Hospital network hacks pose biggest tech threat: ECRI Institute
Hackers can sneak into hospitals' networks through remote-access systems, potentially disrupting care and operations and putting patient safety at risk, according to a new report from the ECRI Institute.
To keep hackers from gaining access to networks and installing malware on connected devices, hospitals need strong policies governing remote access, according to the ECRI Institute, a patient safety not-for-profit, which put hacks via remote-access systems at the top of its annual technology hazards list. Remote systems include remote desktop protocol servers on Windows computers and radiology viewing servers.
"Hospitals need to take seriously the vulnerabilities they have in their systems," said Dave Jamison, executive director of ECRI's health devices group. They should also heed the FBI's advice to not pay hackers ransom when they hold digital assets hostage with ransomware, Jamison said.
Two-factor authentication and frequent updates can also help, according to the Internet Crime Complaint Center, the U.S. Department of Homeland Security and the FBI. Those groups just released an alert on remote desktop protocol cyberthreats.
Though the problem is preventable, it will likely get worse before it gets better, Jamison said. Between January and the end of August of 2018, 7.2 million records were breached in 250 incidents that were reported to HHS' Office for Civil Rights, up 8% over the same period of 2017. In both years, hacking and "IT incidents" made up the largest share of breaches.
And network server breaches in particular have been on the rise, according to a study recently published in JAMA.
That's despite the fact that healthcare organizations have been spending more on information technology, according to the Ponemon Institute.
Data breaches can be expensive. Jamison pointed to Erie County Medical Center in Buffalo, N.Y., which spent almost $10 million to recover from a ransomware attack. The 602-bed hospital rebuilt its systems, rather than paying hackers $30,000 for access.
Other digital problems made ECRI's list for 2019. Missed alarms, at No. 7, can harm patients, as providers miss changes in the status of both the patients themselves and the medical devices and systems attached to them. Hospitals and health systems must customize alarm systems by unit and by patient, according to ECRI.
"If you don't take advantage of customization, or if you do it wrong, there's a good possibility you could have a missed alarm," said Erin Sparnon, manager of ECRI's health devices group.
Providers might also miss alarms if medical device batteries are low, a problem ECRI included on its list for the first time. When medical devices' batteries aren't sufficiently charged, patients could die, according to the institute. The problem is both with charging practices and with the devices themselves, which may have faulty battery-level indicators.
To address the problem, ECRI recommended that healthcare providers check battery systems before purchasing them.