- Cybersecurity incidents are the top safety concern for medical devices as cyberattacks on healthcare organizations continue to be a threat to the industry, according to ECRI's latest report on health technology risks.
- ECRI, a nonprofit that evaluates medical devices for safety and efficacy, based the list on problem reports the organization received and device tests. The watchdog group specifically focused on hazards that are preventable, noting that having a strong security plan can prevent patient care from becoming compromised.
- Other hazards on ECRI's list include supply chain shortfalls, damaged infusion pumps and inadequate emergency stockpiles of supplies and equipment.
Hospitals are a growing target for cybersecurity attacks, with several health systems facing high-profile ransomware attacks in the last year. According to a report by IBM Security, the number of cyberattacks against healthcare organizations doubled between 2020 and 2021.
Not only do these attacks disrupt patient care, but they can also affect hospitals' data systems and medical devices connected to a hospital network, according to ECRI's report, which was released on Tuesday.
The watchdog group focused more on the potential harm to patients in the midst of an attack, rather than the effects of a data breach. For instance, breaches could result in appointments or surgeries being rescheduled, emergency vehicles being diverted, or even entire care units being closed, ECRI noted.
At this point, healthcare organizations should anticipate attacks — it's just a matter of when. The good news is that the worst consequences of a cybersecurity incident can be prevented by having a robust security plan in place and a plan for maintaining patient care if an attack reaches critical devices or systems.
Both hospitals and device manufacturers have a shared responsibility to secure devices from potential attacks. But it gets complicated as devices get older, and the software they run on is no longer supported. The FDA is considering requirements for manufacturers to build in capabilities to update and patch their devices, but hasn't implemented them yet.
Here are the other risks highlighted in the ECRI report:
Supply chain shortfalls: Coming in second on the ECRI's list, supply chain challenges are particularly relevant as the latest surge in COVID-19 cases has snarled shipping and led to supply shortages. This has affected the availability of devices, which could hamper healthcare organizations' ability to treat patients and protect their staff. Device manufacturers often source their products from offshore manufacturers and maintain lean inventories. They also have contracts with a smaller number of manufacturers and distributors.
Damaged infusion pumps: Damaged infusion pumps can lead to dangerous problems with medication administration. ECRI said it continues to receive reports of damaged pumps being used for patient care. In several of these incidents, the infusion pump failed to regulate the flow of medication, leading to an over-infusion and harming patients. Pumps can be damaged from the usual wear and tear, improper cleaning, mishandling or poor device design. In addition, damaged pumps can be difficult to identify, and may not trigger an alarm.
Inadequate emergency stockpiles: Since the start of the COVID-19 pandemic, the importance of emergency stockpiles of medical supplies and equipment has become clear. Facing a shortage of equipment, hospitals have turned to products that are expired, intended for a different use, and needed products that were not included in the stockpile. Local and national emergency stockpiles fell short, and in some cases, included equipment that was unusable. During the initial surge of the pandemic, many healthcare providers had to use expired respirators and reuse masks.
Telehealth workflows: Telehealth programs were rapidly implemented during the pandemic, and in many cases, have stuck as a modality for patients to get care. However, because they were put together so quickly, many of these programs don't consider clinician workflows. Telehealth programs should be easy to use, and shouldn't overwhelm providers with large amounts of data that doesn't serve a clinical purpose, according to ECRI.
Failure to adhere to syringe pump best practices: Misconceptions about how to deliver low flows of drugs using syringe pumps can worsen patient care. When pumps are programmed at a low flow rate, there is a significant lag between when the infusion starts at the pump and the drug delivery to the patient. If a clinician perceives this delayed response from a patient as an inadequate dose, they may risk overinfusion of medications.
AI-based reconstruction: Artificial intelligence is increasingly used to reconstruct images from MRIs, CTs and other scans. While it can reconstruct images faster, it also comes with some limitations. For instance, tiny perturbations can obscure features, tumors and other notable information. In some cases, the use of AI reconstruction instead of standard algorithms can actually degrade image quality.
Poor duodenoscope reprocessing: In the past, the ECRI has highlighted problems with reusing duodenoscopes, which if not cleaned properly, can result in infection. A survey of healthcare workers last year said they faced time pressures, challenges with workplace ergonomics, and the use of duodenoscopes with fixed distal encaps, as challenges with cleaning and disinfecting these devices.
Disposable gowns with insufficient barrier protection: Manufacturing flaws and the wrong choice of gowns can lead to healthcare workers not being adequately protected. ECRI said labeling of gowns may not always be consistent, and manufacturing quality can vary. Roughly half of the disposable gowns the organization tested did not meet the required protection levels.
Wi-fi dropouts and dead zones: As more medical devices connect to a facility's Wi-Fi network, connectivity is increasingly important for patient care. For instance, the ability to transmit alarms to a nurse's phone, or access an electronic health record may depend on Wi-Fi. Wi-Fi outages or poor signals in parts of a facility could result in critical alerts not being received.