Part One: ECRI Tech Hazards 2019

This member-only article appears in the January issue of Patient Safety Monitor Journal.

The ECRI Institute published its annual list of the top 10 health technology hazards facing healthcare in 2019. Longtime readers will recognize several hazards from ECRI’s 2018 and 2017 lists, such as cybersecurity and mattresses oozing body fluids.
But we have some new additions to this year’s list, including retained surgical items and patient lift systems. PSMJ spoke to several experts on the top 10 issues and about steps that can be taken to prevent them to guide readers in the upcoming year.
This article contains hazards one through five. The remaining hazards will appear in upcoming editions of PSMJ.
1. Cybersecurity and hacking
Summary: In its latest update on this problem, ECRI pointed to the vulnerability of remote access points: connections to hospital devices and systems that are off-site. These points are often missed in regular security maintenance, leaving them exposed.
In a healthcare environment, a malware attack can cause procedures to be canceled, damage equipment and systems, expose or corrupt sensitive data, and force closures of entire care units. Ultimately, they can compromise or delay patient care, leading to patient harm.
“Malware is a term that refers to a category of software that can compromise the security and privacy of a computer system,” says Frank Ruelas, MBA, principal of HIPAA College in Casa Grande, Arizona. “Ransomware is unique to other malware in that when it infects a computer or computer system, it encrypts files, which makes them unusable. Ransomware then displays a notice to the user that by paying a ransom, the user will then receive a key that will unencrypt the infected files.”
An increasingly common type of malware used against hospitals is called ransomware. In 2017 the WannaCry and NotPetya ransomware attacks struck hospitals worldwide, disrupting medical services to tens of thousands.
Solution: “Dealing with ransomware is a classic example of the saying, ‘An ounce of prevention is worth a pound of cure,’ ” Ruelas says. “An organization’s best line of defense regarding ransomware [and other malware] includes efforts to train users on how to identify emails that may present a malware attack.”
“Often these emails have telltale signs such as poor grammar, typing errors, generic greetings, and are received by unknown senders of an email. Having an effective training and awareness campaign to alert users on how to identify an email that may contain one or more of these telltale signs and on what to do when they encounter one of these emails may be one of the best ways to prevent a ransomware attack.”
“Should a ransomware attack infect a computer system, information technology (IT) staff should have an established and tested (through drills or other simulations) process on how to shut down the computer system and restore it from available backup copies. The key is to plan what to do in the event of a ransomware attack before it happens rather than trying to scramble and figure out what to do after a system is infected.”
Resources:
NotPetya and ransomware: Six steps to help you beat hackers
The impact of cybersecurity on patient safety
Phishing with staff: Using fear to teach cybersecurity
HHS update: International cyber threat to healthcare organizations
AHA: Cybersecurity advisory page
FBI ransomware prevention and response for CISOs

2. Mattresses and covers oozing body fluids and contaminants
Summary: “This is a really simple risk from a concept standpoint,” says Steven A. MacArthur, senior consultant with The Greeley Company in Danvers, Massachusetts, and the author of the blog “Mac’s Safety Space” for HCPro. “Mattresses and covers are ostensibly designed to be impervious to moisture intrusion/infiltration. I suspect that not all mattresses and covers are created equally in this regard, but I’ve been out of the mattress cleaning business for a while now.”
“But the moment that impervious barrier is breached/compromised, then ‘stuff’ can get in. The fact of the matter is that mattresses are not inexpensive and they are bulky to store, so organizations tend to have minimal backup,” MacArthur says. “I have certainly witnessed ‘oozing’ of mattresses with non-intact surfaces in the past, so the ‘reports’ noted in the ECRI report are not unfamiliar to me.”
Solution: To safeguard against this, says ECRI, you need to talk with the makers of the mattress covers to find out the best cleaning materials and procedures for their products. Hospitals should also regularly inspect mattresses and covers for signs of contamination or damage.
“To be honest, in looking at the recommendations, I’m not quite sure how extensively mattress covers are used,” says MacArthur. “Though I suppose if the cover is a way to forgo replacing an entire mattress, that kind of makes sense. But once a mattress’ surface is breached, it’s really a crapshoot to go with a cover—there’s really no way to inspect the inside of the mattress to determine if there has been any contamination. You could just be sealing in an ugly mess.”
“I suppose the other piece of this is that mattresses are a pain in the keister to get rid of—do you dispose of them as regular waste, or do they need to be managed as contaminated? For the purposes of disposal, the whole definition of contamination via the Bloodborne Pathogens standard doesn’t necessarily apply because it is ultimately the call of whoever is managing your waste stream—and they tend to err on the side of caution.”
Resources:
FDA medical bed mattress safety communication
Clean patch mattress inspection protocol

This is an excerpt from a member-only article. To read the article in its entirety, please login or subscribe to Patient Safety Monitor Journal.