Alston & Bird Privacy, Cyber & Data Strategy Blog

Centers for Medicare and Medicaid Services Issues Emergency Preparedness Requirements That Address Cyber-Attacks

September 14, 2016 By Privacy, Cyber & Data Strategy Team

The Centers for Medicare and Medicaid Services (“CMS”) issued a final rule on September 8th, 2016 establishing national emergency preparedness requirements for providers and suppliers participating in Medicare and Medicaid in response to “inconsistency in the level of emergency preparedness amongst healthcare providers.”  The rule will be officially published in the Federal Register on September 16th, 2016, and providers and suppliers subject to the rule must comply by November 15th, 2017.  Notably, CMS describes cyber-attacks as a potential risk to assess when implementing the emergency preparedness requirements.

The rule imposes wide-ranging emergency preparedness obligations on 17 types of providers and suppliers.  These obligations consist of four core elements “that are central to an effective and comprehensive framework of emergency preparedness”:  risk assessment and emergency planning, policies and procedures, communication plans, and training and testing.  Specifically, the rule requires providers and suppliers to:

  • Conduct a risk assessment and create an emergency plan based on that assessment;
  • Implement policies and procedures in support of the risk assessment and emergency plan;
  • Establish a communication plan for staff and other necessary persons in the case of an emergency; and
  • Institute training and testing programs, including emergency drills and exercises, for all staff members.

While the rule does not impose specific cyber security requirements on providers and suppliers, CMS advocates an “all-hazards approach” to risk assessment, and references “cyber-attacks” as a possible risk to communication systems.  Furthermore, CMS encourages providers and suppliers to “assess whether their specific facility can benefit” from cyber-attack preparedness plans.

Given the increase in cyber-attacks in the medical industry, many providers and suppliers could indeed benefit from cyber-attack preparedness plans.  For example, a recent ransomware attack on MedStar Health compromised hundreds of programs and systems across the entire MedStar network at the same time.  Staff members of medical facilities affected by such comprehensive attacks could benefit from the preparation, coordination, and training a cyber-attack preparedness plan would provide.  In particular, the use of drills and exercises may prepare staff members for the potential difficulties of working during an ongoing cyber-attack.

Filed Under: Cyber Risk, Data Security, Regulation

This blog is a service of Alston & Bird’s Privacy, Cyber & Data Strategy team and focuses on key data privacy and data security issues.

