Cybersecurity tops ECRI’s list of technology hazards in 2018

Ransomware and other disruptive cybersecurity attacks are the leading health IT hazard for hospitals in the coming year, according to the ECRI Institute.

ECRI ranked “ransomware and other cybersecurity threats” No. 1 on its annual list of technology hazards across the healthcare industry. The organization argues that given the prevalence of large-scale attacks that shut down hospital networks and significantly disrupt care, cybersecurity has become a prominent patient safety issue.

In the past, ECRI's list has mentioned cybersecurity issues as part of broader concerns, but this is the first time cybersecurity has been ranked as a top priority. 

“Such disruptions can lead to canceled procedures and altered workflows (e.g., reverting to paper records),” the report states. “They can also damage equipment and systems, expose sensitive data and force closures of entire care units. Ultimately, they can compromise or delay patient care, leading to patient harm.”

ECRI’s annual list is compiled by engineers, scientists and analysts who rank health IT hazards based on investigations and anecdotal evidence from clinicians, as well as thousands of reports generated through the organization’s Problem Reporting Network. Analysts and external advisors build the lists based on the severity, frequency and insidiousness of identified hazards.

The top ranking shouldn't be a surprise for hospital executives. It’s been a landmark year for cyberattacks in the healthcare industry. In May a global attack known as WannaCry shut down large portions of the United Kingdom’s NHS system, offering a “global wakeup call” for providers.

A month later, another attack known as NotPetya forced one West Virginia hospital to rebuild its system from scratch and shut down transcription services provided by Nuance. In between those attacks, a Department of Health and Human Services Cybersecurity Task Force unveiled a comprehensive report outlining some of the most pressing concerns for the industry.

Many of the other threats identified on ECRI’s list were repeats from last year's top 10, including:

  • Improperly cleaning medical devices leading to malfunctions or equipment failures
  • Missed alarms from inappropriately configured devices
  • Inadequate use of digital imaging tools that can lead to unnecessary radiation exposure
  • Workarounds associated with bar-code medication administration
  • Poor medical device networking that prevents prompt data transfers, leading to a delay in diagnosis and treatment