
ECRI Institute Publishes Guidance for Protecting Medical Devices from Ransomware Attacks

May 26, 2017
by Heather Landi

The ECRI Institute has released a new guidance article, "Ransomware Attacks: How to Protect Your Medical Device Systems," with recommendations to help hospitals identify and protect against ransomware attacks.

Ransomware is a form of computer malware that holds systems hostage with a ransom demand. Medical systems are vulnerable to such attacks, which can damage hospital operations and compromise patient care by barring users from accessing critical functions and data.

“With the recent news of nationwide cyberattacks, we thought it was very important to make this information available to the public as quickly as possible," Juuso Leinonen, project officer, Health Devices Group, ECRI Institute, said in a statement. "Following these recommendations will allow hospitals to minimize impact to normal operations and mitigate the risk of a ransomware infection with your medical devices."

The report provides recommendations for adapting general cybersecurity principles to the particular requirements of medical device systems, including a list of immediate do's and don'ts for quickly responding to emerging threats.

Among the “dos” on the ECRI Institute’s list of recommendations are identifying networked medical devices/servers/workstations that are operating on a Windows OS and identifying whether connected medical devices/device servers have received the relevant Microsoft Windows OS MS17-010 security patch. The ECRI Institute notes that all unpatched Windows versions may be vulnerable to the WannaCry ransomware.

Healthcare organizations should also consider running a vulnerability scan in their medical device networks to identify affected medical devices and then contact device vendors if there are medical devices/servers that didn’t receive the security patch to determine the recommended action for dealing with current ransomware threats. “If your device is managed by a third party or independent service organization, request prompt installation of appropriate security patches and documentation to support risk mitigation,” the ECRI Institute wrote in the guidance.
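The do's above amount to a triage: inventory Windows-based devices, check each for the MS17-010 patch, and route unpatched devices to the vendor or the managing third party. The script below is an added example, not ECRI's or any vendor's code; it runs that triage over a constructed inventory export. The KB-to-OS table is a partial transcription of Microsoft's MS17-010 bulletin and is assumed to be completed for the OS builds actually present in a facility.

```python
"""Triage a medical-device inventory export for MS17-010 patch status."""
import csv
import io

# Partial MS17-010 KB map from Microsoft's bulletin (assumption: extend it
# with the entries for every Windows build found in the facility).
# Any one KB in a set satisfies the requirement for that OS.
MS17_010_KBS = {
    "Windows XP": {"KB4012598"},
    "Windows Server 2003": {"KB4012598"},
    "Windows 7": {"KB4012212", "KB4012215"},
    "Windows Server 2008 R2": {"KB4012212", "KB4012215"},
    "Windows 8.1": {"KB4012213", "KB4012216"},
    "Windows Server 2012 R2": {"KB4012213", "KB4012216"},
    "Windows 10 1607": {"KB4013429"},
}

# Constructed sample export (not real devices): hostname, OS, semicolon-
# separated installed hotfixes, and who manages the device.
SAMPLE_INVENTORY = """\
hostname,os,hotfixes,managed_by
infusion-srv-01,Windows Server 2008 R2,KB4012212;KB3212646,in-house
ct-console-02,Windows XP,,Vendor A
pacs-ws-03,Windows 7,KB4012215,in-house
lab-analyzer-04,Windows 10 1607,KB4013429,in-house
ultrasound-05,Windows 7,,Vendor B
monitor-gw-06,Linux,,in-house
"""


def triage(csv_text):
    """Map each hostname to the next action from the ECRI do's list."""
    actions = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        host, os_name = row["hostname"], row["os"]
        required = MS17_010_KBS.get(os_name)
        installed = set(filter(None, row["hotfixes"].split(";")))
        if os_name.startswith("Windows") and required is None:
            actions[host] = "unknown Windows build: look up its MS17-010 KB"
        elif required is None:
            actions[host] = "not Windows: outside MS17-010 scope"
        elif installed & required:
            actions[host] = "patched"
        elif row["managed_by"].lower() != "in-house":
            actions[host] = f"unpatched: request patch from {row['managed_by']}"
        else:
            actions[host] = "unpatched: contact device vendor for recommended action"
    return actions
```

Devices reported as patched still belong in the facility's exception tracking if their OS is otherwise out of support, which is the point of the "don't overreact" guidance quoted further down.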

Among the “don’ts” that the organization identified: “Don’t overreact.” The guidance authors further note, “Even with good software update practices, it's not unusual to find medical device systems running outdated OS software. Don't assume that the presence of outdated software on your systems is a threat in its own right. These systems should already be noted as exceptions in your facility's IT patch update policy, and risk mitigation measures should already be in place.”

At the end of 2016, ECRI Institute launched its Cybersecurity Gap Analysis service to help hospitals and health systems develop a program to protect their medical devices from being used against them in a cyberattack.

"Patching medical devices' software and routinely training staff members about phishing emails are just two aspects of a medical device cybersecurity program; there are many other issues that every hospital has to address," Robert Maliff, director, Applied Solutions Group, ECRI Institute, said.

Software management gaps putting patients and patient data at risk is No. 6 on ECRI Institute's annual Top 10 Health Technology Hazards list for 2017; Medical Device Cybersecurity was No. 2 on ECRI Institute's 2016 Top 10 Hospital C-Suite Watch List.
