Returning to Patient Safety Concerns Based on ECRI Top 10 Lists
I wasn’t sure about bringing this ECRI topic up, but in some ways we should all be thinking about how to maintain security of our various online devices. The implications of breaches of your own computers can be devastating to you personally, but in the case of healthcare breaches, the impacts can be life threatening. The fact that ECRI ranked medical error and delay in care resulting from cybersecurity breaches as fourth on its list of the top patient safety concerns for 2025 reflects the potential for these breaches to cause patients to “experience poor outcomes from delays in tests and procedures, longer lengths of stay, more complications from medical procedures, and higher mortality rates.”
In a survey of healthcare cybersecurity professionals, 88% reported that their organizations experienced cyberattacks in the past year, with an average of 40 attacks per organization. Successful breaches can cost organizations millions of dollars.
Why Target Healthcare?
Healthcare organizations are vulnerable because they sit at an intersection of highly sensitive personal data, life-critical operational systems, and underfunded IT infrastructure. Maintenance of security systems is costly, and healthcare organizations may not see themselves as targets. However, if a ransomware attack locks down an electronic health record (EHR) system, the consequences can be immediate and widespread — clinicians lose access to medication histories, lab results, allergy records, and imaging. Orders cannot be placed or verified digitally, forcing staff to revert to paper-based workarounds they rarely practice. Cybersecurity breaches in healthcare can lead to critical delays in care delivery and compromise sensitive patient information, while patients may also experience longer lengths of stay, delays in needed procedures and tests, more complications from medical procedures, more transfers, and higher mortality rates.
The threat landscape is not just ransomware. Phishing attacks, third-party vendor compromises, and vulnerabilities in networked medical devices are all attack vectors. When systems go offline — even temporarily — the margin for human error in medication administration, test ordering and results, surgical scheduling, and emergency triage expands dramatically.
Mitigation Steps for Hospitals and Physicians
Hospitals must treat cybersecurity as a patient safety issue — not just an IT problem. Institutions must invest in advanced cybersecurity measures, conduct regular vulnerability assessments, and train staff to recognize and respond to cyber threats. Effective incident response plans and continuous monitoring can further limit the impact of a breach when one does occur. Concretely, this means:
- Regular Risk Assessments. ECRI has advised healthcare providers to regularly assess cybersecurity risks and their adherence to best practices. This should include penetration testing and evaluation of medical devices connected to the network.
- Network Segmentation. Isolating clinical systems, administrative systems, and medical devices from one another limits the blast radius of any breach.
- Multi-factor Authentication (MFA). Requiring MFA for all access to EHRs, email, and administrative portals significantly reduces the risk of credential-based attacks. More and more consumer systems offer this at sign-in; you should use it!
- Offline and Encrypted Backups. Maintaining immutable, air-gapped backups of patient data ensures that a ransomware attack does not result in permanent data loss or indefinite downtime (I totally don’t know what this means, but it sounds very cool).
- Incident Response Drills. Hospitals should regularly rehearse downtime procedures — the manual, paper-based workflows that must be activated when digital systems fail. Staff who practice these drills are far less likely to make errors under real downtime conditions.
- Vendor and Supply Chain Audits. Third-party vendors with network access must be vetted and held to the same cybersecurity standards as internal systems. The Change Healthcare breach demonstrated how a single vendor compromise can ripple across thousands of facilities.
Physician and Clinical Staff Responsibilities
- All employees of healthcare systems should be trained to recognize phishing emails and social engineering attempts, which remain the most common initial attack vectors. Many healthcare systems routinely send out simulated phishing emails to identify staff who fall for them and train them to better recognize email scams.
- Clinicians must follow strong password hygiene, log out of systems when not in use, and avoid accessing patient records on unsecured public Wi-Fi networks.
- Physicians should report suspicious system behavior immediately to IT — early detection is one of the most powerful tools for limiting damage.
These first three bullets are good practices for everyone – not just hospital personnel. Everyone should be aware of scams that come in the form of emails, texts, and instant messaging.
- Hospital staff also need to be trained in and practice downtime procedures so they can respond quickly if needed. During these declared cyber downtime events, physicians should apply extra caution in verifying patient identities, medication orders, and allergies through manual processes, never assuming prior digital records are correct or available.
Steps Patients and Families Can Take to Protect Themselves
While much of the burden of cybersecurity falls on healthcare institutions, patients are not just passive actors. Here is what individuals and families can do:
Protect Your Health Data at the Source
- Use strong, unique passwords for all patient portal accounts that you might have (e.g., MyChart). Enable multi-factor authentication wherever it is offered.
- Be cautious about what you share. Limit the personal and financial information stored in patient portals to what is strictly necessary for your care.
- Review your health records regularly. Log into patient portals periodically to check for any errors or unfamiliar entries — these can be signs that your data has been altered or accessed by an unauthorized party.
Be Prepared for System Downtime
- Keep a personal health summary. Maintain a current list of your medications (including doses), allergies, chronic conditions, recent diagnoses, and the names and contact information of your care team. In a cyberattack, providers may not be able to access your records electronically and this document could be life-saving. This is a good practice for everyone and not just for a crisis. If you get ill when you travel, it is often difficult to access your medical records, so having some critical information on hand is always helpful.
- Bring your medication bottles or a medication list to every appointment and hospital visit, especially in emergency situations, so staff can verify your regimen without relying on potentially inaccessible digital records.
- Know your medical history. Patients who can clearly communicate their own health history provide an important safety net when hospital systems are down.
Monitor for Signs of Data Breach
- If your healthcare provider notifies you of a breach, act quickly — place a fraud alert or credit freeze with the major credit bureaus, as stolen health data is often bundled with financial and Social Security information.
- Monitor your Explanation of Benefits (EOB) statements from your insurer for unfamiliar claims, which can indicate that someone is using your identity to fraudulently obtain medical services.
- Consider an identity protection service that monitors the dark web for your Social Security number and health insurance ID.
Advocate for Yourself During a Downtime Event
- A few last thoughts. If a hospital or clinic tells you they are experiencing a “system outage,” don’t hesitate to ask how it might affect your care. Ask staff how they are verifying your medications and allergies. If something feels wrong or you believe an error has been made, speak up — your voice is your last line of defense.
- This last point is always true. Anytime you or someone you love is in the hospital, it is important to stay aware, ask questions, and advocate for yourself or others.
