Given the increased emphasis on connectivity in the medical device industry, it's not too surprising that cybersecurity attacks has been identified as the top health technology hazard for 2022 by ECRI.

The Plymouth Meeting, PA-based independent, nonprofit patient safety organization just released its annual report of health technology hazards for the year. In the report, the organization warns that cybersecurity incidents can disrupt patient care, and thus pose a real threat of physical harm.

“The question is not whether a given facility will be attacked, but when,” said Marcus Schabacker, MD, PhD, president and CEO of ECRI. “Responding to these risks requires not only a robust security program to prevent attacks from reaching critical devices and systems, but also a plan for maintaining patient care when they do. ECRI’s new guidance can help leaders be better prepared to protect their facilities and keep patients safe.”

Healthcare providers today depend on network-connected medical devices and data systems to deliver safe and effective patient care. A cybersecurity incident that compromises those devices or systems could lead to the rescheduling of appointments and surgeries, the diversion of emergency vehicles, or the closure of care units or even whole organizations—all of which could put patients at risk, the organization noted.

During the past five years, ECRI's healthcare recall, hazards, and cyber alert notification service has included 173 medical device cybersecurity alerts; 13 of those have been cybersecurity-related FDA recalls. Affected devices and systems include MRI systems, physiologic monitors, infusion pumps, and lab analyzers.

Last year, for example, FDA alerted patients, providers, and medtech manufacturers that cybersecurity vulnerabilities reported by BlackBerry may affect certain medical devices. The company reportedly kept the software flaw secret for months.

“ECRI remains committed to building awareness about technology hazards to keep patients safe, especially for those technologies that may not have gotten the needed attention during the pandemic,” Schabacker said.

ECRI’s annual report, now in its 15th year, identifies health technology concerns that warrant attention by healthcare leaders. ECRI’s team of biomedical engineers, clinicians, and healthcare management experts follows a rigorous review process to select topics for the annual list, drawing insight from incident investigations, reporting databases, and independent medical device testing.

The full list of health tech hazards identified in ECRI's latest report is below.

Top 10 Health Technology Hazards for 2022

1. Cybersecurity attacks can disrupt healthcare delivery, impacting patient safety           

2. Supply chain shortfalls pose risks to patient care  

3. Damaged infusion pumps can cause medication errors     

4. Inadequate emergency stockpiles could disrupt patient care during a public health emergency        

5. Telehealth workflow and human factors shortcomings can cause poor outcomes  

6. Failure to adhere to syringe pump best practices can lead to dangerous medication delivery errors  

7. AI-based reconstruction can distort images, threatening diagnostic outcomes   

8. Poor duodenoscope reprocessing ergonomics and workflows put healthcare workers and patients at risk      

9. Disposable gowns with insufficient barrier protection put wearers at risk

10. Wi-Fi dropouts and dead zones can lead to patient care delays, injuries, and deaths

The full Top 10 Health Technology Hazards report, accessible to ECRI members, provides detailed steps that organizations can proactively take to prevent adverse incidents. An executive brief version is available for complimentary download at www.ecri.org/2022hazards.

On January 26, ECRI is presenting a top 10 health technology hazards lab webcast, Cybersecurity Incidents: A Threat to Patient Safety and Healthcare Delivery. Speakers include experts from the organization as well as national cybersecurity authorities, including Kevin Fu, acting director of medical device cybersecurity at FDA’s Center for Devices and Radiological Health and program director for cybersecurity, digital health center of excellence and Christian Dameff, MD, medical director of cybersecurity and assistant professor of emergency medicine, biomedical informatics, and computer science (affiliate) at the University of California San Diego. The webcast is free with advance registration.