Centers for Medicare and Medicaid Services Issues Emergency Preparedness Requirements That Address Cyber-Attacks

Alston & Bird

The Centers for Medicare and Medicaid Services (“CMS”) issued a final rule on September 8th, 2016 establishing national emergency preparedness requirements for providers and suppliers participating in Medicare and Medicaid in response to “inconsistency in the level of emergency preparedness amongst healthcare providers.”  The rule will be officially published in the Federal Register on September 16th, 2016, and providers and suppliers subject to the rule must comply by November 15th, 2017.  Notably, CMS describes cyber-attacks as a potential risk to assess when implementing the emergency preparedness requirements.

The rule imposes wide-ranging emergency preparedness obligations on 17 types of providers and suppliers.  These obligations consist of four core elements “that are central to an effective and comprehensive framework of emergency preparedness”:  risk assessment and emergency planning, policies and procedures, communication plans, and training and testing.  Specifically, the rule requires providers and suppliers to:

  • Conduct a risk assessment and create an emergency plan based on that assessment;
  • Implement policies and procedures in support of the risk assessment and emergency plan;
  • Establish a communication plan for staff and other necessary persons in the case of an emergency; and
  • Institute training and testing programs, including emergency drills and exercises, for all staff members.

While the rule does not impose specific cybersecurity requirements on providers and suppliers, CMS advocates an “all-hazards approach” to risk assessment, and references “cyber-attacks” as a possible risk to communication systems.  Furthermore, CMS encourages providers and suppliers to “assess whether their specific facility can benefit” from cyber-attack preparedness plans.

Given the increase in cyber-attacks in the medical industry, many providers and suppliers could indeed benefit from cyber-attack preparedness plans.  For example, a recent ransomware attack on MedStar Health compromised hundreds of programs and systems across the entire MedStar network at the same time.  Staff members of medical facilities affected by such comprehensive attacks could benefit from the preparation, coordination, and training a cyber-attack preparedness plan would provide.  In particular, the use of drills and exercises may prepare staff members for the potential difficulties of working during an ongoing cyber-attack.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Alston & Bird | Attorney Advertising
