ECRI Institute has named health technology cybersecurity at the top of its just-released 2019 Top 10 Health Technology Hazards. The report highlights the potential for hackers to exploit remote access systems to gain unauthorized entry to a healthcare organization’s networked devices and systems. Such attacks can disrupt healthcare operations, hindering the delivery of care and putting patients at risk.
Cybersecurity is clearly a growing concern. ECRI Institute published 50 cybersecurity-related alerts and problem reports in the last 18 months, a major increase over the prior period.
“The consequences of an attack can be widespread and severe, making this a priority concern for all healthcare organizations,” says David Jamison, executive director of ECRI’s Health Devices program. “In critical situations, this could cause harm or death.”
The annual list defines the top health technology hazards that ECRI Institute believes warrant priority attention by healthcare leaders. It serves as a starting point for discussions, helping healthcare organizations plan and prioritize their patient safety efforts.
Other topics on the list include contaminated mattresses, retained surgical sponges, improperly set alarms on ventilators and physiologic monitors, recontaminated endoscopes, infusion pump errors, mechanical failures with overhead patient lifts, damage to electrical equipment from cleaning fluids, and battery charging errors.
“Healthcare organizations need to take technology safety seriously,” says Jamison. “That’s why our annual report includes practical solutions that can help prevent patient harm.”
The full report, accessible to ECRI Institute members, provides detailed steps that organizations can take to prevent adverse incidents at their facilities, not just respond to them. The 2019 Top 10 Health Technology Hazards executive brief is available for complimentary download here.
There are two things to note here. One is that ECRI’s methodology for arriving at its list is not exactly scientific. Second, even if an item on the list is a global or general priority, this doesn’t automatically make it a local priority. You still need to do your own risk assessment to decide what it is you need to be working on.
It’s not intended to be scientific. It’s intended to serve as a major industry threat list based on what’s actually happening in your world. Of course you need to decide what the highest threats are internally. That’s common sense. This list isn’t at all intended to replace your in-house risk assessment. However, it would be foolish to ignore the threats on the list just because your current biggest threat isn’t on the list or isn’t ranked as high as some others. That said, I’ll guarantee you your organization faces at least multiple, if not every single one, of these threats–and that some of them should be high priorities for your organization to mitigate right now.