Remote access exploits claim top technology hazard in ECRI's 2019 threat list

Remote access systems enable clinicians and IT staff to access critical systems while off-site. But malicious actors can take advantage of these systems. (Getty/Vladdeep)

Remote access exploits are the top IT hazard facing providers in 2019, according to the ECRI Institute.

This attack vector, in which malicious actors infiltrate a network through remote access systems, is extremely common because the systems are publicly accessible by design. To make matters worse, they often give users a large degree of control over the remote system being accessed.

"Intended to meet legitimate business needs, such as allowing off-site clinicians to access clinical data or vendors to troubleshoot systems installed at the facility, remote access systems can be exploited for illegitimate purposes," ECRI said in its annual report on top tech hazards. "Once they gain access, … attackers can move to other connected devices or systems, installing ransomware or other malware, stealing data or rendering it unusable, or hijacking computing resources for other purposes, such as to generate cryptocurrency."

IT staff should consistently monitor and identify all remote access points to make sure only trusted individuals are accessing these systems, the report said. In addition, the institute recommended a strong password policy and frequent system patches to keep accounts in the right hands.

Cybersecurity threats have topped ECRI's list in previous years, but the mention of a specific threat vector this time around suggests the organization is narrowing down the most dangerous threats to providers. 

"The consequences of an attack can be widespread and severe, making this a priority concern for all healthcare organizations," David Jamison, executive director of ECRI's Health Devices program, said in a release. "In critical situations, this could cause harm or death." 


In addition to the top cyberthreat, ECRI's top 10 list included several common problems, such as those concerning the proper cleaning and maintenance of equipment. But it also touched on a few IT issues concerning infusion pumps and patient monitoring alarms:

  • Mechanical ventilator alarms: In two cases early this year, alarms on mechanical ventilators were improperly set, putting patients at significant risk. ECRI recommended verifying the policies around setting alarms on the devices.
  • Infusion pump errors: Manual entry errors in infusion pumps, such as inputting the intended flow rate in the dose rate field, can put patients at high risk for dangerous medication errors. Clinicians said these errors occur relatively frequently, but the incidents are rarely reported.
  • Monitor alarm customization mistakes: Physiological monitoring alarms should strike a balance so they don't activate too frequently (which causes alarm fatigue) or too rarely (which can put patients in harm's way). This setting has to be customized to each patient's needs, so ECRI suggested that providers need "thoughtful policies" about how to set them.

ECRI's list, it should be said, is based on the threats the institute believes are most threatening to providers, not necessarily on which threats are most common among them.

"The list does not enumerate the most frequently reported problems or the ones associated with the most severe consequences—although we do consider such information in our analysis. Rather, the list reflects our judgment about which risks should receive priority now," the report said.