The Centers for Medicare and Medicaid Services (“CMS”) issued a final rule on September 8th, 2016 establishing national emergency preparedness requirements for providers and suppliers participating in Medicare and Medicaid in response to “inconsistency in the level of emergency preparedness amongst healthcare providers.” The rule will be officially published in the Federal Register on September 16th, 2016, and providers and suppliers subject to the rule must comply by November 15th, 2017. Notably, CMS describes cyber-attacks as a potential risk to assess when implementing the emergency preparedness requirements.
The rule imposes wide-ranging emergency preparedness obligations on 17 types of providers and suppliers. These obligations consist of four core elements “that are central to an effective and comprehensive framework of emergency preparedness”: risk assessment and emergency planning, policies and procedures, communication plans, and training and testing. Specifically, the rule requires providers and suppliers to:
- Conduct a risk assessment and create an emergency plan based on that assessment;
- Implement policies and procedures in support of the risk assessment and emergency plan;
- Establish a communication plan for staff and other necessary persons in the case of an emergency; and
- Institute training and testing programs, including emergency drills and exercises, for all staff members.
While the rule does not impose specific cyber security requirements on providers and suppliers, CMS advocates an “all-hazards approach” to risk assessment, and references “cyber-attacks” as a possible risk to communication systems. Furthermore, CMS encourages providers and suppliers to “assess whether their specific facility can benefit” from cyber-attack preparedness plans.
Given the increase in cyber-attacks in the medical industry, many providers and suppliers could indeed benefit from cyber-attack preparedness plans. For example, a recent ransomware attack on MedStar Health compromised hundreds of programs and systems across the entire MedStar network at the same time. Staff members of medical facilities affected by such comprehensive attacks could benefit from the preparation, coordination, and training a cyber-attack preparedness plan would provide. In particular, the use of drills and exercises may prepare staff members for the potential difficulties of working during an ongoing cyber-attack.