OIG Issues Report Regarding Medicare Oversight of Cybersecurity for Networked Medical Devices in Hospitals — On June 21, 2021, OIG released a report titled “Medicare Lacks Consistent Oversight of Cybersecurity for Networked Medical Devices in Hospitals” (OEI-01-20-00220) (the OIG Report). OIG determined that CMS’s accreditation survey protocol does not include requirements for networked device cybersecurity, and Medicare Accreditation Organizations (AOs) do not employ their discretion to require hospitals to have cybersecurity plans. OIG recommended that CMS take additional steps to address cybersecurity of networked medical devices in its quality oversight of hospitals.
The OIG Report explains that CMS’s survey protocol for overseeing hospitals is silent with respect to the cybersecurity of networked medical devices (i.e., devices designed to connect to the internet, hospital networks, and other medical devices). These devices can be compromised which can lead to patient harm. OIG conducted interviews with various Medicare AOs, and found that the AOs did not use their discretion to require hospitals to have cybersecurity plans. However, AOs sometimes reviewed limited aspects of device cybersecurity. The OIG Report stated that AOs did not plan to update their survey requirements to address such issues.
In light of the increased use of technology in healthcare, as well as the increased cyberattacks on hospitals, OIG recommended that CMS identify and implement an appropriate way to address cybersecurity of networked medical devices in its quality oversight of hospitals in consultation with HHS partners. In response to the OIG Report, CMS stated that it agreed with considering additional ways to highlight the importance of cybersecurity of networked medical devices for providers.
The OIG Report is available here.
Reporter, Lauren S. Gennett, Atlanta, + 1 404 572 3592, email@example.com.
CMS Withdraws Prior Approval for “Must-Work” Requirements in State Medicaid Programs — On June 24, 2021, CMS sent letters to Arizona and Indiana informing them that the agency has revoked its approval of provisions in their state Medicaid demonstration projects that had required adults to be employed as a condition to receiving healthcare through the Medicaid programs. In its letters to Arizona and Indiana notifying them of the change, CMS emphasized that it “has serious concerns about testing policies that create a risk of substantial loss of health care coverage and harm to beneficiaries.” The agency concluded that these community engagement projects were unlikely to promote the objectives of the Medicaid program.
Previously on February 12, 2021, CMS had sent letters to Arizona and Indiana, as well as nine other states, informing them of its preliminary determination that demonstration projects with work requirement components did not further Medicaid’s objectives. That letter gave the states the opportunity to respond. Arizona did not respond to that letter, but Indiana responded by asserting its belief that work requirements promoted the health of Medicaid beneficiaries. Arizona and Indiana have 30 days to appeal CMS’s determination.
CMS has already taken similar action again Arkansas, New Hampshire, Wisconsin, and Michigan, which had each included work requirements in their Medicaid programs.
CMS’s letter to Indiana is available here, and its letter to Arizona is available here.
Reporter, Michelle Huntsman, Houston, +1 713 751 3211, firstname.lastname@example.org.
ALSO IN THE NEWS
King & Spalding Webinar - COVID-19 Litigation and the PREP Act: A Year Later — King & Spalding will host a webinar on July 28, 2021 from 12 p.m. to 1 p.m. ET. This Life Sciences and Healthcare Roundtable webinar will discuss the status of lawsuits against healthcare providers and pharmaceutical and medical device companies involved in responding to the public health emergency posed by the COVID-19 pandemic. Several hundred cases have already been filed against providers, including owners and operators of senior care and other long-term care facilities. Future lawsuits against pharmaceutical and medical device companies involved in the manufacture and distribution of COVID-related medications and devices under Emergency Use Authorization are expected. This webinar will focus on, among other topics, the state of this litigation, lessons learned so far, and the application of the federal Public Readiness and Emergency Preparedness Act of 2005 (the PREP Act) to these lawsuits. The PREP Act immunizes from suit and liability entities involved in the manufacture, testing, development, distribution, administration and use of COVID-19 countermeasures. You can obtain more information and register for the webinar here.
SAVE THE DATE: King & Spalding 30th Annual Health Law & Policy Forum — On Monday, September 20, 2021, from 8:00 am to 5:00 pm, King & Spalding LLP will host the 30th Annual Health Law & Policy Forum at The St. Regis Atlanta. The Health Law & Policy Forum will focus on the foremost legal and political developments impacting the healthcare industry. Further details and registration will be available soon, and capacity will be limited.