Medicare Lacks Consistent Oversight of Cybersecurity for Networked Medical Devices in Hospitals
WHY WE DID THIS STUDY
Without proper cybersecurity controls, hospitals' networked medical devices (i.e., devices designed to connect to the internet, hospital networks, and other medical devices) can be compromised, which can lead to patient harm. CMS's survey protocol for overseeing hospitals is silent with respect to the cybersecurity of these devices. This evaluation sheds new light on the extent to which Medicare accreditation organizations (AOs) use their discretion to address cybersecurity of networked devices during hospital surveys. As hospitals continue to be targeted in cyberattacks that risk patient harm, it is important to know whether and how AOs evaluate and hold hospitals accountable for cybersecurity of their devices.
HOW WE DID THIS STUDY
We conducted structured telephone interviews with leadership at the four AOs and sent written questions to CMS. We asked AOs about the extent to which their survey standards required hospitals to have a cybersecurity plan for networked devices as well as other ways in which their surveys might cover cybersecurity for networked devices. We also reviewed documentation of relevant survey standards and procedures from the AOs.
WHAT WE FOUND
CMS's survey protocol does not include requirements for networked device cybersecurity, and the AOs do not use their discretion to require hospitals to have such cybersecurity plans. However, AOs sometimes review limited aspects of device cybersecurity. For example, two AOs have equipment-maintenance requirements that may yield limited insight into device cybersecurity. If hospitals identify networked device cybersecurity as part of their emergency preparedness risk assessments, AOs will review the hospitals' mitigation plans. AOs told us that in practice, however, hospitals did not identify device cybersecurity in these risk assessments very often. Assessing hospital safeguards for the privacy of medical records may prompt AOs to examine networked devices. Finally, CMS and the AOs do not plan to update their survey requirements to address networked devices or general cybersecurity.
WHAT WE RECOMMEND
As health care delivery becomes more reliant on technology, cyberattacks on hospitals are increasing. Yet CMS's requirements are silent on networked device cybersecurity as well as cybersecurity in general. As a result, Medicare lacks consistent oversight of networked device cybersecurity in hospitals. Therefore, we recommend that CMS identify and implement an appropriate way to address cybersecurity of networked medical devices in its quality oversight of hospitals, in consultation with Department of Health and Human Services (HHS) partners and others. CMS stated that it concurred with considering additional ways to appropriately highlight the importance of cybersecurity of networked medical devices for providers in consultation with its HHS partners that have specific oversight authority regarding cybersecurity. We look forward to CMS's sharing, in its Final Management Decision, its plan for addressing cybersecurity of networked medical devices under its own authority for quality oversight of hospitals.