OIG: Medicare Lacks Oversight of Cybersecurity for Medical Devices

A study from HHS’ Office of the Inspector General reveals that Medicare’s hospital survey protocol does not address the cybersecurity of networked medical devices.

By Jill McKeon

Medicare accreditation organizations (AOs) rarely use their discretion to assess the cybersecurity of networked medical devices through their regular hospital surveys, according to a study conducted by HHS’ Office of the Inspector General (OIG).

Without adequate cybersecurity, networked medical devices can be hacked and cause harm to patients. The growing number of cyberattacks in the healthcare sector poses a real threat, which is why it is crucial that AOs increase accountability and monitor medical device cybersecurity, according to OIG.

Networked medical devices include systems that connect to the internet and hospital networks, including electrocardiographic, laboratory information, magnetic resonance, ultrasound, and endoscopy systems. These devices often connect to a hospital’s EHR system, meaning they are another entry point for hackers to get access to valuable health data.

OIG sent written interview questions to CMS and conducted telephone interviews with the four AOs to determine the nature of their hospital survey protocols. Researchers found that CMS’ survey protocol does not include any explicit requirements for networked medical device cybersecurity, although it does encourage providers to consider cybersecurity while creating emergency plans.

CMS relies on onsite surveys conducted once every three years by AOs and state survey agencies to confirm compliance. The Social Security Act requires AOs to have survey standards that are at least equivalent to CMS’ standards.

While AOs typically do not require hospitals to have cybersecurity plans regarding networked medical devices, they do occasionally review certain elements of device cybersecurity.

“For example, two AOs have equipment-maintenance requirements that may yield limited insight into device cybersecurity. If hospitals identify networked device cybersecurity as part of their emergency-preparedness risk assessments, AOs will review the mitigation plans,” the study stated.

“AOs told us that in practice, however, hospitals did not identify device cybersecurity in these risk assessments very often. Assessing hospital safeguards for the privacy of medical records may prompt AOs to examine networked devices.”

As of now, neither CMS nor any of the four AOs has plans to update its survey protocols to address cybersecurity. OIG recommends that CMS implement a cybersecurity protocol as part of its hospital quality oversight.

Two of the four AOs do have requirements for equipment maintenance, which could lead to cybersecurity insights. Three of the four require hospitals to consider cybersecurity in some capacity when conducting risk planning.

Hospitals may include networked device cybersecurity as part of their risk assessments, but AOs reported that hospitals typically do not include device cybersecurity in their all-hazards emergency-preparedness planning.

Protecting networked medical devices could be as simple as applying the hospital’s broader cybersecurity frameworks. Network segmentation, regular software updates, and patching would provide additional security. In addition, OIG recommends that organizations follow existing guidelines from the National Institute of Standards and Technology (NIST) and the Health Information Trust Alliance (HITRUST).

OIG emphasized that it is “more important than ever that hospitals have a plan for securing their networked devices—which can number in the tens of thousands in a large organization—before those devices are compromised in a cyberattack.”

OIG called on CMS to improve survey protocols to reflect the legitimate risks that a lack of cybersecurity poses to healthcare organizations. CMS should warn hospitals of cybersecurity risks and encourage surveyors to ask hospitals if they have considered the cybersecurity of their networked medical devices.