Cybersecurity attacks top list of health technology hazards for 2022

In January, nonprofit patient-safety organization ECRI released a report of the top 10 health technology hazards for 2022. Health IT concerns made up half of them. Reviewing the list — compiled by the organization each year in response to member surveys, literature reviews, testing medical devices in their lab and investigating patient safety incidents — can provide journalists with a good primer on trends to watch. The annual report identifies potential sources of danger the organization believes warrant the greatest attention.

Perhaps unsurprisingly, cybersecurity attacks ranked at the top of the list. All health care organizations are subject to cybersecurity incidents, the report noted: “The question is not whether a given facility will be attacked but when.” A cybersecurity incident could threaten network-connected medical devices and data systems that have become essential for safe and effective care delivery, the authors wrote. “Consequences may include rescheduling of appointments and surgeries, diversion of emergency vehicles, or closure of care units or even whole organizations — all of which could put patients at risk.”

“Responding to these risks requires not only a robust security program to prevent attacks from reaching critical devices and systems, but also a plan for maintaining patient care when they do,” they said.

Acknowledging this concern, manufacturers are more often building security features into the design of medical devices, said Kevin Fu, Ph.D., acting director of medical device cybersecurity at the U.S. Food and Drug Administration’s Center for Devices and Radiological Health and program director for the Digital Health Center of Excellence, during an ECRI webcast about cybersecurity.

Several industry initiatives will be prominent this year, said Fu, who is also associate professor of electrical engineering and computer science at the University of Michigan. One is a software bill of materials (SBOM), “basically an ingredient list of third-party software on the inside of a medical device,” he said. Work ongoing at FDA and the International Medical Device Regulators Forum has been focused on how to provide SBOMs for different use cases, such as helping health care delivery organizations better understand risk management for what’s on the inside of a medical device they purchase.

Another key initiative is threat modeling — “the cybersecurity equivalent to hazard analysis,” Fu said. The FDA in November 2021 released a Playbook for Threat Modeling Medical Devices, coauthored by MITRE Corp. and the Medical Device Innovation Consortium. The document serves as a reference guide for medical device manufacturers on how to apply these concepts, such as how to characterize an adversary and what to defend against in their designs.

“Long gone are the days where a manufacturer can say something like, ‘Well, you’ve just got to put this medical device on a secure hospital network,’” Fu said, “because we know secure hospital networks don’t exist. That’s a fantasy.”

Career development, helping the biomedical engineering community better understand what it can pull from the cybersecurity discipline into its work, is another priority, he said. Partnering with the University of California San Francisco-Stanford Center of Excellence in Regulatory Science and Innovation, Fu leads a monthly distinguished speaker series on cybersecurity for biomedical engineering.

Other health IT-related items on ECRI’s Top 10 list were:

Damaged infusion pumps (#3). ECRI has received reports of damaged infusion pumps used during patient care, which could lead to dangerous, or possibly fatal, medication administration errors. Improperly working pumps may be unable to properly regulate the flow of medication, leading to over- or under-infusion of medication or complete cessation of medication administration. Clinical staff need to be alert to signs of damage and know how to respond if damage is suspected or observed, the report said.

Telehealth workflow and human factors shortcomings (#5). Telehealth programs proved valuable during the COVID-19 pandemic, the authors said, but some facilities and caregivers are now feeling the strain of using programs rapidly implemented during a crisis. “As facilities seek to optimize telehealth care-delivery models for the long term, they must address factors that could lead to poor outcomes, both for patients (such as misdiagnoses or delays in care) and providers (such as cognitive overload or clinician burnout),” the authors wrote. Factors to consider include ease of use and the amount of data care providers receive.

Artificial intelligence (AI)-based reconstruction of images that could cause distortion (#7). AI is more frequently replacing standard algorithms used to reconstruct images from tests such as MRIs or CT scans. While it may optimize quality and speed, it also has potential instabilities and limitations, the authors noted. Tiny deviations during image capture can result in “severe artifacts” that could obscure a tumor, or cause a subtle alteration or blurring of features, making diagnostic interpretation more difficult. Providers need to be acutely aware of the technology’s limitations and applicability to their patients before using it for imaging, the authors said.

Wi-Fi dropouts and dead zones (#10). Increasing numbers of medical devices depend on facilities’ wireless networks, to the extent that reliable connectivity needs to be viewed as a patient consideration, the authors said. Wireless communication has become essential for tasks such as transmitting clinical alarms to nurses’ phones, accessing electronic health records and updating drug libraries on infusion pumps. Wireless failures can interrupt workflow, thus delaying patient care, and can cause serious injury or death if critical alerts aren’t received, the authors said. Risks can be reduced by actively maintaining Wi-Fi systems, thoughtfully allocating bandwidth and monitoring networks on an ongoing basis, they said.

The other technology hazards rounding out the 2022 list were:

  • Supply chain shortfalls
  • Inadequate emergency stockpiles
  • Failure to adhere to syringe pump best practices
  • Poor duodenoscope reprocessing ergonomics and workflows
  • Disposable gowns with insufficient barrier protection

The full report is available to ECRI members, but journalists can download an executive brief summarizing the main highlights.
