OIG Survey Reports Insufficient Oversight of Cybersecurity of Networked Medical Devices in Hospitals

The HHS’ Office of Inspector General (OIG) has done an audit to find out the level to which the Medicare Accreditation Organizations (AOs) and Centers for Medicare and Medicaid Services (CMS) demand healthcare providers implement a cybersecurity strategy for networked devices and the strategies utilized to evaluate the cybersecurity of networked medical devices.

Cybersecurity controls are necessary to safeguard medical devices that are linked to the web, internal hospital systems, or other medical devices. With no such controls, unauthorized individuals could access the devices and cause harm to patients. Networked medical devices can include MRIs, ultrasound, computed tomography, endoscopy, and nuclear medicine systems, in addition to systems that connect with clinical lab analyzers like laboratory data systems. OIG reported that a big hospital may have approximately 85,000 medical devices linked to its system.

These devices are typically isolated from other systems, they could link to a similar system as the electronic health record (EHR) system. When there are inadequate cybersecurity controls, they may be possibly vulnerable to an attack that may affect critical healthcare systems. Although there were no identified instances of cyberattacks carried out particularly to cause problems to patients, patients may unintentionally be hurt as a consequence of an attack done for other motives. In Germany in 2020, a patient passed away due to a ransomware attack. With no access to hospitals, the patient was brought to another facility and died prior to getting treatment.

The CMS has some cybersecurity prerequisites for hospitals but depends on state survey organizations and Medicare accreditation organizations (AOs) to examine Medicare-partner hospitals. Those surveys are done once in 3 years. The Social Security Act calls for AOs’ survey protocols to be comparable to or stricter than those by CMS.

For the study, OIG provided written interview questions to the CMS and performed phone interviews with 4 AOs. The study showed the CMS survey protocol doesn’t include cybersecurity specifications for networked medical devices and AOs don’t ask hospitals to use cybersecurity programs addressing networked medical devices.

OIG found that AOs at times assess selected facets of device cybersecurity. The study showed two AOs had equipment servicing specifications, which may give minimal information about medical device cybersecurity. In case hospitals determined networked device cybersecurity in their emergency-preparedness risk checks, AOs would evaluate their mitigation programs; but the majority of hospitals didn’t determine device cybersecurity in the risk assessments regularly. AOs might additionally look at networked devices when evaluating hospital safety measures for medical record privacy. Neither the CMS nor the AOs had any programs to revise their survey prerequisites, later on, to include networked devices or cybersecurity in general.

OIG has proposed the CMS to determine and apply a way of managing the cybersecurity of networked medical devices in its quality supervision of hospitals, in consultation with HHS and other partners. CMS agreed with the proposition and is thinking about more ways to properly highlight the value of implementing cybersecurity on networked medical devices by healthcare providers.

OIG recommended a number of ways that the CMS can enhance its monitoring and evaluation of medical device cybersecurity. For instance, the CMS can utilize language as it looks at cybersecurity being part of maintaining device security during operating situations, emphasize the risk that unsecured medical devices linked to the EHR can be a threat to protected health information (PHI), and may additionally tell hospitals to comply with HIPAA specifications, such as the HIPAA Security Rule. The CMS can additionally advise surveyors to inquire hospitals whether they have cybersecurity of networked devices in place when they conducted their hazard vulnerability analyses.