OIG: Medicare Lacks Cybersecurity Oversight for Hospital-Based Networked Medical Devices

By Scott Mace

The U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) issued a report last week finding that the Centers for Medicare & Medicaid Services’ (CMS) survey protocol does not include requirements for networked device cybersecurity.

Further, the report stated that CMS' accreditation organizations (AOs) do not use the authority they already have to require hospitals to maintain such cybersecurity plans.

The OIG stated that hospitals that identify networked device cybersecurity as part of their emergency preparedness risk assessments can get their mitigation plans reviewed by AOs.

In practice, however, hospitals frequently fail to identify device cybersecurity in these risk assessments, the AOs told the OIG. Assessing hospital safeguards for the privacy of medical records may prompt AOs to examine networked devices.

The OIG also reported that CMS and the AOs do not plan to update their survey requirements to address networked devices or general cybersecurity.

“As hospitals continue to face cyberattacks that risk patient harm, it is important to know whether and how AOs hold hospitals accountable for cybersecurity of their devices,” the OIG stated in an issue brief on its report.

The OIG gathered findings for the report by conducting structured telephone interviews with leadership at the four AOs, and by sending written questions to CMS.

AOs derive their requirements from the Medicare Conditions of Participation and oversee most hospitals that participate in Medicare. The OIG says AOs rarely use their discretion to examine the cybersecurity of networked devices during their surveys of hospitals.

“We recommend that CMS identify and implement an appropriate way to address cybersecurity of networked medical devices in its quality oversight of hospitals in consultation with HHS partners and others,” the OIG stated.

CMS stated that it agreed to consider additional ways to appropriately highlight the importance of networked medical device cybersecurity for providers, in consultation with the HHS partners that hold specific oversight authority over cybersecurity.

The report stated that one expert estimates a large hospital may have around 85,000 medical devices connected to its network, many of which are capable of connecting to the hospital's EHR systems.

Scott Mace is a contributing writer for HealthLeaders.