CMS may tie reimbursements to a required medical device cybersecurity plan.

CMS May Require Medical Device Cybersecurity


OIG Notices Rising Risks of Connected Medical Devices

The Office of Inspector General (OIG) has noticed that medical devices are often in connected environments while many Healthcare Delivery Organizations (HDOs) are ignorant of the risks these devices pose to their patients. However, outside of a fine for lost or stolen ePHI, facilities often have little financial incentive to do anything about it.

Many have assumed the problem is an issue for large hospitals with large budgets. But small facilities are often just as lucrative for the bad guys, and are easier to hack.

This fact has resulted in hundreds of small HDOs being victims of hacks or disclosing ePHI through preventable means.

OIG Responds to Medical Device Cybersecurity Risks

The Office of Inspector General wrote that because “[an absence of] proper cybersecurity controls, hospital’s networked medical devices… can be compromised, which can lead to patient harm.” And so the OIG recommended “that CMS identify and implement an appropriate way to address cybersecurity of networked medical devices in its quality oversight of hospital in consultation with HHS partners and others.”

CMS responded by stating that “it concurred with considering additional ways to appropriately highlight the importance of cybersecurity of networked medical devices for providers in consultation with its HHS partners that have specific oversight authority regarding cybersecurity.”

This news, along with the HIPAA Safe Harbor Bill signed into law in January, gives HDOs of all sizes every reason to get serious about cybersecurity.


How You Can Prepare for Potential CMS Changes

This is where CE-Tech can help.

CE-Tech has a fully functional medical device cybersecurity program that utilizes a NIST framework that complies with the Safe Harbor Bill. Our risk assessment process is thorough and will move your organization to the forefront of security. Protiviti reviewed our program using NIST standards and found CE-Tech to be above all of our peers, averaging 67.7% above the average.

Now is the time to take cybersecurity seriously. Do not simply rely on segmenting or monitoring your equipment. The HIPAA Safe Harbor Bill already incentivizes utilizing a full NIST cybersecurity framework. Soon, reimbursements may go the same way.

CE-Tech can help you today. Give us a call.