To determine how well Medicare accreditation organizations (AOs) “hold hospitals accountable for cybersecurity of their devices,” the U.S. Department of Health and Human Services Office of Inspector General (OIG) surveyed AOs and found that they rarely use the discretion afforded them to examine the cybersecurity of networked devices during their hospital surveys. As a result, Medicare lacks consistent oversight of networked device cybersecurity in hospitals, according to the OIG. This could leave healthcare organizations vulnerable to the mounting threat of cyberattacks.
This gap in oversight appears to largely be an issue of government protocol not keeping up with current technology. When conducting hospital surveys, AOs look to requirements from the Centers for Medicare & Medicaid’s (CMS’s) Conditions of Participation (CoPs) to determine what to look for. And the CoPs do not mention networked device cybersecurity or even cybersecurity in general.
AOs must meet requirements within the CoPs, but can also exceed them. So it would definitely be within their power to take it upon themselves to probe hospitals about cybersecurity. Those surveyed do sometimes review limited aspects of device cybersecurity; for example, to assess hospital safeguards for the privacy of medical records or as part of a review of a hospital’s mitigation plans that include networked device cybersecurity in its emergency preparedness risk assessments. But that is the exception and not the rule.
When asked why they did not use their discretion to more closely scrutinize hospitals’ device and network security, AOs indicated in the survey that they are not confident in their abilities to do so because it falls outside of their realm of expertise. Therefore, it appears AOs would benefit from specific guidelines that would help them determine whether a health organization’s cybersecurity can adequately protect against attacks.
Despite all this, CMS and the AOs do not plan to update their survey requirements to address networked devices or general cybersecurity—a stance the OIG disagrees with.
“The OIG recommends that CMS identify and implement an appropriate way to address cybersecurity of networked medical devices in its quality oversight of hospitals, in consultation with HHS partners and others.”
This could include expanding upon the CoPs already in place by adding specific survey questions related to cybersecurity, adding standards to existing CoPs, or even creating a new CoP specifically focused on cybersecurity.