The Centers for Medicare and Medicaid Services not only pay for health care but they accredit the organizations that deliver the programs. Now the Department of Health and Human Services Office of Inspector General has found CMS needs to improve its oversight of a critical piece of health care infrastructure — namely, the cybersecurity of networked medical devices. For more, Federal Drive with Tom Temin turned to social science research analyst Ivan Troy.
Insight by Verizon: Learn about the progress that the Pentagon is making in finding real value out of 5G and its future across DoD.
Tom Temin: Mr. Troy, good to have you on.
Ivan Troy: Thank you. Thanks for having me on.
Tom Temin: Let’s begin with what CMS’s responsibility is here for oversight of cyber, of medical devices, I guess this is part of when they accredit organizations that they’re going to pay to deliver health services.
Ivan Troy: Yeah, so, it’s two parts here. So CMS, obviously is the agency in charge of Medicare and that’s the requirements hospitals have to meet to participate in the program. CMS does not have any requirements at all for hospitals to secure their network medical devices against cyber attacks. However, most hospitals, about 85% of all Medicare participating hospitals, instead of having CMS, or through the state survey agencies who work on behalf of CMS to make sure those hospitals are meeting the requirements, they choose to be accredited by these private entities called accreditation organizations, there’s four of them who work in Medicare, and the accreditation organizations, they must use all of CMS’s requirements, but they also have the discretion, the ability to require more than what CMS requires. So for this study, we looked to see what those accreditors were doing, because we already knew going into this that CMS had no requirements.
Tom Temin: So you were looking at the accreditors, or at CMS’s is oversight of the accreditors?
Ivan Troy: It’s really what the accreditors were or weren’t doing with regards to requiring hospitals to secure the devices.
Tom Temin: Got it. And what did you find?
Ivan Troy: Basically, because CMS has no requirements, the accreditors have no requirements. They are looking for CMS to take the lead and sort of set the bar here. And unless and until CMS does so, the accreditors are just gonna wait.
Tom Temin: Got it. And did you get any sense of whether devices tend to be secure at all? Or you probably didn’t go that far downstream?
Ivan Troy: Correct. Yeah, we didn’t look at what the hospitals were doing. We’re looking more at this oversight system that sees what hospitals are doing. So then the accreditors are doing some things, sort of in certain circumstances, there’s just no specific requirements that they have to have hospitals secure the devices.
Tom Temin: Right, so the given hospital could be totally secure or totally insecure. But that would not be known necessarily to the accrediting organization, and therefore, there’s no way CMS could know it.
Ivan Troy: Right. And there are a lot of reasons why these devices are challenging for hospitals to secure all of them.
Tom Temin: Got it. And so is there a health risk with unsecured devices that are networked?
Ivan Troy: There certainly could be. A ransomware attack or other cyber attack, it could take these devices offline, which could impact the hospital’s ability to deliver care.
Tom Temin: Because we have seen ransomware attacks effect health care organizations in the last year or so. Correct?
Ivan Troy: Yeah, since we started this study last year, the number has gone way up. And in fact, I believe it was last fall, that department and the FBI issued a joint warning to the health care sector, warning of a huge increase in attacks. And I think cybersecurity researchers have verify that it’s something like twice as many attacks in the health care sector than in other sectors combined.
Tom Temin: Yeah. So there’s real potential there. And in looking at organizations, do the accreditors then look at cybersecurity of their basic information systems, or that part of their infrastructure and just leave out the devices?
Ivan Troy: Sometimes, yeah. At least one of the accreditors told us that when they are looking to see how hospitals are securing those EHR’s is in their patients health information, and then because some of the medical devices are feeding information into those EHR’s, the accreditor might look to see, okay, well, is anything happening to secure those devices or at least how they transmit data into the EHR’s.
Tom Temin: Yeah, so the potential dangers there are, one, hacking of devices for whatever purpose and we’ve all heard lurid nightmare scenarios there. But there’s also the threat of privacy violations and loss of HIPAA protected data to I guess.
Ivan Troy: Correct, yeah. Generally with a ransomware attack they’re just seizing control of the devices on the network, and hospitals can deliver care until they pay whatever ransom.
Tom Temin: They want to empty the pharmacy and send it to us or give us $10 million in Bitcoin. We’re speaking with Ivan Troy. He’s a research analyst in the Office of the Inspector General at the Health and Human Services Department. So does this point to some policy gap then, in the relationship do you think between CMS and the accrediting organizations, or between the accrediting organizations and the organizations delivering health care, or is this a whole stream issue that needs to be addressed do you think?
