OIG report says Medicare lacks consistent oversight of cybersecurity for networked medical devices in hospitals
The Centers for Medicare & Medicaid Services (CMS) survey protocol for overseeing hospitals is silent on the cybersecurity of networked medical devices (i.e., devices designed to connect to the internet, hospital networks and other medical devices), according to a report announced by the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS).
This evaluation sheds new light on the extent to which Medicare accreditation organizations (AOs) use their discretion to address cybersecurity of networked devices during hospital surveys. As hospitals continue to be targeted in cyberattacks that risk patient harm, it is important to know whether and how AOs evaluate and hold hospitals accountable for cybersecurity of their devices.
CMS's survey protocol does not include requirements for networked device cybersecurity, and the AOs do not use their discretion to require hospitals to have such cybersecurity plans. However, AOs sometimes review limited aspects of device cybersecurity. For example, two AOs have equipment-maintenance requirements that may yield limited insight into device cybersecurity. If hospitals identify networked device cybersecurity as part of their emergency preparedness risk assessments, AOs will review the hospitals' mitigation plans. AOs told OIG that in practice, however, hospitals did not identify device cybersecurity in these risk assessments very often.
Assessing hospital safeguards for the privacy of medical records may prompt AOs to examine networked devices. Finally, CMS and the AOs do not plan to update their survey requirements to address networked devices or general cybersecurity.
As healthcare delivery becomes more reliant on technology, cyberattacks on hospitals are increasing. Yet CMS's requirements are silent on networked device cybersecurity as well as cybersecurity in general. As a result, Medicare lacks consistent oversight of networked device cybersecurity in hospitals.
Therefore, OIG recommends that CMS identify and implement an appropriate way to address the cybersecurity of networked medical devices in its quality oversight of hospitals, in consultation with HHS partners and others. CMS responded that it concurred with the recommendation and would consider additional ways to appropriately highlight the importance of networked medical device cybersecurity for providers, in consultation with its HHS partners that have specific oversight authority for cybersecurity.