CMS is considering adding new medical device cybersecurity requirements for hospitals participating in Medicare after receiving recommendations from the HHS Office of Inspector General, according to a June 30 GovInfoSecurity report.
Five details:
1. CMS does not require accreditation organizations that review acute care hospitals for Medicare participation to ask about the methods those hospitals use to secure network devices from cybersecurity threats, according to a June inspector general report cited by GovInfoSecurity.
2. Since CMS guidance on assessing hospitals' compliance with its 23 conditions of participation in Medicare does not address medical device cybersecurity, the accreditation organizations don't require hospitals to have cybersecurity plans for devices in place.
3. While accreditation organizations "sometimes review limited aspects of networked device cybersecurity under certain circumstances … [accreditation organizations said] that in practice, however, hospitals did not identify device cybersecurity in these risk assessments very often," the report states.
4. The inspector general recommended that CMS consult with HHS partners to establish an effective method to address cybersecurity of networked medical devices in its quality oversight of hospitals.
5. In response to the inspector general's recommendations, CMS said it is considering "additional ways to appropriately highlight the importance of cybersecurity of networked medical devices for providers in consultation with its HHS partners that have specific oversight authority regarding cybersecurity," according to the report.