CMS stresses disaster preparedness in cyber security advisory

A memo on cyber security in healthcare settings was posted Friday

Long-term care providers should consider cyber security when developing and reviewing their emergency-preparedness plans, the Centers for Medicare & Medicaid Services advised in a memo sent Friday.

The notice, shared with state survey agency directors, acknowledged that while the agency's recently released emergency preparedness rule did not specifically address cyber security, providers could still benefit from adopting an “all-hazards approach” to mitigating cyber attacks. The “all-hazards” approach focuses on the capabilities necessary for providers to be ready “for a full spectrum of emergencies or disasters,” CMS said.

Preparing for a cyber attack could help address the disruptions to patient care that can occur when an attack is successful, as well as adverse events such as incomplete discharge instructions, the compromise of personal health information and, in some cases, the closing or suspension of operations in a facility.

The agency also recommended that facility administration review policies and procedures related to cyber attacks, such as when a security breach would require a facility's electronic systems to be shut down, and guidelines for notifying federal and state officials.

CMS also highlighted attack mitigation methods in the memo, including retraining staff to use non-electronic documentation methods, familiarizing staff with the paper-based medication administration record process, and pre-programming contact information into fax machines in the event that computer systems are inaccessible.

CMS' full memo includes additional resources that facilities can use in their cyber-security planning process.