Hospitals Need to Strengthen Cybersecurity for Networked Medical Devices
According to a recent report from the Department of Health and Human Services (HHS) Office of Inspector General (OIG), Medicare accreditation organizations (AOs) need to drastically improve their cybersecurity posture. The report found that the Medicare AOs, which derive their requirements from the Conditions of Participation and oversee most Medicare-participating hospitals, rarely use their discretion to examine the cybersecurity of networked devices during their hospital surveys. As a result, Medicare lacks consistent oversight of networked device cybersecurity in hospitals.
The OIG conducted telephone interviews with leadership at the four AOs and sent written questions to Centers for Medicare & Medicaid (CMS) to develop this report. Based on the findings, the OIG recommends that CMS identify and implement an appropriate way to address cybersecurity of networked medical devices in its quality oversight of hospitals in consultation with HHS partners and others.
Networked medical devices connect to the internet, hospital networks and other medical devices to provide features that improve healthcare and increase the ability of healthcare providers to treat patients. Examples of such devices include systems that obtain, archive and communicate images on networks within healthcare facilities, such as MRI systems; systems that monitor patient activity, such as EKGs; and systems that communicate with clinical laboratory analyzers.
One expert estimated that a large hospital may have as many as 85,000 medical devices connected to its network, providing a massive attack surface for cybercrooks. In fact, cyberattacks on hospitals increased in 2020, and the first death resulting from a ransomware attack occurred in Germany last September, when an attack forced a hospital to turn away a patient in need of critical care.
The OIG suggests that CMS should work with partners inside and outside HHS to determine the best method for addressing the cybersecurity of networked medical devices in hospitals. Among external partners, the National Institute of Standards and Technology (NIST) and the Health Information Trust Alliance (HITRUST) are two cybersecurity organizations CMS should work with. AOs are also available for assistance.
HITRUST and NIST frameworks can be overwhelming for any organization to tackle on their own. If you need assistance, contact 2W Tech. We have a robust Cybersecurity Compliance Program that will make sure you comply with your industry’s regulations, including HIPAA, HITRUST and NIST. Contact us today to get started.