OIG Issues Report Regarding Medicare Oversight of Cybersecurity for Networked Medical Devices in Hospitals

King & Spalding

On June 21, 2021, OIG released a report titled “Medicare Lacks Consistent Oversight of Cybersecurity for Networked Medical Devices in Hospitals” (OEI-01-20-00220) (the OIG Report). OIG determined that CMS’s accreditation survey protocol does not include requirements for networked device cybersecurity, and Medicare Accreditation Organizations (AOs) do not employ their discretion to require hospitals to have cybersecurity plans. OIG recommended that CMS take additional steps to address cybersecurity of networked medical devices in its quality oversight of hospitals.

The OIG Report explains that CMS’s survey protocol for overseeing hospitals is silent with respect to the cybersecurity of networked medical devices (i.e., devices designed to connect to the internet, hospital networks, and other medical devices). These devices can be compromised, which can lead to patient harm. OIG conducted interviews with various Medicare AOs and found that the AOs did not use their discretion to require hospitals to have cybersecurity plans. However, AOs sometimes reviewed limited aspects of device cybersecurity. The OIG Report stated that AOs did not plan to update their survey requirements to address such issues.

In light of the increased use of technology in healthcare, as well as the increased cyberattacks on hospitals, OIG recommended that CMS identify and implement an appropriate way to address cybersecurity of networked medical devices in its quality oversight of hospitals in consultation with HHS partners. In response to the OIG Report, CMS stated that it agreed with considering additional ways to highlight the importance of cybersecurity of networked medical devices for providers.

The OIG Report is available here.
