Federal Government Fraud and Abuse Series – Annual Report of the Departments of Health and Human Services and Justice Health Care Fraud and Abuse Control Program FY 2021 (FY 2021 HCFAC Report)
Medicare Lacks Consistent Oversight of Cybersecurity for Hospital Networked Medical Devices
Kendall PC’s Federal Government Fraud and Abuse Series takes a “deep dive” exploring key issues and takeaways from the Departments of Health and Human Services’ and Justice’s FY 2021 Annual Report.
The Annual Report of the Attorney General and the Secretary of the Department of Health and Human Services details the expenditures and revenues under the Health Care Fraud and Abuse Program as is required under Section 1817(k)(5) of the Social Security Act. The Health Care Fraud and Abuse Program was created as a far-reaching program to combat fraud and abuse in health care – both in public and private health plans. The Program is led under the joint direction of the Attorney General and Secretary and aims to “(1) coordinate federal, state, and local law enforcement efforts relating to health care fraud and abuse with respect to health plans; (2) conduct investigations, audits, inspections, and evaluations relating to the delivery of and payment for health care in the United States; (3) facilitate enforcement of all applicable remedies for such fraud; and (4) provide education and guidance regarding complying with current health care law.”
As is required under the Act, the Attorney General and Secretary must submit a joint annual report to Congress identifying the amounts appropriated to the Medicare Trust Funds for the previous fiscal year under specific categories and the source of such amounts. The report must also detail the amounts appropriated from the Medicare Trust Funds for such year for use by the Attorney General and Secretary, including justification for such expenditure amounts.
Per the FY 2021 HCFAC Report, the federal government won or negotiated more than $5 billion USD in health care fraud judgments and settlements. Additionally, the Department of Justice opened 831 new criminal health care fraud investigations, filed criminal charges in 462 cases (involving 741 defendants), and convicted 312 defendants; and opened 805 civil health care fraud investigations and reported 1,432 civil health care matters pending at the end of the fiscal year. Similarly, the Office of Inspector General investigations led to 504 criminal actions and 669 civil actions during the fiscal year and excluded 1,689 individuals from participation in the federal health care programs.
In FY 2021, HHS-OIG issued 162 audit reports and 46 evaluations, resulting in 506 new recommendations issued to HHS operating divisions, grantees, and other entities. In the FY 2021 HCFAC Report, HHS-OIG provided select examples of audit and evaluation findings, organized by two priority outcomes: (1) minimize risks to beneficiaries and (2) safeguard programs from improper payments and fraud.
Among the “minimize risks to beneficiaries” category, HHS-OIG highlighted an audit finding that “Medicare Lacks Consistent Oversight of Cybersecurity for Networked Medical Devices in Hospitals.” The HCFAC Report specifically stated that “Medicare accreditation organizations, which derive their requirements from the Conditions of Participation, rarely use their discretion to examine the cybersecurity of networked devices during hospital stays.” HHS-OIG highlighted that CMS had subsequently concurred with OIG’s recommendations to identify and implement an appropriate mechanism to address cybersecurity of “networked medical devices” in response to the OIG Issue Brief OEI-01-02-00220 issued in June 2021 (“Medicare Cybersecurity Issue Brief”).
OIG conducted the underlying review of CMS based upon concerns that compromised hospital networked medical devices – those devices designed to connect to the internet, hospital networks, and other medical devices (e.g., CT, MRI, ultrasound, nuclear medicine, and endoscopy systems; electrocardiographic systems; and laboratory information systems) – may lead to patient harm absent proper cybersecurity controls. Networked medical devices are distinct from hospitals’ electronic health record (“EHR”) systems. However, because they may connect to the same network as the EHR, such networked medical devices may connect to EHR systems themselves as well as to other devices on the same network. As a result, OIG contends that networked medical devices lacking adequate cybersecurity may present vulnerabilities to a hospital’s systems that could lead to adverse outcomes in the event of an attack. In support, OIG cites a 45-percent increase in attacks against health care organizations (more than double the average increase across other industries) that followed a warning issued by HHS and the Federal Bureau of Investigation (“FBI”) in October 2020 that an increase in ransomware attacks on hospitals was imminent.
