By John H. Fisher II
February 22, 2017
On January 13, 2017, the Centers for Medicare & Medicaid Services (CMS) issued Recommendations to Providers Regarding Cyber Security. In general, the Recommendations are intended to remind providers and suppliers to keep current with best practices regarding mitigation of cybersecurity attacks. The Recommendations contain an interesting discussion of some of the current cyber threats that exist to the health care industry.
CMS released these recommendations in consideration of Executive Order (EO) 13636, “Improving Critical Infrastructure Cybersecurity,” which was issued by President Obama. The EO directed agencies to issue new regulations addressing cybersecurity risks “if current regulatory requirements are deemed to be insufficient…to mitigate cyber risk.” Though CMS considers existing regulations adequate, it is addressing the specific cybersecurity risk by implementing a number of non-regulatory activities and recommendations to enhance the cybersecurity of private sector critical infrastructure partners.
Existing emergency preparedness regulations applicable to health care providers do not specifically address elements of cybersecurity. However, the regulations require providers and suppliers to have an emergency plan and risk assessment that focus on capacities and capabilities critical to preparedness for a full spectrum of emergencies or disasters. Even though cybersecurity is not specifically called out, that risk should certainly be considered and addressed by health care providers as part of their risk assessment and compliance with existing regulations.
CMS encourages facility leadership to work collaboratively with various management and outside resources to develop systems to manage cyber-attacks.
The practical part of the release contains a variety of recommendations to health care providers. Many of the recommendations involve training staff to use alternative “paper” systems to prevent interruption in the event of a cyber-attack.
Some of the recommendations CMS made include the following:
Facility leadership should review current policies and procedures to ensure adequate plans are in place in the event of an attack. For instance, most IT Directors and facility policies require that systems be shut down, and set specific timelines for notifying the appropriate State and Federal agencies and State Health Departments.
Facilities should research best practices and mitigation methods and implement steps that provide adequate protection against a cyber-attack.
Facilities should consider retraining staff to include use of non-electronic methods, such as written discharge instructions, care planning, and medical records, to be used as an alternative to electronic records in the event of an attack.
Some providers also encouraged staff to familiarize themselves with the paper medication administration record (MAR) process, and with the transmission of laboratory and radiology orders on paper-based requisition forms that are hand delivered to departments for processing.
Cybersecurity risk should be considered in the development of facilities’ emergency plans, risk assessments, and annual training exercises.
Consider pre-programming phone/fax numbers into the fax machine to avoid any delay in the event computer systems are inaccessible.
Consider conducting table-top exercises focused on cybersecurity and how to continue operations in the event of a cyber-attack.
Consider establishing or adapting communication plans that can be implemented to identify alternative communications methods in the event existing means of communication are inaccessible.
The CMS recommendations conclude by referencing a variety of external resources providers can consider when implementing procedures to address cybersecurity risks.
© 2021 Ruder Ware, L.L.S.C. Accurate reproduction with acknowledgment granted. All rights reserved.