Medicare needs to keep a closer eye on the cybersecurity of hospitals' internet-connected medical devices, an HHS' Office of Inspector General report found Wednesday.
The agency recommended that CMS change its hospital quality reviews to address the issue, noting that Medicare accrediting organizations, which CMS relies on to monitor hospital quality, rarely use their power to examine networked devices' cybersecurity during routine hospital surveys.
"Such a requirement would allow the (accrediting organizations) to consistently and routinely review hospitals' cybersecurity protections for their networked devices," the report said.
But CMS wouldn't commit to improving its oversight, despite the growing threat of cybersecurity attacks against hospitals and health systems. CMS told OIG that it encourages providers to include cybersecurity in their emergency preparedness plans and will continue to provide continuing education and technical support about planning for and responding to cyberattacks. But neither CMS nor its Medicare accrediting organizations have plans to develop new requirements.
"CMS' proposed action would not implement our recommendation because it does not commit the agency to changing its quality oversight," the report said.
While patient privacy has been a key concern for recent cyberattacks, patient safety and quality are rising in prominence when health providers can't access electronic health records or scheduling information. That could cause medical errors, but the issue hasn't been studied much. Earlier hacks were mainly focused on obtaining patient records for old-fashioned financial fraud or medical identity theft, not holding data for ransom.
"Without proper cybersecurity controls, hospitals' networked medical devices (i.e., devices designed to connect to the internet, hospital networks, and other medical devices) can be compromised, which can lead to patient harm," the report said.
Data breaches often stem from hacks on email accounts, electronic health records and other digital repositories. But medical devices create additional access points that hackers could target to enter a hospital's network and steal data, cybersecurity experts warn. The COVID-19 pandemic may have exacerbated the problem, as providers rapidly added web-connected equipment to increase patient data collection and minimize touchpoints. The problem will only get worse because providers often overlook medical devices during their security risk assesments, said Beth Pitman, a partner at law firm Waller Lansden Dortch & Davis.
"They don't always think about whether the wireless pulse oximeter on a patient's finger had its software updated or is old and needs to be replaced," she said.
Pitman thought it made sense for CMS to further examine providers' cybersecurity through its hospital surveys since healthcare facilities already have to protect health information under the Health Insurance Portability and Accountability Act. But she was wary of piling more regulations onto providers.
"That would be difficult for the industry to bear," she said.
While someone might access a networked device to harm a patient, it's more likely a hacker would take advantage of a medical device vulnerability to sneak into a hospital's broader network or deploy malware at a hospital. That could unintentionally spread to critical patient care devices that are linked to the same network. It's not uncommon for larger systems to have more than 100,000 devices connected to their internal networks.
The American Hospital Association has argued that ransomware attacks against hospitals should be prosecuted as threat-to-life crimes, not economic crimes, because ransomware attacks often hit critical medical systems.
OIG suggested several ways that CMS could add cybersecurity requirements to its existing oversight activities. For instance, CMS could consider cybersecurity as part of device safety standards or highlight the risk that unsecured devices threaten protected health information.