CMS Oversight of Hospital Management of Networked Medical Device Security Through the Medicare Conditions of Participation
Networked medical devices are common and include infusion pumps, pacemakers, and diagnostic imaging equipment. These devices can be used to deliver care, transfer patient data, and/or remotely monitor patients. However, if hospitals do not have proper cybersecurity controls in place, the devices could be compromised, which could lead to adverse outcomes, such as loss of device functionality and patient harm. The Centers for Medicare & Medicaid Services' (CMS's) protocol for assessing hospitals' compliance with the Conditions of Participation (CoP) does not explicitly address cybersecurity practices for networked medical devices. It is unclear whether the survey protocols of accreditation organizations (AOs), which must meet or exceed those of CMS, evaluate cybersecurity when they review hospitals' compliance with the CoP. We will determine if any of the AOs address cybersecurity of networked medical devices when they assess compliance with accreditation requirements. For those that do, we will describe how they have done so and their experiences with hospitals. We will also identify any changes to their survey protocols that CMS or AOs are considering to address cybersecurity of networked medical devices.
| Announced or Revised | Agency | Title | Component | Report Number(s) | Expected Issue Date (FY) |
|---|---|---|---|---|---|
| Completed | Centers for Medicare and Medicaid Services | CMS Oversight of Hospital Management of Networked Medical Device Security Through the Medicare Conditions of Participation | Office of Evaluation and Inspections | OEI-01-20-00220 | 2021 |