October 2, 2020. The National Institute of Standards and Technology (NIST) yesterday published a draft white paper entitled Securing Data Integrity Against Ransomware Attacks: Using the NIST Cybersecurity Framework and NIST Cybersecurity Practice Guides. NIST states: “The National Cybersecurity Center of Excellence (NCCoE) at NIST is actively engaged in helping organizations address the challenge of ransomware and other data integrity events through the Data Integrity projects. These projects help organizations implement technical capabilities that address data integrity issues.” Integrity is defined as “the property that data or information have not been altered or destroyed in an unauthorized manner.” Integrity is also represented by the first “I” in our company name, CAIPHI, which stands for “confidentiality, availability, and integrity of protected health information.”
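The "technical capabilities" NIST refers to include being able to tell when data has been altered or destroyed without authorization. The following is an added illustration, not code from the NIST white paper or from CAIPHI: it records a keyed SHA-256 baseline of a set of files, then reports which files were modified, deleted, or newly dropped, the pattern a ransomware event leaves behind. The sample files, the directory layout, and the `MANIFEST_KEY` constant are all constructed for the example; in practice the key and the signed manifest would be kept off the protected host so that an attacker who alters the files cannot also rewrite the baseline.

```python
"""Added example (not from NIST or CAIPHI): file-integrity baseline and check.

Assumptions, all constructed for this illustration:
- MANIFEST_KEY stands in for a key kept off the protected host (offline vault
  or HSM); it is a constant here only so the example runs stand-alone.
- demo_run() builds a throwaway directory with sample files, so nothing on
  the real filesystem is touched.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

MANIFEST_KEY = b"constructed-demo-key-keep-the-real-one-offline"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large records do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every file under root and sign the listing with an HMAC."""
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            files[p.relative_to(root).as_posix()] = sha256_file(p)
    body = json.dumps(files, sort_keys=True)
    tag = hmac.new(MANIFEST_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"files": files, "hmac": tag}


def manifest_is_authentic(manifest: dict) -> bool:
    """Reject a manifest whose file listing no longer matches its HMAC."""
    body = json.dumps(manifest["files"], sort_keys=True)
    expected = hmac.new(MANIFEST_KEY, body.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["hmac"])


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the current tree against the signed baseline."""
    if not manifest_is_authentic(manifest):
        return {"authentic": False, "modified": [], "missing": [], "added": []}
    current = build_manifest(root)["files"]
    baseline = manifest["files"]
    modified = sorted(n for n in baseline if n in current and baseline[n] != current[n])
    missing = sorted(n for n in baseline if n not in current)
    added = sorted(n for n in current if n not in baseline)
    return {"authentic": True, "modified": modified, "missing": missing, "added": added}


def demo_run() -> dict:
    """Create constructed records, take a baseline, simulate tampering, and report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "records").mkdir()
        (root / "records" / "patient_001.txt").write_text("constructed sample record\n")
        (root / "records" / "patient_002.txt").write_text("another constructed record\n")
        (root / "policy.txt").write_text("emergency plan v1\n")
        baseline = build_manifest(root)

        # Simulated unauthorized change: one record overwritten with unreadable
        # bytes (as encryption would leave it), one document deleted, one
        # unexpected file dropped in.
        (root / "records" / "patient_001.txt").write_bytes(os.urandom(64))
        (root / "policy.txt").unlink()
        (root / "README_DECRYPT.txt").write_text("constructed note\n")
        result = verify_manifest(root, baseline)

        # A manifest rewritten to match the tampered tree fails the HMAC check,
        # so the baseline itself cannot be silently "updated" without the key.
        forged = {"files": build_manifest(root)["files"], "hmac": baseline["hmac"]}
        result["forged_manifest_accepted"] = manifest_is_authentic(forged)
        return result


if __name__ == "__main__":
    print(json.dumps(demo_run(), indent=2))
```

Detection of this kind tells a provider that an integrity event has occurred and which files are affected; recovery still depends on the tested, offline backups that the emergency plan should already require.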
This document describes technical capabilities that should be addressed by the 17 categories of 71,000 Medicare and Medicaid providers and suppliers required to comply with the Centers for Medicare & Medicaid Services (CMS) Emergency Preparedness (EP) Rule, because a ransomware cyberattack is one of the “all hazards” to be considered in the EP Rule risk assessment. The 17 categories of Medicare providers and suppliers are, with the EP “42 CFR” section in parentheses:
- Hospitals (482.15)
- Religious Nonmedical Health Care Institutions (RNHCIs) (403.748)
- Ambulatory Surgical Centers (ASCs) (416.54)
- Hospices (418.113)
- Psychiatric Residential Treatment Facilities (PRTFs) (441.184)
- All-Inclusive Care for the Elderly (PACE) (460.84)
- Transplant Centers (482.78)
- Long-Term Care (LTC) Facilities (483.73)
- Intermediate Care Facilities for Individuals with Intellectual Disabilities (ICF/IID) (483.475)
- Home Health Agencies (HHAs) (484.102)
- Comprehensive Outpatient Rehabilitation Facilities (CORFs) (485.68)
- Critical Access Hospitals (CAHs) (485.625)
- Clinics, Rehabilitation Agencies, and Public Health Agencies as Providers of Outpatient Physical Therapy and Speech-Language Pathology Services (485.727)
- Community Mental Health Centers (CMHCs) (485.920)
- Organ Procurement Organizations (OPOs) (486.360)
- Rural Health Clinics (RHCs) and Federally Qualified Health Centers (FQHCs) (491.12)
- End-Stage Renal Disease (ESRD) Facilities (494.62)
Compliance requires annual survey and certification of compliance with the provisions of the Emergency Preparedness Rule that fall generally into four categories:
- Written emergency plan, including an “all hazards” risk assessment of every type of emergency (e.g., disease outbreak, cyberattack and breach, loss of power, natural disasters—flood, severe storm, tornado, hurricane, fire—and shooting).
- Policies and procedures for responding to an emergency, including evacuation or sheltering in place, and maintaining the safety of workforce members, patients, and residents.
- Communication protocols for contacting all stakeholders involved with the provider or supplier and for participating in community emergency readiness and response activities.
- Training workforce members, patients, and residents on the plan and conducting required tests of the plan, documenting lessons learned, and updating the plan as necessary.
In addition to the core requirements, hospitals, critical access hospitals (CAHs), and long-term care (LTC) facilities (assisted living and skilled nursing) must have an energy source onsite to maintain safe temperatures for patients, residents, and staff sheltering in place during an emergency.
The NIST white paper outlines technical capabilities that will help Medicare and Medicaid providers and suppliers that must comply with the CMS EP Rule to detect and mitigate weaknesses against a variety of cyber hazards, such as the attack that befell Athens Orthopedic, which I described in the September 14, 2020 post on its OCR Resolution Agreement and Corrective Action Plan. Natural disasters may be occasional or seasonal, but cyberattacks are a constant threat: an exploited vulnerability may result in significant harm and financial loss.
CAIPHI has developed a mobile, cloud-based emergency preparedness platform, CyPHIprepare®, a data and document management system that helps healthcare providers comply with the CMS EP Rule. The platform includes appropriate sources of guidance, such as the NIST technical capabilities for cyber hazards referenced above and guidance from CMS, ASPR TRACIE, and the states, for addressing emergency situations across a variety of hazards, and it permits uploading existing emergency response documentation in files that meet specific CMS EP Rule compliance requirements. Access and permissions are role-based, and compliance is easily demonstrated via a color-coded dashboard. The value of CyPHIprepare® is as a tool for mitigating the consequences of unpreparedness that imperil reputation, business sustainability, and finances.
You can see a short 3-minute demonstration of the functionality of CyPHIprepare® at: WATCH.
1) Access the white paper and information related to it online at: https://csrc.nist.gov/publications/detail/white-paper/2020/10/01/securing-data-integrity-against-ransomware-attacks/draft.
2) 45 CFR 164.304.
3) The Centers for Medicare & Medicaid Services (CMS) published in the Federal Register its Emergency Preparedness (EP) Final Rule on September 16, 2016 (https://www.govinfo.gov/content/pkg/FR-2016-09-16/pdf/2016-21404.pdf), and Modifications to the 2016 EP Final Rule on September 30, 2019 (https://www.govinfo.gov/content/pkg/FR-2019-09-30/pdf/2019-20736.pdf). Compliance for each of the Final Rules was November 17, 2017 and November 29, 2019, respectively.
4) ASPR refers to Assistant Secretary for Preparedness and Response of the U.S. Department of Health and Human Services (HHS). TRACIE refers to Technical Resources, Assistance Center, and Information Exchange. Visit https://asprtracie.hhs.gov. CMS EP Rule guidance resources are at https://asprtracie.hhs.gov/cmsrule and at CMS: https://www.cms.gov/Medicare/Provider-Enrollment-and-Certification/SurveyCertEmergPrep/Emergency-Prep-Rule.