Quality, Safety & Oversight Group - Emergency Preparedness Homeland Security Threats
Guidance for Surveyors, Providers and Suppliers for Natural Disaster Preparedness regarding Homeland Security Threats, including cyber threats.
Issued by: Centers for Medicare & Medicaid Services (CMS)
Issue Date: January 05, 2018
Homeland Security threats, such as cyber-attacks, can have a massive impact on healthcare organizations and lead to a complete shutdown of operations. Attacks such as ransomware, as experienced by several healthcare facilities since 2016, further emphasize the need for healthcare organizations to strengthen their information security systems to better protect confidential and personally identifiable information (PII).
Currently, CMS emergency preparedness Conditions of Participation/Conditions for Coverage (CoPs/CfCs) require Medicare-participating facilities to have emergency plans based on an all-hazards approach. CMS defines “all-hazards” as an integrated approach to emergency preparedness that focuses on identifying hazards and developing emergency preparedness capacities and capabilities that can address those as well as a wide spectrum of emergencies or disasters. This approach includes preparedness for natural, man-made, and/or facility-specific emergencies that may include, but are not limited to: care-related emergencies; equipment and power failures; interruptions in communications including cyber-attacks; loss of a portion, or all, of a facility; and interruptions in the normal supply of essentials, such as water and food. An all-hazards approach emergency preparedness plan should also include emerging infectious disease (EID) threats.
While not specifically required by regulations, facilities should consider implementing effective antivirus software and electronic security systems to detect, prevent, and protect against malware (malicious and disruptive software) and viruses, which are commonly used in cyber-attacks, so that they do not disrupt and sometimes completely disable facility information systems.
Cyber/information security systems are crucial for preventing cyber-attacks on facility information systems, protecting PII, and ultimately keeping patients safe by ensuring the continuity of critical treatment and care.
For additional information and resources on emergency preparedness, response, and cyber-security, please use the downloadable materials and related links provided here.