In the Medicare Cybersecurity Issue Brief, OIG found that CMS’ protocol for overseeing and evaluating Medicare-participating hospitals was entirely silent on any cybersecurity requirements for networked medical devices. Moreover, OIG found that the Medicare accreditation organizations (“AOs”) did not use their discretion to require hospitals to have such cybersecurity plans. As a result, OIG warned that CMS lacked consistent oversight of networked device cybersecurity necessary to adequately address and guard against the ever-increasing threats of cyberattacks on hospitals, thus risking patient harm.
The 23 Conditions of Participation (CoPs) set forth the minimum health and safety requirements (“standards”) for acute-care hospitals that seek to participate in the Medicare program. OIG identifies several CoPs as relevant to proper cybersecurity precautions for hospital networked medical devices, expressly highlighting the CoPs on physical environment, emergency preparedness, patients’ rights and privacy, medical records, and compliance with all applicable Federal, State, and local laws. CMS also publishes a survey resource called the Interpretive Guidelines, which is designed to help surveyors understand how to interpret the CoPs. OIG states that the Interpretive Guidelines are limited in the guidance they provide concerning cybersecurity in that they are tailored to the security of protected health information. Specifically, the Interpretive Guidelines include specifics concerning the use of “passwords and other security measures on computers maintaining personally identifiable health information.”
CMS audits Medicare-participating hospitals for compliance with its minimum requirements approximately every 3 years through onsite surveys conducted by State survey agencies and AOs. In carrying out these activities, State agencies follow CMS’s survey protocol. Notably, the CMS survey protocol does not require Medicare-participating hospitals to have any cybersecurity protections for networked medical devices. Although CMS encouraged State survey agency directors to consider cybersecurity as an element in the development of emergency plans, the agency did not go so far as to require it. Additionally, approximately 85 percent of Medicare-participating hospitals elect to demonstrate compliance with CMS requirements by earning accreditation through CMS-approved AOs, which also conduct onsite surveys. That said, AOs follow their own survey protocols, which at a minimum must be equivalent to the CMS survey protocol but electively may be more stringent than those requirements.
Additionally, CMS requires hospitals to comply with parts of the Life Safety Code, published every 3 years by the National Fire Protection Association (“NFPA”). CMS adopted the 2012 edition of NFPA 99, the code specific to health care facilities, but excluded the chapter specific to cybersecurity. OIG appears to take issue with CMS’ rationale for this exclusion – specifically, the agency’s contention that it “ha[s] no authority to regulate these specific topics in health care facilities” and that “the chapter is not within the scope of the conditions of participation . . .” To this end, OIG takes care to highlight several HHS agencies and offices that do possess roles and responsibilities involving cybersecurity – e.g., the Office for Civil Rights’ responsibility for enforcing the Security Rule of the Health Insurance Portability and Accountability Act (“HIPAA”); the Food and Drug Administration’s (“FDA”) responsibility for regulating medical devices throughout the entire product lifecycle, including shared accountability among the FDA, device manufacturers, and health care providers (“HCPs”) for cybersecurity of networked medical devices; the Office of the National Coordinator for Health Information Technology’s creation of tools and guidance for HCPs on securing PHI; and HHS’s Health Sector Cybersecurity Coordination Center’s development of cyberattack mitigation resources. Furthermore, OIG examines its prior audits, recommendations, and remediation measures pertaining to FDA’s premarket review of cybersecurity components of networked medical devices and postmarket events involving cybersecurity of networked medical devices. Though not expressly stated by OIG, the agency seems to imply that CMS could and should undergo a similar process to address the shortcomings identified by OIG pertaining to CMS’ oversight of hospitals’ networked medical devices.
