Report Lists “Security Hacking” as Top Threat to Medical Patients

The Pennsylvania-based research organization recently published 50 cybersecurity alerts or related problems recorded over a period of 18 months, with the number of such events representing a dramatic increase noted during the previous period. According to David Jamison, the executive director of the ECRI Health Devices Program, the consequences of cyber attacks could be dire, including the physical harm or even death of patients. The ECRI report noted that after gaining access to medical transcription systems, hackers can fraudulently obtain personal records and, through the use of so-called ransomware software, can even threaten to publicly release the information.

Remote systems are designed to be readily accessible to allow for easy review by those seeking medical information for legitimate reasons. However, this accessibility also makes them good targets for hackers. It was recommended in the report that health care organizations monitor and take steps to protect such systems. Improved security can be accomplished in various ways, including the enforcement of password policies, the constant monitoring of access activity and the proper maintenance of the systems themselves.

In a survey conducted by the professional services firm Marsh & McLennan, approximately half of the healthcare executives who were asked, reported implementing multifactor authentication methods for the purpose of protecting private networks. With regard to the threat posed by SamSam ransomware, the U.S. Department of Health and Human Services (HHS) had previously issued a warning that attackers using the software were breaking into network systems and exploiting open remote desktop protocol connections. In dealing with this problem, the HHS made several safety recommendations, including the placement of restrictions on who can remotely access computerized systems.

Other risks to patients appearing in the ECRI report included the contamination of mattresses with bodily fluids, the retaining of medical sponges in patients after surgical procedures, patient infections caused by the improper use of endoscopes and injuries caused by overhead patient lift systems. However, the hacking of medical transcription information was one of few threats that did not involve direct contact with the patients themselves.