Compliance with July 1 CMS Interoperability Rule Deadline May Pose Ransomware Risk | Arnall Golden Gregory LLP

In recent months, the word “ransomware” has moved from a topic discussed only among cybersecurity professionals to a term used at dinner tables and water coolers across the country. Simultaneously, in the healthcare space, hospitals, healthcare systems, and payers are scrambling to meet the July 1, 2021 deadline for the first wave of interoperability and patient access requirements included in the final rule issued by the Centers for Medicare & Medicaid Services in June of 2020.

As system interoperability and connectivity increase, so does the risk of ransomware. Cybersecurity experts agree that one of the initial defenses against widespread ransomware is network segmentation. Segmenting a network means, for example, building an organization’s IT environment so that patient-facing technology does not interact with the software running medical equipment. However, compliance with the Interoperability and Patient Access final rule significantly impairs an organization’s ability to segment its network and exposes the organization to an increased risk of ransomware attacks.

To mitigate some of the risks while still complying with the Interoperability and Patient Access rule, we suggest companies do the following:

  • Frequent Backup – the more frequently data is backed up, the less power ransomware has over an organization. Losing an hour of data is much less harmful than losing a month.
  • Segmented and Encrypted Backups – although the rule makes it difficult to segment production environments, it does not prevent segmenting backup data. Companies should also ensure that backups are encrypted to provide an additional layer of defense.
  • Thorough Vendor Review – an organization’s security is only as strong as its weakest link, and no complex healthcare ecosystem can exist without the use of third-party vendors. Therefore, vendors should be thoroughly vetted and investigated prior to onboarding to ensure that their security procedures do not introduce unnecessary risk into the technology environment.
  • Scoping for Clarity, Cooperation, and Root Cause Analysis – ensure that each of your vendors has an obligation to cooperate with both…