The Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) issued a report dated June 2021 on oversight by the Centers for Medicare and Medicaid (CMS) of hospitals' cybersecurity controls for networked medical devices. The OIG concluded that consistent oversight was lacking. CMS's survey protocols do not explicitly address cybersecurity, nor do the audit practices of the accreditation organizations (AOs). The OIG points out that hospitals have increasingly become targets of ransomware attacks. While most such attacks have affected electronic health record (EHR) systems, there was a ransomware attack in 2017 that infected radiology equipment. Because many radiology, laboratory and other systems connect to the EHR, malicious code introduced into networked devices can affect the entire EHR system.
Direct responsibility for hospital surveys rests with the AOs as well as the state survey agencies (typically, the state department of health). State survey agencies follow guidelines in CMS's State Operations Manual, including Appendix A applicable to hospital surveys, which includes the Medicare Conditions of Participation (CoPs) for hospitals and the Interpretive Guidelines, which provide more detailed instructions on application of the CoPs. The AOs establish their own audit guidelines, which are required to be at least as stringent as those contained in the State Operations Manual.
The OIG report notes that while the CoPs are silent regarding cybersecurity, there are several CoPs which are potentially relevant to cybersecurity precautions. These include: (1) physical environment, Section 482.41, which requires hospitals to maintain facilities and equipment to ensure an acceptable level of safety and quality; (2) emergency preparedness, Section 482.15, which requires planning for disasters and emergencies; (3) patient rights, Section 482.13, which requires protection of the confidentiality of patient records; (4) medical records, Section 482.24, which requires hospitals to prevent unauthorized access to medical records; and (5) federal, state and local laws, Section 482.11, requiring compliance with applicable federal, state and local laws. OIG interviewed representatives of the AOs regarding their audit practices, and found that the AOs do not require hospitals to have a plan for networked device cybersecurity, although they may review limited aspects of cybersecurity, especially regarding equipment maintenance. Also, with respect to emergency preparedness, three AOs (the Joint Commission, the Healthcare Facilities Accreditation Program [HFAP] and DNV) require that hospitals consider cybersecurity when conducting risk assessments. The Joint Commission survey protocol also prompts surveyors to ask about a hospital's risk awareness, detection and response to cyber emergencies.
The OIG stated that neither CMS nor the AOs currently have plans to update survey requirements to address networked device cybersecurity. CMS plans to revise the Interpretive Guidelines for the emergency preparedness and physical environment CoPs, but does not plan to address cybersecurity in these revisions. OIG recommended that CMS reconsider this. The OIG report contains several suggestions for adding nonbinding guidance in the Interpretive Guidelines to highlight cybersecurity risks, and suggests that CMS work with partners inside and outside HHS to access additional expertise.