HHS OIG: Medicare Should Require Hospital Device Security
CMS Says It's Considering New Cybersecurity Requirements
The Centers for Medicare and Medicaid Services is considering new cybersecurity requirements for hospitals participating in Medicare after a watchdog agency recommended CMS should require the facilities to address the cybersecurity of their networked medical devices.
CMS does not require accreditation organizations that review most acute care hospitals for participation in Medicare to ask them about the methods they use to secure network devices from cyberattacks, the Department of Health and Human Services' Office of Inspector General says in a June report.
"As hospitals continue to be targeted in cyberattacks that risk patient harm, it is important to know whether and how AOs [accreditation organizations] evaluate and hold hospitals accountable for cybersecurity of their devices," HHS OIG writes. "CMS's survey protocol for overseeing hospitals is silent with respect to the cybersecurity of these devices."
Lack of Standards
Accreditation organizations told HHS OIG during its study that they base their hospital requirements on CMS' 23 "conditions of participation" in Medicare, and look to CMS for guidance about how to assess hospital compliance, the report notes.
But because CMS guidance on assessing hospitals' compliance does not address medical device cybersecurity, "the AOs do not require hospitals to have a plan for networked device cybersecurity," HHS OIG writes.
Accreditation organizations "sometimes review limited aspects of networked device cybersecurity under certain circumstances," HHS OIG notes. "AOs told us that in practice, however, hospitals did not identify device cybersecurity in these risk assessments very often."
Assessing hospital safeguards for the privacy of medical records may prompt AOs to examine networked devices, HHS OIG notes.
"Without a consistent requirement across AOs to review networked devices for cybersecurity, such reviews are likely to happen only under certain circumstances. … Such a requirement would allow the AOs to consistently and routinely review hospitals’ cybersecurity protections for their networked devices."
OIG Recommendation
HHS OIG recommends that CMS "identify and implement an appropriate way to address cybersecurity of networked medical devices in its quality oversight of hospitals, in consultation with HHS partners and others."
In response, CMS said it's considering "additional ways to appropriately highlight the importance of cybersecurity of networked medical devices for providers in consultation with its HHS partners that have specific oversight authority regarding cybersecurity," the watchdog agency says.
CMS did not immediately respond to Information Security Media Group's request for comment.
Leap Forward
Requiring that hospitals address the cybersecurity of connected medical devices as part of their Medicare-accreditation review would be "an outstanding step forward," says former healthcare CISO Mark Johnson, who now leads the healthcare security practice at the consultancy LBMC Information Security.
"HHS OIG has been instrumental in the past maintaining forward momentum addressing industry cybersecurity concerns. I am very hopeful that these recommendations will be that same catalyst on medical device security concerns," he says.
"If CMS implements these recommendations with reasonable requirements, allows for flexibility in achieving the goal of securing these devices, then I think these recommendations will have a broader impact than just on Medicare accredited organizations."
Longstanding Problems
The HHS OIG report notes that about 85 percent of Medicare hospitals are reviewed on site every three years by Medicare accreditation organizations; state agencies conduct similar three-year reviews of the rest.
But when state agencies conduct surveys, HHS OIG notes, "they follow CMS’s survey protocol, which does not specifically require hospitals to have any cybersecurity protections for their networked devices."
"In 2017, CMS sent a memo to state survey agency directors that encouraged - but did not require - providers to consider cybersecurity as an element in the development of their emergency plans," the report says.
"The issue of insecure, network-enabled medical device security has been a concern for several years," Johnson says.
"Cybersecurity is not now, nor has it been for a very long time, the responsibility of just IT or some cyber professionals," he says. "Cybersecurity is everyone's responsibility. These recommendations show yet another potential negative impact - i.e. of possibly negatively affecting your CMS accreditation - of not taking that responsibility seriously."
Challenging Issues
Keith Fricke, principal consultant at tw-Security, says the degree to which hospitals pay attention to medical device cybersecurity "varies in range the same as the degree to which patching and vulnerability management varies - some are very disciplined about it and others not so much."
Managing medical device security is challenging, Fricke says, because hospitals may have thousands of networked devices.
"IT departments can manage the delivery of security patches to computer workstations and servers through automation, but most medical devices require manual interaction to upgrade their software with security fixes," he says. "Also, hospitals tend to retire or replace medical devices after about 10 years of service. These older models may not be capable of being secured against emerging and current threats."
HHS' Food and Drug Administration has for several years published pre-market and post-market cybersecurity guidance for medical device manufacturers, Fricke notes. But compliance is voluntary.
Later this year, the FDA plans to release an updated draft of premarket medical device cybersecurity guidance.
Wish List
Fricke says that if CMS were to make medical device cybersecurity part of Medicare-accreditation reviews, its requirements should include: "maintaining an inventory of devices; enabling password protection where applicable; ensuring that critical patches are applied in a timely manner and routine patches and upgrades are applied on a schedule; hardening the operating system against attack; segmenting medical devices on isolated and protected networks; properly securing remote access of vendors providing support; and encrypting data at rest on the devices and in transit."
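The controls in the list above are the kind of thing an accreditation reviewer or a hospital's own security team would want to check against a device register rather than by interview. The script below, an added illustration that is not tooling from CMS, HHS OIG, the FDA or tw-Security, scores a constructed device inventory against each listed control (inventory coverage, password protection where the device supports it, critical and routine patch timeliness, OS hardening, network segmentation, vendor remote access, and encryption at rest and in transit). The device records, the segment and remote-access names, and the 30-day and 180-day patch deadlines are assumptions chosen for the example; the article sets no such thresholds.

```python
"""Evaluate a hospital networked-device inventory against the controls named
in the wish list above. This is an added illustration, not tooling from CMS,
HHS OIG, the FDA or tw-Security; the records, segment names and patch
deadlines below are constructed assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Assumed policy thresholds (the article does not specify any).
CRITICAL_PATCH_SLA_DAYS = 30    # "critical patches applied in a timely manner"
ROUTINE_PATCH_SLA_DAYS = 180    # "routine patches and upgrades on a schedule"
ISOLATED_SEGMENTS = {"medical-vlan"}                  # assumed protected device networks
ACCEPTABLE_VENDOR_ACCESS = {"none", "mfa-jump-host"}  # assumed remote-access models


@dataclass
class Device:
    device_id: str
    model: str
    network_segment: str
    password_capable: bool                 # some legacy devices cannot set one
    password_enabled: bool
    critical_fix_released: Optional[date]  # None = no critical fix outstanding
    critical_fix_applied: bool
    last_routine_update: Optional[date]
    os_hardened: bool                      # baseline applied, unused services off
    vendor_remote_access: str              # "none", "mfa-jump-host" or "direct"
    encrypts_at_rest: bool
    encrypts_in_transit: bool


def assess_device(dev: Device, today: date) -> List[str]:
    """Return the controls this device fails; an empty list means all pass."""
    findings: List[str] = []
    if dev.password_capable and not dev.password_enabled:
        findings.append("password-protection-disabled")
    if dev.critical_fix_released and not dev.critical_fix_applied:
        if (today - dev.critical_fix_released).days > CRITICAL_PATCH_SLA_DAYS:
            findings.append("critical-patch-overdue")
    if dev.last_routine_update is None or \
            (today - dev.last_routine_update).days > ROUTINE_PATCH_SLA_DAYS:
        findings.append("routine-patching-off-schedule")
    if not dev.os_hardened:
        findings.append("os-not-hardened")
    if dev.network_segment not in ISOLATED_SEGMENTS:
        findings.append("not-on-isolated-segment")
    if dev.vendor_remote_access not in ACCEPTABLE_VENDOR_ACCESS:
        findings.append("vendor-remote-access-unrestricted")
    if not dev.encrypts_at_rest:
        findings.append("no-encryption-at-rest")
    if not dev.encrypts_in_transit:
        findings.append("no-encryption-in-transit")
    return findings


def assess_inventory(inventory: List[Device], today: date) -> Dict[str, List[str]]:
    """Map each device id to the list of controls it fails."""
    return {d.device_id: assess_device(d, today) for d in inventory}


def find_uninventoried(inventory: List[Device], observed_ids: Set[str]) -> Set[str]:
    """Inventory control: ids seen on the network but absent from the register."""
    return observed_ids - {d.device_id for d in inventory}


# Constructed sample inventory and a constructed network-scan result (not real devices).
SAMPLE_INVENTORY = [
    Device("pump-001", "infusion pump", "medical-vlan", True, True,
           date(2024, 2, 20), True, date(2024, 1, 15), True, "mfa-jump-host", True, True),
    Device("xray-007", "legacy imaging workstation", "corp-flat", False, False,
           date(2024, 1, 10), False, date(2023, 11, 1), False, "direct", False, False),
    Device("mon-042", "patient monitor", "medical-vlan", True, False,
           None, False, date(2023, 6, 1), True, "none", True, True),
]
SAMPLE_OBSERVED = {"pump-001", "xray-007", "mon-042", "unknown-9"}
ASSESSMENT_DATE = date(2024, 3, 1)


if __name__ == "__main__":
    for device_id, gaps in assess_inventory(SAMPLE_INVENTORY, ASSESSMENT_DATE).items():
        print(device_id, "OK" if not gaps else ", ".join(gaps))
    print("not in inventory:", sorted(find_uninventoried(SAMPLE_INVENTORY, SAMPLE_OBSERVED)))
```

Two design points follow the quote itself: password protection is only flagged "where applicable", so a device that cannot set a password is not penalised for that control (its age is then visible through the other findings), and the inventory control is checked from the outside in, by comparing what was actually seen on the network against the register, because a register that is missing devices is the gap a reviewer would most want surfaced.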