The Office of Inspector General has found Medicare lacks consistent cybersecurity oversight of networked medical devices in hospitals. Without proper cybersecurity controls, these devices can be compromised with the potential for patient harm, according to OIG.
CMS' survey protocol is devoid of requirements for networked device cybersecurity. OIG's review revealed that Medicare accreditation organizations (AOs), which could use their discretion to assess cybersecurity during hospital surveys, rarely use that power.
The shortcomings in oversight led OIG to recommend that CMS work with HHS and others to address cybersecurity as part of its quality oversight of hospitals. CMS concurred with the need to consider ways to highlight cybersecurity, but OIG wants the agency to go further.
The OIG report's findings highlight potential cybersecurity vulnerabilities as ransomware attacks on hospitals have jumped during the COVID-19 pandemic. Networked medical devices, which connect to the internet, hospital networks and other devices, are particularly vulnerable to hackers, putting patients at risk.
The HHS watchdog noted that a large hospital might have about 85,000 medical devices connected to its network, providing a potential entry point for cybercriminals to access a health system's electronic health records and sensitive patient data.
"Although they are distinct from hospitals’ electronic health record (EHR) systems, these devices may connect to the same network as a hospital’s EHR system, and thus can be connected to the EHR system as well as to other devices on the same network," OIG warned. "As a result, networked devices that lack proper cybersecurity may have vulnerabilities that could lead to adverse outcomes."
OIG went into its review knowing that the CMS survey protocol for hospital oversight lacks rules for medical devices that connect to the internet, hospital networks and other devices. The question was whether AOs use their discretion to examine cybersecurity and thereby hold hospitals to account. OIG interviewed leaders at four AOs to answer the question.
The interviews showed AOs do not require hospitals to have cybersecurity plans. OIG found AOs "sometimes review limited aspects of device cybersecurity," for example through maintenance requirements that may shed some light on the vulnerabilities of products.
AOs also review mitigation plans from hospitals that identify cybersecurity issues in emergency-preparedness risk assessments, but such problems are rarely identified.
Other assessments suggest such problems exist. The life cycles of software and medtech equipment such as MRI machines are out of sync, meaning hospitals continue to use devices after they stop receiving security patches. The vulnerabilities expose hospitals to ransomware attacks and could threaten patient safety.
The first known ransomware attack to affect networked medical devices occurred in May 2017 when the WannaCry ransomware attack impacted radiological devices in some hospitals, according to OIG. The first death resulting from a ransomware attack occurred in September 2020 when a German hospital was forced to turn away a patient in need of critical care.
OIG wants CMS to do more to address hospital cybersecurity vulnerabilities. The government oversight body proposed several ways CMS could improve practices, such as the use of interpretive guidelines to raise the profile of the topic or the creation of a new cybersecurity-focused Condition of Participation. CoPs set out the minimum health and safety requirements for acute-care hospitals in the Medicare program.
In response, CMS said the all-hazards approach of the CoPs' emergency-preparedness requirements can cover cyberattacks but agreed that it needs to consider other ways to highlight the threat.
"CMS told us that it is revising the Interpretive Guidelines for both the emergency preparedness CoP and the physical-environment CoP, but it said that its timeframes have been delayed because of the COVID-19 pandemic. Although CMS does not plan to address cybersecurity of networked devices in this revision, we ask that it reconsider," OIG wrote.
As OIG sees it, CMS' plan "does not commit the agency to changing its quality oversight" and therefore fails to fulfill the recommendations of the review.
OIG is awaiting further details of CMS’ cybersecurity plan in its Final Management Decision.