CMS Lacks Consistent Oversight of Networked Device Cybersecurity in Hospitals

Richard P. Kusserow | July 2021

The OIG recommends that CMS address cybersecurity of networked medical devices in its quality oversight of hospitals.

Networked medical devices are those that are designed to connect to the internet, hospital networks, and other medical devices. Without proper cybersecurity controls, hospitals’ networked medical devices can be compromised, which can lead to patient harm. Cyberattacks on hospitals are also increasing as health care delivery becomes more reliant on technology. However, the Centers for Medicare &amp; Medicaid Services’ (CMS) survey protocol for overseeing hospitals does not include requirements for networked device cybersecurity.

The Department of Health and Human Services (HHS) Office of the Inspector General (OIG) therefore conducted a study to determine whether Medicare accreditation organizations (AOs) use their discretion to evaluate hospitals for cybersecurity of networked devices. The OIG used structured telephone interviews to inquire about the extent to which the AOs’ survey standards require hospitals to have cybersecurity plans for networked devices in place. The OIG also sent written questions to CMS and reviewed documentation of relevant AO survey standards and procedures.

The results of the study indicate that CMS’s survey protocol does not include requirements for networked device cybersecurity, and the AOs do not use their discretion to require hospitals to have related cybersecurity plans. The AOs do review limited aspects of device cybersecurity; for example, if a hospital identifies networked device cybersecurity as part of its emergency preparedness risk assessment, the AO will review the hospital’s mitigation plans. However, the AOs communicated that in practice, hospitals do not often identify device cybersecurity in these risk assessments.

The OIG recommended that CMS, in consultation with HHS and other partners, identify and implement an appropriate way to address cybersecurity of networked medical devices in its quality oversight of hospitals. CMS concurred with the recommendation to consider ways to highlight the importance of cybersecurity of networked medical devices for providers in consultation with HHS partners that have specific oversight authority related to cybersecurity.

For more information on this topic, please contact Richard Kusserow at [email protected].

About the Author

Richard P. Kusserow established Strategic Management Services, LLC, after retiring from being the DHHS Inspector General, and has assisted over 3,000 health care organizations and entities in developing, implementing and assessing compliance programs.