Cybersecurity is 2015 Top Health Technology Hazard

Cybersecurity should be a top priority for healthcare organizations, especially with more facilities implementing EHRs and connecting to HIEs. However, healthcare organizations might need to up their game for the new year, as a recent report cites cybersecurity as one of the top health technology hazards for 2015.

Insufficient protections for medical devices and systems were listed as an area of concern on ECRI’s “2015 Top 10 Health Technology Hazards” report.

“Protecting medical devices against malware that could potentially affect the functionality of the device or the integrity of patient data is one key cybersecurity measure,” the report said. “Unfortunately, healthcare facilities face a variety of obstacles that complicate the process of keeping medical devices up to date with the recommended operating system (OS) patches and anti-malware protections.”

Delays in the availability of OS patches were one of the obstacles that could hinder the update of medical devices, according to researchers. Moreover, being unable to apply those patches – or anti-malware software – to certain medical devices due to concern that any changes will affect the devices’ functionality was another hindrance listed.

“Another key cybersecurity measure involves protecting the patient data that is collected and transmitted by medical devices and systems,” read the report. “While data breaches do not pose a direct threat to the patient’s health, they nevertheless need to be addressed in a healthcare facility’s cybersecurity program.”

Not only are laptops, USB devices, and cell phones being used more often to exchange and transport sensitive data, but they can easily be lost, stolen or accessed by unauthorized users. Because of this, it’s essential that healthcare facilities consider security measures such as encryption and access control for these and any other devices that can access and store patient information.

ECRI recommended that clinical engineering, IT, and risk management departments collaborate on reviewing cybersecurity management policies. Additionally, those departments should update any policies if necessary.

Auditing the long-in access to all medical devices is also something that healthcare organizations should do, according to the report. Having an appropriate password policy, or a type of access-control method, will also help potentially curb cybersecurity issues.

Overall though, facilities are well-advised to implement a medical device security program that parallels, or is even incorporated into, the organization’s IT security program, ECRI stated. Such a plan should include, reliable safeguards against security threats, along with a mitigation plan in case the network is infiltrated with malware. Additionally, a cybersecurity risk assessment should be included. An assessment that is based on the organization’s current inventory of devices and systems will be more comprehensive and helpful.

Some of the other top health technology hazards listed by ECRI were alarm hazards, data integrity, ventilator disconnections and robotic surgery complications.

According to ECRI Institute Vice President of Technology Evaluation and Safety James Keller, Jr., technology safety can often be overlooked.

“Based on our experience, there are serious safety problems that need to be addressed. ECRI Institute recommends that hospitals use our list as a guide to help prioritize their technology-related safety initiatives,” Keller said in a statement.