Hackers attacking healthcare through remote access systems and disrupting operations is the number one patient safety risk, according to the ECRI Institute’s annual Top 10 Health Technology Hazards for 2019.
ECRI Institute said it published 50 cybersecurity-related alerts and problem reports in the last 18 months, a major increase over the prior period.
“Remote access systems are a common target because they are, by nature, publicly accessible. Intended to meet legitimate business needs, such as allowing off-site clinicians to access clinical data or vendors to troubleshoot systems installed at the facility, remote access systems can be exploited for illegitimate purposes,” the report warned.
The ECRI report said that once hackers gain access through these systems, they can move around the network, install ransomware, steal or encrypt data, or hijack computer resources for cryptocurrency mining.
“The consequences of an attack can be widespread and severe, making this a priority concern for all healthcare organizations,” said ECRI Health Devices Program Executive Director David Jamison. “In critical situations, this could cause harm or death.”
The report recommended that healthcare organizations identify, protect, and monitor all remote access systems and points of entry, and adopt cybersecurity best practices, such as a strong password policy, maintaining and patching systems and software, and logging system access.
Around half of senior healthcare executives surveyed by Marsh & McLennan Companies earlier this year said they had instituted multifactor authentication (MFA) to control remote access to private networks.
In addition to MFA, the Marsh & McLennan report recommended a series of measures healthcare organizations can take to prevent threats, including the development of a cyber incident response plan, conducting a cybersecurity gap assessment, and holding phishing awareness training for employees.
Other patient safety risks that made ECRI's top 10, from second to tenth, are:
- “Clean” mattresses can ooze body fluids onto patients
- Retained sponges persist as a surgical complication despite manual counts
- Improperly set ventilator alarms put patients at risk for hypoxic brain injury or death
- Mishandling flexible endoscopes after disinfection can lead to patient infections
- Confusing dose rate with flow rate can lead to infusion pump medication errors
- Improper customization of physiologic monitor alarm settings may result in missed alarms
- Injury risk from overhead patient lift systems
- Cleaning fluid seeping into electrical components can lead to equipment damage and fires
- Flawed battery charging systems and practices can affect device operation
ECRI weighs a number of factors in deciding which patient safety risks make the top 10, including severity, frequency, breadth, insidiousness, profile, and preventability.
In a warning earlier this year about SamSam ransomware, HHS said that attackers were exploiting open Remote Desktop Protocol (RDP) connections and breaking into networks by carrying out brute-force attacks against these endpoints. RDP is a proprietary protocol that provides a user with a graphical interface to connect remotely to another computer over a network connection.
Because SamSam hackers attack RDP connections, HHS recommended that healthcare organizations restrict access behind firewalls with RDP gateways and virtual private networks, use strong, unique usernames and passwords with MFA, limit the users who can log in using remote desktop, and implement an account lockout policy to help thwart brute-force attacks.
HHS said it encourages organizations to use data backups and develop contingency and business continuity plans that can ensure resilient operations during a ransomware event.
Research by security firm Rapid7 confirmed that the leading attack vector in healthcare was remote access, such as suspicious logins, access attempts from disabled accounts, and account leaks, followed by phishing.
The significant number of suspicious logins correlates to the large number of remote entry alerts identified throughout the quarter and ties in to the second-highest threat identified, phishing.
Much of the phishing in the first quarter involved sending users to sites that appear to be authentication sites but are designed to steal a user’s credentials, enabling attackers to log in to the network.
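The brute-force RDP attempts in the HHS warning and the disabled-account access attempts in the Rapid7 findings both surface as failed-logon records on Windows hosts. The following is an added example, not code from ECRI, HHS or Rapid7, showing one way to flag both from logon events; the sample records, the threshold and the window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Windows Security logon events:
# (time, event id, logon type, source IP, account, SubStatus).
# 4625 = failed logon, 4624 = successful logon; logon type 10 = RemoteInteractive (RDP).
# SubStatus: 0xC000006A bad password, 0xC0000064 unknown user, 0xC0000072 account disabled.
SAMPLE_EVENTS = [
    ("2019-01-07T02:14:01", 4625, 10, "203.0.113.7", "administrator", "0xC000006A"),
    ("2019-01-07T02:14:09", 4625, 10, "203.0.113.7", "admin", "0xC0000064"),
    ("2019-01-07T02:14:17", 4625, 10, "203.0.113.7", "administrator", "0xC000006A"),
    ("2019-01-07T02:14:26", 4625, 10, "203.0.113.7", "backup", "0xC0000064"),
    ("2019-01-07T02:14:33", 4625, 10, "203.0.113.7", "administrator", "0xC000006A"),
    ("2019-01-07T08:02:10", 4625, 10, "192.0.2.44", "drlee", "0xC000006A"),
    ("2019-01-07T08:03:02", 4624, 10, "192.0.2.44", "drlee", "-"),
    ("2019-01-07T09:40:55", 4625, 10, "198.51.100.23", "jsmith_old", "0xC0000072"),
    ("2019-01-07T10:05:00", 4625, 2, "-", "frontdesk", "0xC000006A"),  # console, not RDP
]

ACCOUNT_DISABLED = "0xc0000072"
THRESHOLD = 5                    # assumed: failures from one source ...
WINDOW = timedelta(minutes=10)   # ... within this window counts as brute force


def analyze(events, threshold=THRESHOLD, window=WINDOW, logon_types=(10,)):
    """Return (sources that look like brute force, [(source, disabled account)]).

    With Network Level Authentication, failed RDP logons are recorded as
    logon type 3, so pass logon_types=(3, 10) on hosts that enforce NLA.
    """
    failures = defaultdict(list)
    disabled = []
    for ts, event_id, logon_type, src, user, sub_status in events:
        if event_id != 4625 or logon_type not in logon_types:
            continue
        failures[src].append(datetime.fromisoformat(ts))
        if sub_status.lower() == ACCOUNT_DISABLED:
            disabled.append((src, user))
    brute = set()
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over failures
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                brute.add(src)
                break
    return brute, disabled
```

A single mistyped password followed by a successful logon stays below the threshold, while any attempt against a disabled account is reported regardless of volume.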