Cybersecurity threats pose biggest healthcare hazard, ECRI reports

Malware attacks in healthcare can put patient safety at risk, shutting off access to records, taking down medical devices and interrupting supply chains, according to a new report from the ECRI Institute that puts ransomware and cybersecurity threats at the top of its technology hazards list for 2018.

To prevent cyberattacks, healthcare organizations must be proactive and engage their employees in safeguarding efforts, according to the ECRI Institute, a patient-safety not-for-profit.

"This is an issue that needs to be tackled by all different departments within a healthcare facility," said Juuso Leinonen, ECRI's product officer for health devices. "The collaboration between different departments, even the clinicians, is key to successful cybersecurity."

As expected, the number of data breaches in healthcare is on the rise. So far, there have been more data breaches in 2017 than there were in 2016. Between Jan. 1 and Nov. 1, 2017, there were 255 breaches submitted to the Office for Civil Rights that are still under investigation and another 34 breaches that have been resolved—a total of 289. That's up 12.5% from the same period last year, when 257 breaches were reported.

Yet another piece of ransomware—BadRabbit—has spread around the world in recent weeks, sticking mostly to Eastern Europe. It comes less than six months after the WannaCry ransomware crippled health systems and other organizations and after Merck and others were hit by the NotPetya ransomware.

The added threats come as the Office of National Coordinator for Health Information Technology faces a reduced budget, said Liz Johnson, chair of the board of the College of Healthcare Information Management Executives, at the group's Fall CIO Forum last week. That could affect the government's ability to implement security reporting programs or other safeguards.

Cybersecurity was a hot topic at CHIME's forum, as industry leaders discussed the diminishing value of actual patient records and the increasing value hackers see in interrupting systems' functioning. There are so many records available on the darknet now that they aren't worth as much anymore, Cynergistek CEO Mac McMillan said. "Disrupting systems has value," he said.

Disrupting systems also affects patient safety, since providers may be unable to access patient records or other systems.

"Ransomware gets a lot of attention from an IT point of view, but it also needs to be looked at in terms of how it affects patients," said Rob Schluth, ECRI's senior project officer for health devices.

Cybersecurity isn't the only patient safety danger healthcare organizations need to watch out for. Other items on ECRI's list of hazards include bed and stretcher contamination by body fluid and microbiological substances, unnecessary radiation exposure through the improper use of digital imaging, and missed alarms that come from notification systems and devices that weren't correctly configured.

To address the hazards listed, ECRI suggested "careful management of technologies." That way, healthcare organizations can prevent doing patients harm.