The OIG audit was national in its scope, focusing on CMS and the four AOs that accredit Medicare-participating hospitals and their survey protocols and applicable planned changes as of summer 2020. The networked medical devices subject to the audit inspection were those devices regulated by FDA that “support wired or wireless connectivity to a hospital network.” Those devices that patients use outside of a hospital setting (e.g., pacemakers) were excluded from the audit scope. Additionally, the audit specifically excluded State survey agencies on the basis that such agencies utilize the CMS survey protocols that are publicly available (compared to the proprietary AO survey protocols).
OIG conducted “structured telephone interviews” with leadership at the AOs in July and August of 2020 focused on discerning the extent to which the survey standards required hospitals to maintain a cybersecurity plan for networked devices and other ways that the surveys might address cybersecurity of networked medical devices. The agency also reviewed AO documentation of the pertinent survey standards and procedures and sent written questions to CMS inquiring as to whether there were planned changes to the CoPs. OIG states that while it did not independently verify all information from the AO interviews, it did verify the interview data with the AOs’ survey standards. The audit study was conducted in accordance with the Quality Standards for Inspection and Evaluation issued by the Council of the Inspectors General on Integrity and Efficiency.
The results of the audit indicated three main findings:
- The CoPs do not include requirements for the cybersecurity of networked devices, and the AOs do not use their discretion to require hospitals to have such cybersecurity plans.
- AOs sometimes review limited aspects of networked device cybersecurity under certain circumstances.
- CMS and the AOs do not plan to update their survey requirements to address networked device cybersecurity or cybersecurity generally.
The CoPs Do Not Include Requirements for the Cybersecurity of Networked Devices, and the AOs Do Not Use Their Discretion to Require Hospitals to Have Such Cybersecurity Plans
OIG reports that the AOs informed the agency that they base their hospital requirements on the CoPs and look directly to CMS for guidance on how to assess compliance. Because CMS “does not expect or require AOs to ask hospitals about the methods they use to secure networked devices from cyberattacks,” OIG found that the AOs do not use their independent discretion to develop cybersecurity requirements. Such requirements, if implemented, would enable the AOs to review hospitals’ cybersecurity protections for their networked devices consistently and routinely.
AOs Sometimes Review Limited Aspects of Networked Device Cybersecurity Under Certain Circumstances
Since AOs do not include cybersecurity as a component of accreditation requirements, AO review of Medicare-participating hospitals’ cybersecurity measures occurs only in certain, limited circumstances. Specifically, AOs informed OIG that they apply the CoPs to review the cybersecurity of networked medical devices in the following instances:
- Two AOs verify that facilities, supplies, and equipment are maintained to ensure an acceptable level of safety and quality.
- AOs verify that the hospital has a comprehensive emergency preparedness program with risk assessment and with planning, policies, and procedures, including risk(s) to networked medical devices.
- AOs review controls protecting the privacy and confidentiality of patient records.
- AOs complete high-level review of the policies and procedures in place to protect the security and integrity of EHRs.
OIG believes that “opportunities exist within the medical-equipment standard of the physical environment CoP for AOs to draw attention to device cybersecurity.” OIG asserts that hospitals can elevate networked device cybersecurity as part of their all-hazards risk planning. More specifically, OIG states that hospitals may identify networked medical device cybersecurity concerns under CMS’s emergency-preparedness standards, which require hospitals to complete risk assessments in the form of hazard vulnerability analyses. However, AOs informed OIG that hospitals do not typically identify cybersecurity in risk assessments. In the event a hospital does identify cybersecurity on its hazard vulnerability analysis, that hospital is then required to develop and maintain written emergency-preparedness policies and procedures to reduce and mitigate the risk of any identified cybersecurity vulnerabilities. Such vulnerabilities may or may not include risks to networked medical devices. Absent a hospital identifying cybersecurity in its risk analysis, AOs are not prompted to raise the issue. OIG notes in the Medicare Cybersecurity Issue Brief that one AO reported that 20-25 percent of hospitals did identify cybersecurity, whereas another AO indicated that a minimal number of hospitals in fact did so.
