ECRI Institute Publishes Guidance for Protecting Medical Devices from Ransomware Attacks | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

ECRI Institute Publishes Guidance for Protecting Medical Devices from Ransomware Attacks

May 26, 2017
by Heather Landi
| Reprints

The ECRI Institute has released a new guidance article, "Ransomware Attacks: How to Protect Your Medical Device Systems, with recommendations to help hospitals identify and protect against ransomware attacks.

Ransomware is a form of computer malware that holds systems hostage with a ransom demand. Medical systems are vulnerable to such attacks, which can damage hospital operations and compromise patient care by barring users from accessing critical functions and data.

“With the recent news of nationwide cyberattacks, we thought it was very important to make this information available to the public as quickly as possible," Juuso Leinonen, project officer, Health Devices Group, ECRI Institute, said in a statement. "Following these recommendations will allow hospitals to minimize impact to normal operations and mitigate the risk of a ransomware infection with your medical devices."

The report provides recommendations for adapting general cybersecurity principles to the particular requirements of medical device systems, including a list of immediate do's and don'ts for quickly responding to emerging threats.

Among the “dos” on the ECRI Institute’s list of recommendations are identifying networked medical devices/servers/workstations that are operating on a Windows OS and identifying whether connected medical devices/device servers have gotten the relevant Microsoft Windows OS MS17-010 security patch. The ECRI Institute notes that all unpatched Windows versions may be vulnerable to the WannaCry ransomware.

Healthcare organizations should also consider running a vulnerability scan in their medical device networks to identify affected medical devices and then contact device vendors if there are medical devices/servers that didn’t receive the security patch to determine the recommended action for dealing with current ransomware threats. “If your device is managed by a third party or independent service organization, request prompt installation of appropriate security patches and documentation to support risk mitigation,” the ECRI Institute wrote in the guidance.

Among the “don’ts” that the organization identified: “Don’t overreact.” The guidance authors further note, “Even with good software update practices, it's not unusual to find medical device systems running outdated OS software. Don't assume that the presence of outdated software on your systems is a threat in its own right. These systems should already be noted as exceptions in your facility's IT patch update policy, and risk mitigation measures should already be in place.”

At the end of 2016, ECRI Institute launched its Cybersecurity Gap Analysis service to help hospitals and health systems develop a program to protect their medical devices from being used against them in a cyberattack.

"Patching medical devices' software and routinely training staff members about phishing emails are just two aspects of a medical device cybersecurity program; there are many other issues that every hospital has to address," Robert Maliff, director, Applied Solutions Group, ECRI Institute, said.

Software management gaps putting patients and patient data at risk is No. 6 on ECRI Institute's annual Top 10 Health Technology Hazards list for 2017; Medical Device Cybersecurity was No. 2 on ECRI Institute's 2016 Top 10 Hospital C-Suite Watch List.


Get the latest information on Health IT and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More



Advocate Aurora Health, Foxconn Plan Employee Wellness, “Smart City,” and Precision Medicine Collaboration

Wisconsin-based Advocate Aurora Health is partnering with Foxconn Health Technology Business Group, a Taiwanese company, to develop new technology-driven healthcare services and tools.

Healthcare Data Breach Costs Remain Highest at $408 Per Record

The cost of a data breach for healthcare organizations continues to rise, from $380 per record last year to $408 per record this year, as the healthcare industry also continues to incur the highest cost for data breaches compared to any other industry, according to a new study from IBM Security and the Ponemon Institute.

Morris Leaves ONC to Lead VA Office of Electronic Health Record Modernization

Genevieve Morris, who has been detailed to the U.S. Department of Veterans Affairs (VA) from her position as the principal deputy national coordinator for the Department of Health and Human Services, will move over full time to lead the newly establishment VA Office of Electronic Health Record Modernization.

Cedars-Sinai Accelerator Program Presents Fourth Class of Startups

The Cedars-Sinai Accelerator, a program that helps entrepreneurs bring their innovative technology products to market, has brought in nine more health tech startups as part of its fourth class.

DirectTrust Adds Five Board Members

DirectTrust, a nonprofit organization that support health information exchange, announced the appointment of five new executives to its board of directors.

Analysis: Many States Continue to Have Restrictive Telemedicine Policies

State Medicaid programs are evolving to accelerate the adoption of telemedicine models, this evolution is occurring more quickly in some states than others, according to a recent analysis by Manatt Health.