June 25, 2021
Health Law Weekly

CMS Should Improve Oversight of Cybersecurity for Networked Medical Devices in Hospitals, OIG Says

The Centers for Medicare & Medicaid Services (CMS) should do more to ensure hospitals are addressing cybersecurity of their networked medical devices, the Department of Health and Human Services Office of Inspector General (OIG) recommended in an issue brief posted June 23.

The report comes as hospitals saw an uptick in cyberattacks in 2020. Networked medical devices are connected to the internet, hospital networks, and other medical devices and include systems that archive and communicate patient diagnostic images, monitor patient activity, and communicate with laboratory information systems. Because they are connected to other hospital systems, “networked devices that lack proper cybersecurity may have vulnerabilities that could lead to adverse outcomes,” OIG said.

Despite the major threat that hackers can gain access to a hospital’s entire network through a networked device, which in a large organization may number in the tens of thousands, the Medicare Conditions of Participation (CoPs) do not include specific requirements for the cybersecurity of networked devices.

Medicare accreditation organizations (AOs) may use discretion to review device cybersecurity during hospital surveys, but OIG found they only did so to a limited extent and not as part of any standard procedure.

“To date, neither CMS nor AOs have plans to update their approaches to oversight of hospitals’ cybersecurity in general or of networked device cybersecurity specifically,” OIG said. According to CMS, hospitals are already required to maintain networked devices in a manner that ensures an acceptable level of safety and quality for patients pursuant to the physical-environment CoP.

However, OIG urged CMS to explicitly single out the cybersecurity of networked medical devices for oversight, for example by amending interpretive guidelines or other nonbinding guidance, or by adding, through rulemaking, standards to existing CoPs that specifically address cybersecurity.

The report is Medicare Lacks Consistent Oversight of Cybersecurity for Networked Medical Devices in Hospitals (OEI-01-20-00220).