Additionally, OIG isolates the CoPs on medical records and patient rights as a mechanism AOs may utilize to assess hospitals’ networked medical device cybersecurity on the basis that many such devices connect directly to the EHR systems already evaluated under those standards. In response, AOs reported to OIG that their focus under such CoPs is more pointed to EHR systems’ safeguards for protecting privacy and confidentiality – concentrating on passwords, encryption, and access monitoring. Although OIG acknowledged the importance of such safeguards, it stressed that they are not directed to networked medical device cybersecurity. And, although one AO contemplated that networked medical devices may be scrutinized in connection with medical record review, the AO conceded that the opportunity to review networked medical devices in any detail would be limited considering that hospitals are “vigilant about safeguarding patient records.”
CMS and the AOs Do Not Plan to Update Their Survey Requirements to Address Networked Device Cybersecurity or Cybersecurity Generally
At the time of the Medicare Cybersecurity Issue Brief, CMS and the AOs did not plan to update their approaches to oversight of hospitals’ cybersecurity – either for networked medical devices specifically or generally as a whole.
According to OIG, CMS’ position is that it does not plan to revise the CoPs or Interpretive Guidelines to address preventative cybersecurity measures. More specifically, CMS stated that it requires hospitals to comply with the physical-environment CoP, which compels hospitals to maintain facilities, supplies, and equipment to ensure an acceptable level of safety and quality. Per CMS, these requirements necessitate that hospitals maintain networked medical devices in a way that ensures “an acceptable level of safety and quality for patients, including an acceptable and standard level of cybersecurity.”
Likewise, none of the AOs intend to add a requirement for networked medical device cybersecurity to their respective survey protocols. Many of the rationales provided for the resistance to such updates stemmed from CMS – some AOs emphasized CMS’s role in influencing changes to AOs’ survey protocols; one AO asserted it would only include such requirements if CMS added the same to the CoPs; and another emphasized the need for training and guidance to assess compliance if such requirements were in fact added. Additionally, AOs contended that they had doubts over their ability to apply cybersecurity standards to health care and assess the sufficiency of same given their lack of expertise in cybersecurity matters.
OIG Recommends CMS Identify an Appropriate Way to Address Cybersecurity of Networked Medical Devices in its Quality Oversight of Hospitals in Consultation with HHS and Others
Despite CMS’ and the AOs’ outward unwillingness to develop and implement cybersecurity measures for networked medical devices, OIG firmly concludes that such changes are necessary to safeguard against increasing risks of cyberattacks on hospital systems. To this end, OIG recommends that CMS leverage the Interpretive Guidelines to identify the CoP(s) that touch upon cybersecurity of networked medical devices. More specifically, OIG states that CMS could add questions for surveyors to ask Medicare-participating hospitals about their practices or include nonbinding guidance on cybersecurity resources. OIG does concede that AOs are not cybersecurity professionals and that the agency does not expect AOs to directly test the security of networked medical devices. That said, OIG asserts that CMS can leverage existing AO activities related to cybersecurity to inform changes, recommending the following:
- Creating language stating that CMS considers cybersecurity as part of keeping devices in safe operating condition (e.g., utilizing physical-environment CoP standard for equipment maintenance)
- Highlighting the risk that unsecured devices connected to a hospital’s EHR system pose to protected health information (e.g., utilizing CoPs for patient rights and medical records)
- Instructing surveyors to ask hospitals if they considered cybersecurity of networked medical devices when they constructed their hazard vulnerability analyses (e.g., utilizing the emergency-preparedness CoP)
- Reminding hospitals to maintain compliance with HIPAA requirements, including the Security Rule (e.g., utilizing the CoP on Federal, State, and local laws)
OIG also stated that CMS could add standards to existing CoPs, though the agency acknowledged that this option would necessitate that CMS follow the rulemaking process – an admittedly more burdensome process than amending the Interpretive Guidelines.
