The Centers for Medicare and Medicaid Services (CMS) has sent out a Survey and Certification Letter, sharing recommendations to providers regarding cyber security.

The letter reminds providers and suppliers to keep current with best practices regarding mitigation of cyber security attacks. CMS outlines resources to assist facilities in reviewing their cyber security and IT programs.

According to CMS:

  • The Cybersecurity Act of 2015, section 405(b) required the Department of Health and Human Services (HHS) to develop a report on the preparedness of HHS and health care industry stakeholders in responding to cybersecurity threats. This report, the U.S. HHS Preparedness Report, outlines the HHS components responsibilities for cyber security. However, the report does not outline mechanisms for States and facilities regarding procedures to take to protect themselves from adverse cyber events.
  • Primary areas of concerns are the disruption to patient care that occur when a cyber-attack is successful, potentially leading to a series of adverse events, including incomplete discharge instructions, missing patient information or orders, potential compromise of Public Health Information (PHI), personal identifiable information (PII), which ultimately could lead to violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Additionally, depending on the facility’s ability to provide patient care, such as loss of electronic health records or other critical computer based systems, the facility may need to close or temporarily suspend operations.
  • Highest impact for facilities faced with cyber incidents are: Governing Body; Medical Records/ Patient Records; nursing Services. CMS recommends that facility leadership review current policies and procedures to ensure adequate plans are in place in the event of an attack.
  • While the new Emergency Preparedness Requirements for Medicare and Medicaid Participating Providers and Suppliers regulation does not specifically address elements of cyber-security, the regulation requires providers and suppliers to have an emergency plan and risk assessment based on an “all-hazards” approach.
    • CMS encourages providers to consider cyber-security an element in the development of their emergency plans, risk assessments, and annual training exercises. While not a requirement, facilities may consider adding cyber security protocols to their policies and procedures.
    • Given the regulation’s requirement for facilities to establish communication plans, including alternate means of communication, facilities could consider addressing within their policies and procedures an element of how to communicate with staff and different departments in the event computers or other means of communication are inaccessible. Finally, facilities may also choose to conduct table-top exercises, with or without assistance from healthcare coalitions or State emergency officials, which are focused on cyber security and how to continue operations in the event of a cyber-attack.
    • CMS encourages facility leadership to work with the Chief Nursing Officer (CNO); Risk Manager; Performance Improvement Director; IT Director and Nursing Directors, and/or anyone the facility deems appropriate in managing cyber-attack mitigation practices.

Additional resources: