OIG Survey Reveals Lack of Oversight of Cybersecurity of Networked Medical Devices in Hospitals
The HHS’ Office of Inspector General (OIG) has conducted a review to determine the extent to which the Centers for Medicare and Medicaid Services (CMS) and Medicare Accreditation Organizations (AOs) require hospitals to have implemented a cybersecurity plan for networked devices and the methods used to assess the cybersecurity of networked medical devices.
Cybersecurity controls are required to protect medical devices that are connected to the Internet, other medical devices, or internal hospital networks. Without those controls, the devices could be accessed by unauthorized individuals and patients could be at risk of harm. Networked medical devices include MRIs, computed tomography, ultrasound, nuclear medicine, and endoscopy systems, as well as systems that communicate with clinical laboratory analyzers such as laboratory information systems. OIG cited an estimate that a large hospital may have around 85,000 medical devices connected to its network.
These devices are usually separated from other systems, they may connect to the same network as the electronic health record (EHR) system. If cybersecurity controls are lacking, they could be vulnerable to an attack that could potentially impact critical healthcare systems. While there have not been any known cases of cyberattacks being conducted specifically to cause patients harm, patients may inadvertently be harmed as a result of an attack conducted for other reasons. In Germany in 2020, a patient died as a result of a ransomware attack. Without access to hospitals systems, the patient had to be rerouted to an alternative facility and died before treatment could be provided.
The CMS has minimum cybersecurity requirements for hospitals but relies on state survey agencies and Medicare accreditation organizations (AOs) to inspect Medicare-participating hospitals. Those surveys are conducted every 3 years. The Social Security Act requires AOs’ survey protocols to be equivalent to or more stringent than those of CMS.
For the study, OIG sent written interview questions to the CMS and conducted telephone interviews with 4 AOs. The study revealed the CMS survey protocol does not include requirements for networked medical device cybersecurity and AOs do not require hospitals to implement cybersecurity plans covering networked medical devices.
OIG found that AOs sometimes review certain aspects of device cybersecurity. The study revealed two AOs had equipment maintenance requirements, which may provide limited insights into medical device cybersecurity. If hospitals identified networked device cybersecurity in their emergency-preparedness risk assessments, AOs would review their mitigation plans; however, most hospitals did not identify device cybersecurity in the risk assessments very often. AOs may also examine networked devices when assessing hospital safeguards for medical record privacy. Nether the CMS nor the AOs had any plans to update their survey requirements in the future to cover networked devices or general cybersecurity.
OIG has recommended the CMS identify and implement a method of addressing the cybersecurity of networked medical devices in its quality oversight of hospitals, in consultation with HHS partners and others. CMS concurred with the recommendation and is considering additional ways to appropriately highlight the importance of cybersecurity of networked medical devices for providers.
OIG suggested several ways that the CMS could improve its oversight and assess medical device cybersecurity. For example, the CMS could use language stating it considers cybersecurity to be part of keeping devices in safe operating condition, highlight the risk that unsecured medical devices connected to the EHR could be a threat to protected health information, and could also remind hospitals to maintain compliance with HIPAA requirements, including the HIPAA Security Rule. The CMS could also instruct surveyors to ask hospitals if they considered cybersecurity of networked devices when they conducted their hazard vulnerability analyses.