OIG: Medicare lacks cybersecurity oversight for hospital-based networked medical devices

Hospital Safety Insider, July 1, 2021

By Scott Mace, Health Leaders Media

The U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) issued a report last week finding that the Centers for Medicare & Medicaid Services’ (CMS) survey protocol does not include requirements for networked device cybersecurity.

Further, the report stated that CMS' accreditation organizations (AOs) do not use the powers they possess to require hospitals to have such cybersecurity plans.

The OIG stated that hospitals that identify networked device cybersecurity as part of their emergency preparedness risk assessments can get their mitigation plans reviewed by AOs.

In practice, however, hospitals frequently fail to identify device cybersecurity in these risk assessments, the AOs told the OIG. Assessing hospital safeguards for the privacy of medical records may prompt AOs to examine networked devices.

The OIG also reported that CMS and the AOs do not plan to update their survey requirements to address networked devices or general cybersecurity.

“As hospitals continue to face cyberattacks that risk patient harm, it is important to know whether and how AOs hold hospitals accountable for cybersecurity of their devices,” the OIG stated in an issue brief on its report.

The OIG gathered findings for the report by conducting structured telephone interviews with leadership at the four AOs, and by sending written questions to CMS.

AOs derive their requirements from the Conditions of Participation and oversee most hospitals that participate in Medicare. The OIG says AOs rarely use their discretion to examine the cybersecurity of networked devices during their surveys of hospitals.

“We recommend that CMS identify and implement an appropriate way to address cybersecurity of networked medical devices in its quality oversight of hospitals in consultation with HHS partners and others,” the OIG stated.

CMS stated that it agreed to consider additional ways to appropriately highlight the importance of cybersecurity of networked medical devices for providers, in consultation with its HHS partners that have specific oversight authority regarding cybersecurity.

The report stated that one expert estimates that a large hospital may have around 85,000 medical devices connected to its network and capable of being connected to hospital EHR systems.

Scott Mace is a contributing writer for HealthLeaders. This story first ran on www.healthleadersmedia.com.