The Centers for Medicare & Medicaid Services’ protocol for assessing the cybersecurity of networked medical devices in hospital environments fails to impose required standards and lacks consistent oversight, according to a U.S. Department of Health and Human Services Office of the Inspector General report.
For its report, OIG defines networked devices as systems that obtain, archive, and communicate images; systems that monitor patient activity; and clinical laboratory information systems. On average, a large hospital employs at least 85,000 connected medical devices.
CMS relies on state agencies and Medicare accreditation organizations to inspect hospitals participating in Medicare, through onsite surveys that are performed every three years. States follow CMS’ survey protocol, which does not specifically require entities to employ cybersecurity protection for networked devices.
A 2017 agency letter to participating entities encouraged cybersecurity as part of development plans but did not require it. The CMS survey guidelines do include some cybersecurity requirements, but they are tied to protected health information and are not specific to medical devices.
Industry stakeholders and security researchers have long stressed the risk that vulnerable, connected medical devices pose to the overall health care enterprise network.
A lack of real-time data on inventories, connections, and device communications, combined with reliance on legacy platforms and slow patch management processes, has left many providers with the door open to attackers.
As the OIG notes, hospitals that fail to implement proper cybersecurity controls on medical devices connected to the hospital network, the internet, and other medical devices increase risks to patient safety.
To determine how CMS and Medicare accredited entities address networked device cybersecurity, and whether they use their own discretion to do so, OIG auditors conducted structured phone interviews with leadership at four accredited organizations. The interviews examined the extent to which survey standards require hospitals to implement a cybersecurity plan for networked devices, and what other means the surveys use to assess cybersecurity.
The agency also sent CMS written inquiries into its processes and reviewed documentation of relevant survey standards and procedures from the accredited organizations.
OIG found the CMS survey protocol for hospital oversight is silent on device security. These security gaps have spurred inconsistent oversight of networked device cybersecurity in hospitals.
“Accredited organizations’ requirements must meet or exceed those of the conditions of participation (CoPs), and the CoPs do not include any requirements for the cybersecurity of networked devices,” according to the report. “This means that CMS does not expect or require AOs to ask hospitals about the methods they use to secure networked devices from cyberattacks.”
“[The entities] told us they base their hospital requirements on the CoPs and look to CMS for guidance about how to assess hospital compliance with the requirements,” it added. “Therefore the entities do not require hospitals to have a plan for networked device cybersecurity.”
If CMS added the requirement to the CoPs, the accredited organizations would be able to consistently and routinely review the cybersecurity of hospitals’ networked devices.
OIG further noted that without a requirement, reviews of networked devices only occur under certain circumstances.
For example, one of the evaluated accredited organizations, The Joint Commission (TJC), does specifically prompt surveyors to ask about device cybersecurity, but only in response to certain topics that emerge during hospital staff interviews. As such, the standard procedures don’t ensure networked device cybersecurity is assessed.
Not only does the CMS protocol fail to include requirements for networked device security, but the accredited organizations don’t use their discretion to require hospitals to implement cybersecurity plans.
The entities do, however, review limited aspects of device cybersecurity.
“For example, two accredited organizations have equipment-maintenance requirements that may yield limited insight into device cybersecurity,” according to the report. “If hospitals identify networked device cybersecurity as part of their emergency preparedness risk assessments, accredited organizations will review the hospitals' mitigation plans.”
“[The entities] told us that in practice, however, hospitals did not identify device cybersecurity in these risk assessments very often,” the OIG auditors added. “Assessing hospital safeguards for the privacy of medical records may prompt AOs to examine networked devices.”
Lastly, OIG found that some accredited organizations felt devices could come under scrutiny during an assessment of a hospital’s safeguards for protecting medical records. These entities commonly focus on passwords, encryption, and access monitoring. But again, that review is not specific to medical devices.
Despite these gaps, OIG reported that CMS and the accredited organizations have no plan to update survey requirements to address networked devices or general cybersecurity. Some accredited organizations did note that they would add networked device cybersecurity as a requirement, but only if CMS added it to the CoPs.
For the entities, the challenge in assessing networked device cybersecurity lies in applying existing cybersecurity standards to health care settings.
“Although external cybersecurity frameworks exist, some [entities] expressed doubts as to their suitability for hospitals,” according to the report. “Another challenge was [the] capacity to assess hospitals’ cybersecurity practices. Because surveyors are not cybersecurity experts, AOs were concerned about their ability to assess the sufficiency of hospitals’ cybersecurity defenses.”
As cyberattacks continue to target the hospital environment, officials warned that it is critical for CMS to understand Medicare accredited organizations’ processes for device cybersecurity and to hold them accountable.
To reduce these risks, OIG provided CMS with several recommendations. CMS should identify and implement an appropriate way to address cybersecurity in networked medical devices as part of its quality oversight of hospitals, consulting with HHS and other industry stakeholders.
CMS concurred with the recommendation and is considering ways to highlight the importance of cybersecurity for networked devices as part of a collaboration with HHS partners that hold cybersecurity oversight authority.
OIG noted that CMS will share its final management decision plan around the critical issue in the near future.
For now, the burden of securing medical devices continues to fall on covered entities. As such, providers should review previous HHS voluntary cybersecurity guidance, which includes a section dedicated to medical device security.