If you’ve been following the news lately, you’ll know that cybersecurity in the healthcare space is a big problem. Hospitals and health systems large and small have increasingly been on the receiving end of hacks, cyber-attacks and ransomware intrusions. Not to mention that an estimated 275 million medical images are currently vulnerable due to unsecured picture archiving communication systems. HHS just released another alert about that just days after the Inspector General report came out.
The report focused on the role of Medicare accrediting organizations’ failure to keep proper tabs on whether hospitals were maintaining proper cybersecurity of their networked devices. According to the report:
CMS’s survey protocol does not include requirements for networked device cybersecurity, and the AOs [accrediting organizations] do not use their discretion to require hospitals to have such cybersecurity plans. However, AOs sometimes review limited aspects of device cybersecurity.
For example, two AOs have equipment maintenance requirements that may yield limited insight into device cybersecurity. If hospitals identify networked device cybersecurity as part of their emergency-preparedness risk assessments, AOs will review the mitigation plans. AOs told us that in practice, however, hospitals did not identify device cybersecurity in these risk assessments very often.
But most importantly, the OIG’s report underscored the lopsided cybersecurity expectations in the healthcare industry. Cybersecurity is supposed to be a shared responsibility between device manufacturers and providers. For their part, the manufacturers are tightly regulated by the FDA and are required ensure their products are secure through a carefully designed protocols subject to frequent updates. Alas, the best-designed devices in the world can’t compensate for negligence or poor practices on the part of the end-user.
Which brings me to the point I raised in The Hill recently about how unregulated medical device servicing poses serious risks for cybersecurity. Original equipment manufacturers and their servicers are regulated by the FDA. Third party servicers – who could really be anyone since there are no universal training and licensing requirements to service these devices either – are not. Third-party servicers claim they’re held to the same standards as OEMs due to hospital accreditation. The OIG report flies in the face of that claim.
If the goal is to get rid of the “blind spots” that lead to cybersecurity incidents, ensuring that those who control repairs and maintenance of these highly sophisticated pieces of health care technology are FDA-regulated makes the most sense to me. Hiding behind accreditations that Medicare isn’t watching doesn’t. It’s clear no one is watching the proverbial coup on the hospitals’ end.
If hospitals and imaging providers can’t keep tabs on their own cyber security, how can we expect them to handle the servicing of highly sophisticated medical devices?