Ivan Troy: Yeah, we definitely think so. We talked about it. We think this is a patient safety issue, because an attack on these devices could be an attack on the hospital’s ability to deliver patient care. And so yeah, CMS right now doesn’t really have any requirements around this and we think that’s an opportunity for them to do so.
Tom Temin: Alright, so what are your specific recommendations then?
Ivan Troy: Basically, what we think now is that as healthcare and technology have become more and more intertwined, an attack on devices, that we just said, is an attack on patient care. And so we recommended that CMS find and implement an appropriate way to add the security, the cybersecurity of these devices to its routine quality oversight of hospitals. And we offered some options to CMS, for example, there are some requirements CMS has around emergency preparedness planning, where hospitals have to kind of identify what they think are their most pressing concerns, and they come up with mitigation strategies to address that. And so, in this case, the accreditors, if the hospital lists devices that’s one of those concerns, the accreditor will talk about it, but it doesn’t happen very often. And so there was an opportunity for CMS to have the surveyors proactively ask the hospitals, okay, what about devices, what are you doing to secure those? Yeah, and then alternatively, CMS could even have an entire requirement for hospitals to secure the devices, like a very strict condition of participation as part of its Medicare requirements for hospitals. So there are options here.
Tom Temin: And CMS can avail itself of standards published by NIST too, the National Institute of Standards and Technology I’m sure has one of their special publications on network medical devices and standards for those kinds of hardware. So there is something that CMS could reference if it wanted to, and impose that…
Ivan Troy: That’s part of our recommendation was for CMS to talk to these both internal expertise in the department and external expertise. So NIST was also high trust to heath IT trust alliance and similar kinds of guidance like that. There’s also agencies in the department that have a role, like the FDA looks at the cybersecurity of the devices themselves. So there is opportunity for CMS to use some expertise as it develops its path forward.
Tom Temin: And CMS must have a big enough footprint over the health care system that a move they would potentially make to make more security in these devices could really change the whole industry, couldn’t it?
Ivan Troy: Yeah, and that’s why, with these options, like even something as guidance for surveyors, not requirements for hospitals, but just CMS showing that they’re taking this seriously, it’s gonna send that message out to the entire industry that okay, we take this seriously too.
Tom Temin: And what was the CMS reaction to the report and to the recommendations?
Ivan Troy: I think that question would best be answered fully by CMS, but I can tell you that in their response that they shared with us, CMS stated that they concurred with considering additional ways to appropriately highlight the importance of cybersecurity of network devices for providers in consultation with its HHS partners that have specific oversight authority regarding cybersecurity.
Tom Temin: Got it. So they want a little bit of firepower to go along with this new regime of oversight. So what happens next? Will they issue a plan for that? Or do they have a specific assignment?
Ivan Troy: Yeah. We have an internal recommendation tracking policy where the agencies will send us their plan a few months after the report is finalized. So we look to see what they’re gonna come back with.
Tom Temin: Got it. And earlier, we asked whether you had looked at the actual state of cybersecurity, and that was beyond the scope of this report of this study of the medical devices, is that something that you think you might be looking at, some sort of a survey of payees of CMS just to see what their state of cybersecurity is in general?
Ivan Troy: There is future work that has begun, you can see the details on the OIG work plan on our website, but there is work being done that’s going to look at CMS’s as role again, the role of the Office for Civil Rights that has some role in this, and looking at protections for protected health information. But I think that study will also do some of its own testing of hospitals, cybersecurity protections.
Tom Temin: And CMS does have some mechanism in place so that their surveyors can ascertain cybersecurity.
Ivan Troy: Their current guidelines for surveyors already include reference to cybersecurity, such as using strong passwords to secure EHR’s. And even last year, CMS issued regulation around EHR interoperability, where, and I’ll paraphrase, but they said, we see no reason why the hospital conditions of participation can’t include technology, when it’s a patient safety issue, and when you think this is a patient safety issue.
Tom Temin: And when you’re spending a trillion dollars, you’ve got a pretty big stick too, I guess.
Ivan Troy: Yeah, sure.
Tom Temin: Okay. Ivan Troy is a research analyst in the Office of Inspector General at the Health and Human Services Department. Thanks so much for joining me.
Ivan Troy: Yeah, my pleasure. Thank you very much.