CISA/NCSC Joint Alert Warns of APT Groups Targeting Healthcare and Essential Services

by Margaret Young Levi and Kathie McDonald-McClure

On May 5, 2020, the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) issued a joint alert warning of techniques that advanced persistent threat (APT) groups are using to exploit the COVID-19 pandemic.

APT groups target and exploit organizations responding to COVID-19, such as healthcare organizations, pharmaceutical companies, universities, medical research organizations, and local governments. These groups seek to steal “bulk personal information, intellectual property, and intelligence that aligns with national priorities.” For example, pharmaceutical companies, medical research organizations, and universities have been targeted in order to steal sensitive research into COVID-19-related medicine for both commercial and governmental benefit.

These cybercriminals employ a variety of techniques to steal data.

Continue reading

Data Security in the “New Normal” of Teleworking

By Margaret Young Levi and Kathie McDonald-McClure

The 2020 worldwide pandemic will go down in the history books much like the 1918 Spanish Flu.  One big difference between then and now: the technology that has enabled millions of us to remain moderately productive “at work” from the comfort of our homes.  Welcome to the “new normal” of telework.  Being comfy at work in yoga pants – saving time by not having to dress for “the office” as we once knew it.  Shorter commutes, with coffee refills only steps away in the “breakroom” – our kitchens.  Staying connected to our co-workers, clients and work associates in Brady Bunch style, creating a little mystique with virtual backgrounds on Zoom, Microsoft Teams or WebEx video conferencing platforms.

As relaxed as we may be in the new normal of teleworking, it’s not a time to relax when it comes to being vigilant in securing the confidences of our employers, employees, clients or customers.  Teleworking brings new technology challenges:  learning new software and conferencing programs, managing confidential paper documents, and protecting electronic data.  And since our homes are now an extension of our offices, these challenges may create additional exposure for employers. As office workers and healthcare providers switched to telework and telehealth under state stay-at-home orders, malicious cyber actors were ramping up to take advantage of the security gaps that would inevitably accompany such a sudden transition. Wyatt data privacy counsel offer practical tips to protect employer and client data, as well as personal information, in the new normal of telework.

Continue reading

CMS Issues COVID-19 Related Extension of the Deadline for Hospitals to Implement Electronic Patient Event Notifications

by Margaret Young Levi and Kathie McDonald-McClure

Last year, we wrote about the CMS Proposed Rule on Hospital EHR “Electronic Patient Event Notifications” in which CMS proposed new Medicare Conditions of Participation (CoPs) for hospitals that will require the hospital to send electronic event notifications to primary care or post-acute care providers identified by the patient when a patient has been admitted, discharged, or transferred (ADT Notifications).  ADT Notifications are an outgrowth of the 21st Century CURES Act passed by a bi-partisan majority of Congress and signed into law on December 13, 2016 (CURES Act). The CURES Act contains aggressive goals to promote the interoperability of electronic health records and patient access to their health information.

The objective of ADT Notifications is to improve care coordination and patient outcomes. These ADT Notifications are to be integrated into either the hospital’s interoperable certified electronic health record technology (CEHRT) or other electronic administrative system such as a registration system. An ADT Notification will be required when the patient is:

  • registered in the Emergency Department (ED) or as an observational stay;
  • admitted to the hospital (regardless if the patient was admitted from the ED, from an observation stay, or as a direct admission from home, from their practitioner’s office, or as a transfer from some other facility);
  • transferred from the ED or inpatient care; or
  • discharged from the ED, observational stay or inpatient services unit.
Continue reading

Audio-Video Conferencing Risks and Tips for Healthcare Providers

by Margaret Young Levi and Kathie McDonald-McClure

Federal and state governments have relaxed restrictions on telehealth to encourage and empower medical providers to serve patients at home during the novel coronavirus (COVID-19) national public health emergency (PHE). Both medical providers and patients have embraced this new way of connecting due to its convenience and, as a result, the expanded use of telehealth is likely here to stay.  The use of audio and video conferencing for patient care, while convenient, risks an unauthorized disclosure of sensitive information if it is used without due regard for whether the connections are secure. 

Following expansion by the U.S. Department of Human Health Services’ Office for Civil Rights (OCR) and the Centers for Medicare and Medicaid Services (CMS) of federal telehealth services and relaxation of certain requirements during the COVID-19 PHE, Kentucky Medicaid followed suit.  See our previous post about Kentucky Medicaid’s expansion of coverage for telehealth. 

OCR Relaxes HIPAA enforcement for telehealth during COVID-19 PHE.  OCR, the agency responsible for enforcement of HIPAA, issued guidance on its enforcement discretion with regard to certain telehealth practices under HIPAA.  This guidance makes it clear that OCR will not enforce penalties for the use of technology that is not HIPAA compliant, when used in the good faith provision of telehealth services.

Under this Notice, covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 PHE. 

Continue reading

FBI Issues New COVID-19 Cyber Alert for Healthcare Providers on April 21, 2020

On April 21, 2020, the American Hospital Association alerted its members that the Federal Bureau of Investigations (FBI) had issued an FBI Flash to update healthcare providers on additional cyber activity* that continues to exploit fears related to the COVID-19 pandemic. The FBI stated that it had been notified of targeted email phishing attempts against US-based medical providers. The phishing attempts use subject lines and content related to COVID-19 and distribute malicious attachments. Individuals or companies receiving email with unsolicited attachments that may be a phishing attempt should NOT open the email or email attachment if the individual or the company does not have the capability to examine the attachment in a controlled and safe manner.

FBI Alert provides technical details. The FBI Flash provides technical details about the phishing campaign to assist individuals and company IT personnel in identifying the malicious emails. The technical details include a list of email senders, email subject lines, attachment file names and hashes related to the phishing attempts.

The FBI Requests Assistance to Respond to the Threat. To assist in the FBI’s response to the COVID-19 phishing campaign, the targeted individual, or his or her company, is being asked to:

Continue reading