Under either option, OIG stresses that CMS should work with other HHS partners – FDA, Office for Civil Rights, and the Health Sector Cybersecurity Coordination Center – as well as others outside of the Department including the National Institute of Standards and Technology (“NIST”), the Health Information Trust Alliance (“HITRUST”), and the AOs. As noted above, CMS subsequently concurred with OIG’s recommendation to identify and implement an appropriate mechanism to address cybersecurity of networked medical devices in consultation with HHS partners and others.
Audit Findings Follow Biden Administration Cybersecurity Initiative
Both the Medicare Cybersecurity Issue Brief itself and its inclusion as a key audit finding in the FY 2021 HCFAC Report underscore the current administration’s dedication to comprehensive cybersecurity and data protection measures. More specifically, the OIG audit continues and advances the current administration’s broader data security enforcement goals and objectives established in President Biden’s Executive Order on Improving the Nation’s Cybersecurity executed on May 12, 2021 (“Executive Order”). The Executive Order demonstrates the administration’s position that preventing, detecting, and remediating cybersecurity breaches is a matter of national and economic security. Among other things, the Executive Order calls for the establishment of standard cybersecurity requirements for all federal contracts including (1) breach notification and information sharing requirements for government service providers; (2) the establishment of baseline security standards for the development of software sold to the government by all commercial suppliers; and (3) minimum cybersecurity requirements such as using multifactor authentication and encryption.
Moreover, the audit findings align with the administration’s commitment to combat cybersecurity fraud committed against the federal government, including the Federal healthcare programs. On October 6, 2021, the Department of Justice (“DOJ”) announced that the agency has created a new “Civil Cyber-Fraud Initiative” (“Initiative”) leveraging the authority of the False Claims Act (“FCA”) to bring civil suits against federal contractors, subcontractors, and grant recipients (collectively “government contractors”) who fail to meet their regulatory and contractual cybersecurity obligations. The Initiative is a direct result of the Department’s ongoing comprehensive cyber review ordered by Deputy Attorney General Lisa O. Monaco in May 2021. Led by the DOJ’s Civil Division’s Commercial Litigation Branch, Fraud Section, the Initiative will utilize the FCA to “identify, pursue, and deter cyber vulnerabilities and incidents that arise with government contracts and grants and that put sensitive information and critical government systems at risk.” The DOJ has positioned the new Initiative to leverage its combined expertise in civil fraud enforcement, government procurement, and cybersecurity in its larger mission to combat new and emerging cyber threats.
In carrying out the Initiative, the DOJ indicated that it would pursue those individuals and entities that present cybersecurity threats to the government systems – i.e., those cases where the DOJ views the federal agencies as victims. Specifically, the DOJ identified three types of conduct that will be the focus of FCA enforcement:
- Knowingly providing deficient cybersecurity products or services to the government.
- Knowingly misrepresenting their cybersecurity practices and protocols.
- Knowingly failing to monitor and report cybersecurity incidents and breaches violating regulatory and contractual obligations.
Acting Assistant Attorney General Brian M. Boynton (“Boynton”) provided important insights as to how the DOJ will leverage its resources to utilize the FCA against government contractors in relation to cybersecurity. With respect to the first targeted area of enforcement, Boynton stated that FCA liability under the Initiative was likely to arise from contract terms or agency-specific requirements and government contractors’ knowing failure to meet same. Second, liability may arise from knowing misrepresentations about a system security plan or practices for monitoring systems. Finally, liability may arise from failure to promptly report incidents in accordance with government contract terms. Additionally, DOJ will “work closely on the Initiative with other federal agencies, subject matter experts and its law enforcement partners throughout the government.”
Contact Our Attorneys Today
The attorneys at Kendall PC have over three decades of legal experience serving as general, litigation, and special counsel to a wide variety of regulated industry entities. Our firm offers comprehensive legal services to clients facing regulatory litigation matters, including fraud and abuse government investigations.
To learn how our attorneys can help your company, contact Kendall PC today online or at (484) 414-4093. Our firm proudly serves small, midsized, and emerging businesses throughout the United States and across the globe.