July 23, 2021 | By Rachel Rose, JD, MBA
In June 2021, the U.S. Department of Health and Human Services Office of the Inspector General (HHS-OIG) issued Issue Brief, OEI-01-20-00220 (hereinafter “Issue Brief”), which highlighted the results of its review of cybersecurity for networked medical devices in hospitals. The impetus behind the review was to address the potential harm to patients that may result when a variety of devices may become compromised. First, the threshold question – what is a medical device?
The U.S. Food and Drug Administration (FDA), which is the government agency tasked with regulating medical devices, proffers the following definition:
A medical device is an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part or accessory which is: recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them, intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or intended to affect the structure or any function of the body of man or other animals, and which does not achieve its primary intended purposes through chemical action within or on body of man or other animals and which is not dependent upon being metabolized for the achievement of any of its primary intended purposes.
The Federal Food, Drug, and Cosmetic Act sets forth the various classifications that a device may fall into. Automatic Dispensing Cabinets (ADCs), pacemakers, and devices used in hospitals that are designed to connect to the internet are all examples of FDA approved medical devices or applications, which were the subject to the OIG’s Issue Brief. The FDA, like the OIG, recognizes that “medical devices, like computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device. By carefully considering possible cybersecurity risks while designing medical devices, and having a plan to manage emerging cybersecurity risks, manufacturers can reduce cybersecurity risks posed to devices and patients.”
In light of the increased emphasis on cybersecurity and protecting the confidentiality, integrity, and availability of the data and the functioning of the device, this article provides a synopsis of the Issue Brief, as well as some compliance tips for mitigating risk of a cyberattack.
Issue Brief Take-Aways
While Medicare accreditation organizations (AOs) were the focus of the review, it is important to note that covered entities, business associates, and subcontractors all have an obligation under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to conduct an annual risk analysis (45 CFR § 164.308(a)(1) and ensure that all ingress and egress of electronic protected health information (ePHI) is secured by meeting the requisite technical, physical, and administrative safeguards set forth in the Security Rule, as well as the corollary National Institute for Standards and Technology (NIST) standards.
Failing to perform an annual risk analysis can have even greater implications for providers’ pockets as the Merit-Based Incentive Payments (MIPs) includes the annual risk analysis requirement, which in turn relates to the attestation on the back of the CMS Form 1500 and other forms for complying with federal rules and regulations. In light of the increased attacks on the healthcare sector and government efforts to require cybersecurity compliance, it is hard to argue that complying with HIPAA, HITECH Act, and MIPs is not material to the government paying claims that are submitted.
In light of this, here are the key take-aways from the Issue Brief:
- Medicare AOs are deficient in using their discretion to examine the cybersecurity of networked devices during hospital surveys;
- CMS’s survey protocol does not include requirements for networked device cybersecurity, and the AOs have turned a blind eye and not used their discretion to require hospitals to have such cybersecurity plans, despite HIPAA being a cornerstone of healthcare law and requiring it;
- Devices may connect to a hospital’s electronic health records system; and
- OIG recommends that CMS identify and implement an appropriate way to address cybersecurity of networked medical devices in its quality oversight of hospitals in consultation with HHS partners and others.
Although Medicare contractors have looked the other way, HIPAA, the HITECH Act, and MIPs, among other laws, have required that the requisite technical, administrative, and physical safeguards are evaluated and implemented annually. This leads us to the next section – risk mitigation.
Driven by the White House Industrial Control Systems Cybersecurity Initiative and the long-standing HIPAA requirements, here are some fundamental compliance suggestions that should not be overlooked:
- Annual, comprehensive Risk Analysis
- Adequate policies and procedures that address the privacy and security of data
- Workforce Training on HIPAA and cybersecurity
- Encryption of data both at rest and in transit
- Business Associate Agreements or Data Privacy & Security Agreements in place and accounted for
- Bring Your Own Device (BYOD) protocols
- Multi-factor identification
- Cyber risk insurance
- Document retention and destruction policies and procedures
- Penetration tests by a qualified third-party
These ten items should already be on any organization’s radar. If not, better late than never in order to overall an organization’s approach to cybersecurity and risk.
Cyber events and non-compliance can be costly. As the government refines its oversight requirements and holds Medicare AOs accountable for not assessing non-compliance with HIPAA and other cybersecurity vulnerabilities, providers and business associates alike will face greater consequences for non-compliance. Given the DOJ’s increased focus on cybersecurity as a basis for False Claims Act cases, compliance and truthfulness in claims submissions and attestations should not be overlooked.