Compliance with July 1 CMS Interoperability Rule Deadline May Pose Ransomware Risk

In recent months, the word “ransomware” has moved from a topic discussed only among cybersecurity professionals to a term used at dinner tables and water coolers across the country. Simultaneously, in the healthcare space, hospitals, healthcare systems, and payers are scrambling to meet the July 1, 2021 deadline for the first wave of interoperability and patient access requirements included in the final rule issued by the Centers for Medicare & Medicaid Services in June of 2020.

As system interoperability and connectivity increase, so does the risk of ransomware. Cybersecurity experts agree that one of the initial defenses against widespread ransomware is via network segmentation. Segmenting a network means, for example, ensuring that an organization’s IT environment is created in a manner where patient-facing technology does not interact with software running medical equipment. However, compliance with the Interoperability and Patient Access final ruling significantly impairs an organization’s ability to segment its network and exposes the organization to an increased risk of ransomware attacks.

To mitigate some of the risks while still complying with the Interoperability and Patient Access rule, we suggest companies do the following:

  • Frequent Backup – the more frequently data is backed up, the less power ransomware has over an organization. Losing an hour of data is much less harmful than losing a month.
  • Segmented and Encrypted Backup Encryption – although the rule makes it difficult to segment production environments, it does not prevent segmenting backup data. Companies should ensure that the backups are also encrypted to provide an additional layer of defense.
  • Thorough Vendor Review – an organization’s security is only as strong as its weakest link, and no complex healthcare ecosystem can exist without the use of third-party vendors. Therefore, vendors should be thoroughly vetted and investigated prior to onboarding to ensure that the security procedures do not introduce unnecessary risk into the technology environment.
  • Scoping for Clarity, Cooperation, and Root Cause Analysis – ensure that each of your vendors has an obligation to cooperate with both the organization and other third parties (even competitors) to determine the root cause of an intrusion so that it can be addressed as quickly as possible.
  • Vendor Contracting – once a legal contract is signed, everything else evaporates. Therefore, all contracts should have security requirements that reflect the organization’s minimum standard. These provisions usually are very particular and include specific obligations regarding audit logs, endpoint detection, virus scan, vulnerabilities, and patching.

At AGG, we have extensive experience creating and negotiating legal documentation for technology, including those with very specific and detailed security requirements. Please reach out to Lori L. Wright with any questions.