On October 28, 2020, the Federal Bureau of Investigation (FBI), the U.S. Department of Health and Human Services (HHS), and the Cybersecurity and Infrastructure Security Agency (CISA) issued a Joint Cybersecurity Advisory warning hospitals and the health care community about coordinated ransomware attacks on hospitals designed to steal data and freeze hospital information systems for financial gain.
Six U.S. hospitals fell victim to this attack on October 27th and the FBI, HHS, and CISA have credible information that more hospitals will be targeted in this attack. The ransomware behind these attacks is known as Ryuk, which utilizes TrickBot malware and other malware to execute the attack. The Ryuk ransomware is designed to allow the cybercriminals to stealthily access, map and move laterally across the victim’s network before encrypting critical data files and deleting connected backups.
by Margaret Young Levi and Kathie McDonald-McClure
Cyber attacks using ransomware have been on the rise during the COVID-19 pandemic. Ransomware, whether it encrypts computer files or locks an entire hard drive, can block access to an organization’s essential operating data, unless the organization can obtain a decryption key. In many if not most cases, a decryption key is only available by paying a ransom to the cybercriminal.
On October 1, 2020, the U.S. Department of the Treasury Office of Terrorism and Financial Intelligenceannounced the issuance of two advisories aimed at fighting ransomware scams and attacks. In making the announcement, Deputy Secretary Justin G. Muzinich said:
Cybercriminals have deployed ransomware attacks against our schools, hospitals, and businesses of all sizes. Treasury will continue to use its powerful tools to counter these malicious cyber actors and their facilitators.
The advisories also warned that those who facilitate ransomware payments may be sanctioned for violating Treasury law and regulations. However, Treasury’s efforts to crack down on ransomware in this way places its victims in the crossfire. Ransomware victims may feel they have no choice but to pay the ransom if this is the only way to regain access to essential data, which is often the case when the most recent data back-up is also attacked and a decryption key is not available by other means. Moreover, paying the ransom may be a matter of public safety. For example, ransomware that locks healthcare providers out of patient electronic medical records, attacks computers that support life-saving medical devices, or that shuts down computers connected to automobiles and other consumer devices, could pose a risk of injury or even death.
Treasury’s Financial Crimes Enforcement Network (FinCEN) issued an advisory, entitled “Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments” (Treasury Advisory). The Treasury Advisory is intended to educate financial institutions and others involved in cyber incident response measures about ransomware trends and indicators of ransomware as well as related money laundering activities. More specifically, the Treasury Advisory addresses the following areas of concern:
According to a recent USA Today article, the Federal Trade Commission (FTC) reported that it had received 83,858 fraud reports this year through August 9th relating to COVID-19 and the economic stimulus packages. Many of these fraud reports are connected to email phishing campaigns that target remote, telework or furloughed employees.
In one type of phishing campaign, scammers send emails to workers telling them that their employment is being terminated as a result of COVID-19 and purports to offer termination package options. These termination email scams provide clickable links inviting the employee to attend a teleconference meeting or to obtain additional information concerning the termination packages. Instead, these links download malicious software or require the employee to enter personal information, such as a Social Security number, in an attempt to steal their identity and ultimately commit financial fraud that harms the employee. Employees who receive a suspicious email telling them they are being terminated should notify their human resources department or other designated person in the organization.
Post-Note: On April 30, 2021, the requirements for hospitals with certain EHR capabilities to send admission, discharge and transfer notifications to other providers went into effect. See CMS webpage, “Policies and Technology for Interoperability and Burden Reduction“.
Last year, we wrote about the CMS Proposed Rule on Hospital EHR “Electronic Patient Event Notifications” in which CMS proposed new Medicare Conditions of Participation (CoPs) for hospitals that will require the hospital to send electronic event notifications to primary care or post-acute care providers identified by the patient when a patient has been admitted, discharged, or transferred (ADT Notifications). ADT Notifications are an outgrowth of the 21st Century CURES Act passed by a bi-partisan majority of Congress and signed into law on December 13, 2016 (CURES Act). The CURES Act contains aggressive goals to promote the interoperability of electronic health records and patient access to their health information.
The objective of ADT Notifications is to improve care coordination and patient outcomes. These ADT Notifications are to be integrated into either the hospital’s interoperable certified electronic health record technology (CEHRT) or other electronic administrative system such as a registration system. An ADT Notification will be required when the patient is:
registered in the Emergency Department (ED) or as an observational stay;
admitted to the hospital (regardless if the patient was admitted from the ED, from an observation stay, or as a direct admission from home, from their practitioner’s office, or as a transfer from some other facility);
transferred from the ED or inpatient care; or
discharged from the ED, observational stay or inpatient services unit.
by Margaret Young Levi and Kathie McDonald-McClure
Federal and state governments have relaxed restrictions on telehealth to encourage and empower medical providers to serve patients at home during the novel coronavirus (COVID-19) national public health emergency (PHE). Both medical providers and patients have embraced this new way of connecting due to its convenience and, as a result, the expanded use of telehealth is likely here to stay. The use of audio and video conferencing for patient care, while convenient, risks an unauthorized disclosure of sensitive information if it is used without due regard for whether the connections are secure.
Following expansion by the U.S. Department of Human Health Services’ Office for Civil Rights (OCR) and the Centers for Medicare and Medicaid Services (CMS) of federal telehealth services and relaxation of certain requirements during the COVID-19 PHE, Kentucky Medicaid followed suit. See our previous postabout Kentucky Medicaid’s expansion of coverage for telehealth.
OCR Relaxes HIPAA enforcement for telehealth during COVID-19 PHE. OCR, the agency responsible for enforcement of HIPAA, issued guidance on its enforcement discretion with regard to certain telehealth practices under HIPAA. This guidance makes it clear that OCR will not enforce penalties for the use of technology that is not HIPAA compliant, when used in the good faith provision of telehealth services.
Under this Notice, covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 PHE.
wyatthitechlaw.com 