Ransomware Makes ECRI’s Top Health Tech Hazards List

February 05, 2024 - ECRI named ransomware as one of the top ten health tech hazards of 2024 in its annual report, following a record year for healthcare data breaches. Ransomware and other cyber risk areas have made ECRI’s list multiple times in the past as the industry continues to face persisting cyber threats.

Ransomware took the number six slot on ECRI’s top health tech hazards list, trumped by medical device usability challenges, inadequate device cleaning instructions, and overlooked environmental impacts of patient care, among others.

“All the items on our list represent problems that can be avoided or risks that can be minimized through the careful management of technologies,” ECRI noted.

ECRI, a nonprofit that focuses on health tech safety, based its rankings on user-submitted reports of adverse medical device events and other analyses. ECRI said that its list “reflects our judgment about which risks should be given attention now to help care providers, as well as device manufacturers, prioritize their patient safety effort.”

When it comes to ransomware, ECRI stressed the importance of policymaker and stakeholder action to reduce risk.

“[healthcare organizations] can, and should, implement measures to manage cybersecurity risks. Specifically, they should deploy a framework for identifying risks, protecting against them, detecting and responding to ongoing threats, and recovering from an attack,” the paper stated.

“These measures aren’t foolproof, however. In this fight, [healthcare organizations] are overmatched. They need help from policymakers and other stakeholders.”

ECRI recommended that policymakers consider incentives for implementing strong security programs, a measure that is already in the works as part of HHS’ healthcare cybersecurity strategy.

In addition to ransomware, the patient confidentiality risks of third-party web analytics software also made ECRI’s top health tech hazards list. At number ten, ECRI called attention to the issue of third-party tracking tech misuse and urged healthcare organizations to take action.

“Third-party web analytics software can provide businesses with valuable statistics and insights about how customers use their websites,” ECRI noted. “For healthcare organizations, though, these tools pose a hidden risk: Web analytics software installed on patient portals and other provider websites and applications can allow third-party companies (e.g., Meta, Google, Adobe) to collect information that could reveal details about the patient’s medical condition.”

As previously reported, healthcare organizations and tech companies have been under scrutiny over the widespread presence of third-party tracking tech on hospital websites. A study published in Health Affairs in April 2023 found third-party tracking technologies present on nearly all US nonfederal acute care hospital websites.

While the use of this technology is not inherently bad, its presence on certain parts of hospital websites may mean that sensitive health data is transmitted back to the tech companies that operate these tools, creating rampant privacy risks.

ECRI recommended that “healthcare organizations remove third-party web analytics software from patient portals, as well as from ‘find a doctor’ and medical library pages.

“In ECRI’s view: Patients expect a provider’s website to be a confidential safe haven for seeking medical information, treatment, and services. The collection and potential exploitation of private information could lead to patient distrust of the healthcare provider,” ECRI continued.

In its 17th year, ECRI’s list provides healthcare stakeholders with additional insights into existing and potential risk areas that could pose threats to patient safety. With this in mind, healthcare leaders can take action to prioritize these risks and address health tech shortcomings.