Nixon Peabody LLP

  • People
  • Capabilities
  • Insights
  • About

Trending Topics

    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni

    Practices

    View All

    • Affordable Housing
    • Community Development Finance
    • Corporate & Finance
    • Cybersecurity & Privacy
    • Environmental
    • Franchising & Distribution
    • Government Investigations & White Collar Defense
    • Healthcare
    • Intellectual Property
    • International Services
    • Labor & Employment
    • Litigation
    • Private Wealth & Advisory
    • Project Finance
    • Public Finance
    • Real Estate
    • Regulatory & Government Relations

    Industries

    View All

    • Cannabis
    • Consumer
    • Energy
    • Entertainment
    • Financial Services
    • Healthcare
    • Higher Education
    • Infrastructure
    • Manufacturing
    • Non Profit
    • Real Estate
    • Technology

    Value-Added Services

    View All

    • Alternative Fee Arrangements

      Developing innovative pricing structures and alternative fee agreement models that deliver additional value for our clients.

    • Continuing Education

      Advancing professional knowledge and offering credits for attorneys, staff and other professionals.

    • Crisis Advisory

      Helping clients respond correctly when a crisis occurs.

    • DEI Strategic Services

      Providing our clients with legal, strategic, and practical advice to make transformational changes in their organizations.

    • eDiscovery

      Leveraging law and technology to deliver sound solutions.

    • Global Services

      Delivering seamless service through partnerships across the globe.

    • Innovation

      Leveraging leading-edge technology to guide change and create seamless, collaborative experiences for clients and attorneys.

    • IPED

      Industry-leading conferences focused on affordable housing, tax credits, and more.

    • Legal Project Management

      Providing actionable information to support strategic decision-making.

    • Legally Green

      Teaming with clients to advance sustainable projects, mitigate the effects of climate change, and protect our planet.

    • Nixon Peabody Trust Company

      Offering a range of investment management and fiduciary services.

    • NP Capital Connector

      Bringing together companies and investors for tomorrow’s new deals.

    • NP Second Opinion

      Offering fresh insights on cases that are delayed, over budget, or off-target from the desired resolution.

    • NP Trial

      Courtroom-ready lawyers who can resolve disputes early on clients’ terms or prevail at trial before a judge or jury.

    • Social Impact

      Creating positive impact in our communities through increasing equity, access, and opportunity.

    1. Home
    2. Insights
    3. Articles
    4. HHS OIG review calls out CMS's lack of cybersecurity oversightArticles

    Article

    HHS OIG review calls out CMS's lack of cybersecurity oversight

    July 16, 2021

    Share

    By Julia Cassidy

    The Office of the Inspector General (OIG) in the Department of Health and Human Services (HHS) recently conducted a review of the Centers for Medicare and Medicaid Services’ (CMS’s) survey standards for hospital cybersecurity and determined that CMS lacks consistent oversight of networked-devices cybersecurity in hospitals.

    The Office of the Inspector General (OIG) in the Department of Health and Human Services (HHS) recently conducted a review of the Centers for Medicare and Medicaid Services' (CMS’s) survey standards for hospital cybersecurity and determined that CMS lacks consistent oversight of networked-devices cybersecurity in hospitals. This lack of oversight is especially concerning in light of the many cybersecurity threats that hospitals have faced (and continue to face) and the recent increase in attacks against health care organizations.

     The OIG looked specifically at networked medical devices, or networked devices, which they defined as devices designed to connect to the internet, hospital networks, and other medical devices, providing features that improve health care and increase the ability of health providers to treat patients. These include systems that obtain, archive, and communicate pictures on networks within health care facilities (such as ultrasounds, MRIs, and nuclear medicine) and systems that monitor patient activity (such as electrocardiographic systems). The OIG noted that some of these networked devices also connect to the hospital’s electronic health record (EHR) system. As a result, networked devices lacking proper cybersecurity protection can potentially have significant vulnerabilities, which could lead to widespread data exposure and damaging cyberattacks.

    Approximately, every three years, CMS uses both state survey agencies and Medicare accreditation organizations (AOs) to inspect Medicare-participating hospitals through on-site surveys. When state agencies conduct such surveys, they follow CMS’s survey protocol, which does not require hospitals to have any cybersecurity protections for networked devices. AOs follow their own survey protocols, which are required by the Social Security Act to be equivalent to or more stringent than those of CMS. CMS reviews the AO survey protocols and conducts complaint investigations and random surveys of hospitals AOs have surveyed. However, due to the fact that CMS’s survey protocols do not include any requirements for the cybersecurity of networked devices, AOs are under no obligation to do so. Consequently, it is unlikely that CMS or an AO will ask hospitals how they protect networked devices from cybersecurity attacks.

    The OIG noted that neither CMS nor AOs have plans to update their oversight of hospital cybersecurity in general or of networked devices and recommended that CMS identify and implement an appropriate way to address the cybersecurity of networked devices in its oversight of hospitals. CMS’s lack of attention to cybersecurity is harmful for hospitals and health care providers, as the frequency of cybersecurity attacks is only increasing, and failure to properly secure hospital devices will only make such attacks easier and more frequent. The OIG noted that it awaits further detail on CMS’s cybersecurity plan.

    Despite CMS’s lack of oversight on cybersecurity matters, hospitals and health care systems should continue heightened scrutiny of their cybersecurity practices in order to protect their patients and systems against these harmful threats and vulnerabilities. 

    CybersecurityCybersecurityData BreachPrivacyHealthcare

    Practices

    HealthcareCybersecurity & Privacy

    Subscribe to stay informed of the latest legal news, alerts, and business trends.Subscribe

    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    • © 2023 Nixon Peabody. All rights reserved
    • Privacy Policy
    • Terms of Use
    • Statement of Client Rights
    • Supplier Diversity Program
    • Nixon Peabody International LLC
    • PAL