As ransomware and other disruptive security incidents continue to surge, cyberattacks rank as the top health technology hazard in hospital environments this year, say security experts Chad Waters and Juuso Leinonen of patient safety organization ECRI.
Cyberattacks were identified as the number one health tech hazard in ECRI’s 15th annual special report, titled Top 10 Health Technology Hazards for 2022, “due to there being a lot more demonstrable impact to patient safety,” as seen in some of the ransomware and other cybersecurity incidents occurring over the last year or so, Waters says in an interview with Information Security Media Group.
“We’ve seen hospitals going on divert – that delay of care has impacted patient outcomes. There have been reports of cloud services being unavailable, and that has delayed treatment on the clinical side,” he says.
ECRI, a not-for-profit entity, has reviewed reports about individual medical devices being affected “by a larger security incident,” which affected the clinical functionality of the equipment and in turn affected patients, Waters says.
But attacks on individual hospitals are not the only incidents that potentially affect patients. Incidents involving vendors and the interconnected nature of healthcare delivery also cause disruption, Leinonen says in the joint interview.
“There were examples last year of manufacturers of medical devices and systems being impacted by a cybersecurity concern, which in turn had a direct impact on how some hospitals were treating patients,” he says.
“We’re seeing more and more clinical workflows rely on various connected technologies … and the disruption to the availability of some of these systems … can delay care, and in worst-case scenarios, can lead to harm,” Leinonen says (see: Federal Authorities, Patient Safety Experts Warn of Risks).
Waters adds: “When there’s a security incident in a healthcare system, often the emphasis is on confidentiality and protected health information breaches. But we’re definitely seeing more and more connecting of dots on how [an incident] affects patients” and their safety.
In the interview (see audio link below photos), Leinonen and Waters also discuss:
- Factors ECRI considers in compiling its annual list of top tech hazards;
- Other top 10 health technology hazards in 2022 that have a security risk component;
- How healthcare sector entities can use the ECRI report to improve patient safety in their organizations.
Waters is senior cybersecurity engineer in the health devices group at ECRI, where he develops security guidance for healthcare facilities. He evaluates the security of medical devices, curates ECRI security-related alerts and consults with healthcare facilities about medical technologies. Prior to ECRI, Waters worked for more than a decade in IT security and network engineering within the healthcare sector.
Leinonen is a principal project engineer in the device evaluation group at ECRI. His subject matter expertise includes medical device cybersecurity, infusion technology and telehealth. He is a member of the ECRI medical device security team.