ECRI: Healthcare Ransomware, Cybersecurity Threats Top Concerns

Healthcare ransomware and other cybersecurity threats were at the top of ECRI’s 2018 Top 10 list of health technology hazards.

By Elizabeth Snell

Healthcare organizations need to understand the potential safety issues that come with medical devices and systems, according to the ECRI Institute. Healthcare ransomware threats, medical device networking flaws, and other cybersecurity threats are just some of the possible threats noted on ECRI’s latest list of health technology hazards.

Ransomware and malware were the number one potential technological threat on the 2018 Top 10 list. These attacks can prevent access to patient data and records or even impact networked medical device functionality, ECRI warned.

“Such disruptions can lead to canceled procedures and altered workflows (e.g., reverting to paper records),” report authors wrote. “They can also damage equipment and systems, expose sensitive data, and force closures of entire care units. Ultimately, they can compromise or delay patient care, leading to patient harm.”

“Safeguarding against malware attacks requires a proactive approach involving senior management, clinical engineering, IT, and other individuals throughout the organization.”

ECRI also pointed out that wide-ranging ransomware or malware attacks could disable third-party services, disrupt the supply chain for drugs and supplies, and affect building and infrastructure systems.

Flawed medical device networking was also a top 10 concern, with ECRI saying that data transfer errors or other data communication errors “can delay diagnosis or treatment or prompt a misdiagnosis, affecting patient safety.”

Healthcare organizations must properly assess, approve, and implement networked medical device changes. This is especially critical as more entities have medical devices and information systems connected through hardwired or wireless networks.

For example, if incomplete information is sent from a ventilator to the networked physiologic patient monitor, there may be a delay in patient care and sequential patient harm, ECRI stated.

ECRI Institute Health Devices Group Executive Director David T. Jamison said in a statement that patient safety is usually at the forefront of everyone’s mind, but technology safety can be forgotten.

“As an independent medical device testing laboratory and investigator of technology-related incidents, we know what can go wrong and what steps hospitals can take to reduce patient harm related to specific technologies and processes,” Jamison maintained.

The other top health technology hazards included the following:

  • Endoscope reprocessing failures continue to expose patients to infection risk
  • Mattresses and covers may be infected by body fluids and microbiological contaminants
  • Missed alarms may result from inappropriately configured secondary notification devices and systems
  • Improper cleaning may cause device malfunctions, equipment failures, and potential for patient injury
  • Unholstered electrosurgical active electrodes can lead to patient burns
  • Inadequate use of digital imaging tools may lead to unnecessary radiation exposure
  • Workarounds can negate the safety advantages of bar-coded medication administration systems
  • Slow adoption of safer enteral feeding connectors leaves patients at risk

Medical device security has been noted as a key concern by numerous industry stakeholders as of late, and there have been several pieces of legislation introduced in the past year in an effort to lessen the potential for risk.

Rep. Dave Trott and Rep. Susan Brooks introduced the Internet of Medical Things Resilience Partnership Act in October 2017 to centralize current and relevant frameworks, guidelines, and standards for Internet of Medical Things (IoMT) devices.

The bill calls for the Food and Drug Administration (FDA) and NIST to “establish a working group of public and private entities to develop recommendations for voluntary frameworks and guidelines to increase the security and resilience of networked medical devices sold in the United States that store, receive, access, or transmit information to an external recipient or system for which unauthorized access, modification, misuse, or denial of use may result in patient harm.”

Companies and consumers need a framework to ensure devices and health data remain protected, Brooks said in a statement. Malicious parties are working to gather sensitive information and to manipulate device functionality, she warned.

“This can lead to life-threatening cyber-attacks on devices ranging from monitors and infusion pumps, to ventilators and radiological technologies,” Brooks stated.

In August 2017, Connecticut Senator Richard Blumenthal introduced medical device cybersecurity legislation that focuses on protecting individuals’ medical information. That bill would create a cyber report card for devices and require that testing be performed before devices are sold. Blumenthal explained this approach would increase medical device cybersecurity transparency.

“My bill will strengthen the entire health care network against the ubiquitous threat of cyberattacks,” Blumenthal said in a statement. “Without this legislation, insecure and easily-exploitable medical devices will continue to put Americans’ health and confidential personal information at risk.”

