Cyberattacks could also result in the theft of health data, which could also have a negative effect on patients.

ECRI notes that while cyberattacks can have a negative impact on healthcare providers, resulting in reputation damage and significant fines, cybersecurity is also a critical patient safety issue.

Hackers can easily take advantage of unmaintained and vulnerable remote access systems to gain access to medical devices and healthcare systems. They can move laterally within the network and gain access to medical and nonmedical assets and connected devices and systems. Patient data can be stolen, malware installed, computing resources can be hijacked, and ransomware can be installed which could render systems inoperable. In the most part, these attacks are preventable.

“Safeguarding assets requires identifying, protecting, and monitoring all remote access points, as well as adhering to recommended cybersecurity practices, such as instituting a strong password policy, maintaining and patching systems, and logging system access,” suggests ECRI.

The full Top Ten List of Health Technology Hazards for 2019 are:

  1. Hackers Can Exploit Remote Access to Systems, Disrupting Healthcare Operations
  2. “Clean” Mattresses Can Ooze Body Fluids onto Patients
  3. Retained Sponges Persist as a Surgical Complication Despite Manual Counts
  4. Improperly Set Ventilator Alarms Put Patients at Risk for Hypoxic Brain Injury or Death
  5. Mishandling Flexible Endoscopes after Disinfection Can Lead to Patient Infections
  6. Confusing Dose Rate with Flow Rate Can Lead to Infusion Pump Medication Errors
  7. Improper Customization of Physiologic Monitor Alarm Settings May Result in Missed Alarms
  8. Injury Risk from Overhead Patient Lift Systems
  9. Cleaning Fluid Seeping into Electrical Components Can Lead to Equipment Damage and Fires
  10. Flawed Battery Charging Systems and Practices Can Affect Device Operation

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.