The Centers for Medicare & Medicaid Services (CMS) is reminding providers and suppliers to keep current with best practices regarding mitigation of cyber security attacks.
Here is some background information: the Cybersecurity Act of 2015, section 405(b), required the Department of Health and Human Services (HHS) to develop a report on the preparedness of HHS and health care industry stakeholders in responding to cybersecurity threats. This report is known as the U.S. HHS Preparedness Report and outlines the responsibilities of HHS components for cyber security. However, the report does not outline mechanisms or procedures that States and facilities can take to protect themselves from adverse cyber events.
In 2016, multiple cyber-attacks occurred worldwide, affecting banks, health systems, academia and social media. In the United States, several hospitals and health care providers experienced cybersecurity attacks commonly known as ransomware. The motive of this type of cyber-attack is primarily financial, with a demand for Bitcoins (an Internet monetary system) in exchange for restoration of temporarily disabled IT systems, including electronic medical records, paging systems and other IT infrastructure.
The primary area of concern is the disruption to patient care that occurs when a cyber-attack is successful. These attacks can lead to a series of adverse events, including incomplete discharge instructions, missing patient information or orders, and potential compromise of Public Health Information (PHI) and personally identifiable information (PII), which ultimately could lead to violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). (As an interesting side note, a report from DataBreaches.net and Protenus found that between 10% and 40% of all HIPAA breaches involved business associates, with more recent statistics putting the percentage at at least 30 percent. See the report for additional recommendations for your facility as well as for third-party vendors used by your organization.)
Additionally, depending on the impact on the facility’s ability to provide patient care, such as loss of electronic health records or other critical computer-based systems, the facility may need to close or temporarily suspend operations. The Conditions of Participation most impacted for facilities faced with cyber incidents are:
- Governing Body
- Medical Records/ Patient Records
- Nursing Services: due to lack of knowledge of alternate methods such as the medication administration record (MAR), etc.
CMS recommends that facility leadership review current policies and procedures to ensure adequate plans are in place in the event of an attack. While the new Emergency Preparedness Requirements for Medicare and Medicaid Participating Providers and Suppliers regulation does not specifically address elements of cyber-security, the regulation requires providers and suppliers to have an emergency plan and risk assessment based on an “all-hazards” approach. An all-hazards approach is an integrated approach to emergency preparedness planning that focuses on capacities and capabilities that are critical to preparedness for a full spectrum of emergencies or disasters.
CMS encourages providers to consider cyber-security as an element in the development of their emergency plans, risk assessments, and annual training exercises. While not a requirement, facilities may consider adding cyber security protocols to their policies and procedures. Additionally, given the regulation’s requirement for facilities to establish communication plans, which also include alternate means of communication, the facility could consider addressing within its policies and procedures how to communicate with staff and different departments in the event computers or other means of communication are inaccessible. Finally, facilities may also choose to conduct table-top exercises, with or without assistance from healthcare coalitions or State emergency officials, focused on cyber security and on how to continue operations in the event of a cyber-attack.
CMS has outlined resources to assist facilities in their reviews of their cyber security and IT programs:
- The Department of Homeland Security Cyber Resilience Review (CRR) & Cyber Security Evaluation Tool is a no-cost, voluntary, non-technical assessment to evaluate operational resilience and cybersecurity capabilities of an organization.
- Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-the-Shelf Software
- FDA Safety Communication: Cybersecurity for Medical Devices and Hospital Networks
- Postmarket Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff
- Office of the Assistant Secretary for Preparedness & Response (ASPR) Technical Resources, Assistance Center, and Information Exchange (TRACIE)
MCN HEALTHCARE