HealthLeaders Media June 28, 2021
Hospitals have thousands of such devices connected to their networks, capable of accessing EHR records.
The U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) issued a report last week finding that the Centers for Medicare & Medicaid Services’ (CMS) survey protocol does not include requirements for networked device cybersecurity.
Further, the report stated that CMS’ accreditation organizations (AO) do not use powers they possess to require hospitals to have such cybersecurity plans.
The OIG stated that hospitals that identify networked device cybersecurity as part of their emergency preparedness risk assessments can get their mitigation plans reviewed by AOs.
In practice, however, hospitals frequently fail to identify device cybersecurity in these risk assessments, the AOs told...