The United States Cybersecurity and Infrastructure Security Agency (CISA) has issued a “Shields Up” Alert for every organization in the United States. The Shields Up Alert states that, as a result of the Russian government’s use of cyber as a key component of asserting pressure on a country’s government, military and population, “[e]very organization in the United States is at risk from cyber threats that can disrupt essential services and potentially result in impacts to public safety.” The Shields Up Alert sets forth specific recommended actions for organizations to take, regardless of size, to:
Reduce the likelihood of a damaging cyber intrusion,
Quickly detect a potential intrusion,
Ensure the organization is prepared to respond to an intrusion, and
Maximize the the organization’s resilence to a destructive cyber incident.
On December 11, 2021, the United States Cybersecurity & Infrastructure Security Agency (CISA), issued a Statement regarding what it called a “critical vulnerability affecting products containing the log4j software library”. This Statement emphasizes that end users are reliant on their vendors to inform them about the vulnerabilities and to develop patches to protect against the vulnerabilities. Separately, CISA established a webpage for Apache Log4j Vulnerability Guidance that CISA is continually updating to impart further guidance and vendor information as they become available. End users should be on the lookout for critical patches from their vendors.
According to the CISA Guidance, the Log4j vulnerability is being widely exploited by a growing set of malicious actors to steal information, launch ransomware attacks, or conduct other malicious activity such as taking over a company server to mine cryptocurrency. At least 10 major technology vendors have issued statements that one or more of their products have been affected by the Log4j vulnerability: Cisco, IBM, VMware, Amazon Web Services (AWS), Fortinet, Broadcom, ConnectWise, HCL Connections, N-Able, and Okta. On December 15, 2021, the Microsoft 365 Defender Threat Intelligence Team reported that a new family of ransomware, called Khonsari, is being deployed via the Log4j vulnerability on non-Microsoft hosted servers.
UKG, Inc., a company that provides payroll support services known as KRONOS for many U.S. companies, began notifying its customers on December 12, 2021, that the KRONOS Private Cloud (KPC) had been attacked by ransomware. (See UKG Kronos Private Cloud Status Updates.) The KPC products include Workforce Central, TeleStaff, Healthcare Extensions and Banking Scheduling Solutions. UKG reports that the KPC solutions may be unavailable for “several weeks.” Affected companies are diligently working to find alternative solutions to process their payrolls in the interim. UKG has created a KPC Incident Resource Hub to assist customers impacted by the KPC disruption in services.
The American Hospital Association (AHA) reported that the ransomware attack has impacted many hospitals and health systems that rely on KRONOS for timekeeping, scheduling and payroll. John Riggi, AHA’s Senior Advisor for Cybersecurity and Risk, said, “A lack of the availability of those services could be quite disruptive for health care providers, many of whom are experiencing surges of COVID-19 and flu patients. … This attack once again highlights the need for robust third-party risk management programs that identify mission-critical dependencies and downtime preparedness. … [W]e urge all third-party providers that serve the health care community to examine their cyber readiness, response and resiliency capabilities.”
In addition to the immediate payroll issues, if the ransomware attack compromises employee personal information, then it may trigger a data breach notification for these employers under state breach notification laws.
On September 15, 2021, the Federal Trade Commission (FTC) issued a Policy Statement cautioning that health apps and connected devices that collect or use consumers’ health information must comply with the Health Breach Notification Rule and notify consumers when their health data is breached.
The Health Breach Notification Rule (codified at 16 C.F.R. § 318) protects individually identifiable health information created or received by vendors of personal health records. The Rule requires vendors of personal health records to notify U.S. consumers, the FTC, and sometimes the media when there has been a breach of security of unsecured identifiable health information. Persons that fail to comply with the Rule may be subject to monetary penalties of up to $43,792 per violation, per day.
The Health Breach Notification Rule became effective in 2009, but the FTC has not enforced it to date. However, because health care applications continue to proliferate and to collect increasingly personal and sensitive health information, the FTC issued this Policy Statement to place health apps on notice that the Rule will be enforced going forward and to clarify that they are considered to be “vendors of personal health records” covered under the Rule.
The FTC explains that the developer of a health app or connected device is considered a “vendor of personal health records” under the Rule if it is capable of drawing information from multiple sources, such as a combination of direct inputting by a consumer, syncing with a consumer’s fitness tracker, or even interfacing with the phone calendar. The Rule does not apply to vendors of personal health records who are already covered by HIPAA.
In addition, the FTC reminds vendors of personal health records that a “breach of security” is not limited to cyberattacks by third parties, but includes any acquisition of identifiable health information of an individual in a personal health record without the individual’s authorization. The FTC states that “[i]ncidents of unauthorized access, including sharing of covered information without an individual’s authorization, triggers notification obligations under the Rule.”
If a breach occurs, then health apps should examine state data breach notification laws to determine if they apply as well.
On September 30, 2021, the Office for Civil Rights (OCR) issued welcome guidance concerning when the Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to disclosures and requests for information about whether a person has received a COVID-19 vaccine—and when it does not apply.
The guidance aims to clear up misperceptions about who can ask questions about vaccination. In general, OCR reminds that HIPAA only applies to HIPAA covered entities, such as health care providers (physicians, hospitals, etc.) and health plans, and it does not apply to employers or employment records. The guidance addresses common workplace situations, provides helpful examples, and answers frequently asked questions for HIPAA covered entities, businesses, and the public.
HIPAA does not prohibit businesses, individuals, or HIPAA covered entities from asking whether their customers or clients have received a COVID-19 vaccine. HIPAA does not prohibit any person, whether an individual or a business or a HIPAA covered entity, from asking individuals whether they have received a COVID-19 vaccine. First, OCR makes it clear that HIPAA only applies to HIPAA covered entities, and it does not apply to other individuals or entities. Second, even though HIPAA regulates how and when HIPAA covered entities may use or share information about COVID-19 vaccinations, it does not limit the ability of covered entities to ask patients or visitors whether they have been vaccinated.
The guidance clarifies that HIPAA does not apply when an individual:
Is asked about their vaccination status by a school, employer, store, restaurant, entertainment venue, or another individual.
Asks another individual, their doctor, or a service provider whether they are vaccinated.
Asks a company, such as a home health agency, whether its workforce members are vaccinated.