Federal Agencies Warn of Cyberattacks on U.S. Hospitals

By Margaret Young Levi and Kathie McDonald-McClure

On October 28, 2020,  the Federal Bureau of Investigation (FBI), the U.S. Department of Health and Human Services (HHS), and the Cybersecurity and Infrastructure Security Agency (CISA) issued a Joint Cybersecurity Advisory warning hospitals and the health care community about coordinated ransomware attacks on hospitals designed to steal data and freeze hospital information systems for financial gain. 

Six U.S. hospitals fell victim to this attack on October 27th and the FBI, HHS, and CISA have credible information that more hospitals will be targeted in this attack. The ransomware behind these attacks is known as Ryuk, which utilizes TrickBot malware and other malware to execute the attack. The Ryuk ransomware is designed to allow the cybercriminals to stealthily access, map and move laterally across the victim’s network before encrypting critical data files and deleting connected backups.

Network Best Practices. The Joint Cybersecurity Advisory provides some practical precautions that health care providers can put in place to protect their networks from these threats:

  • Patch operating systems, software, and firmware as soon as manufacturers release updates.
  • Check configurations for every operating system version to prevent issues from arising that local users are unable to fix due to having local administration disabled.
  • Regularly change passwords to network systems and accounts.
  • Do not reuse the same password for different accounts.
  • Use multi-factor authentication where possible.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Ensure that your remote access and application “block lists” and “allow lists” are up-to-date so that only those programs and individuals with permission can access your system.
  • Audit user accounts with administrative privileges and configure access controls with minimum necessary privileges in mind.
  • Audit logs to ensure new accounts are legitimate.
  • Scan for open or listening ports and address ports that are not needed. (Ports are your network’s gateways for internet data exchange. There are 65,535 TCP ports and 65,535 UDP ports. Cybercriminals scan these ports to find access into your network and you should too!)
  • Identify the critical data assets on your network and ensure that backups of these assets are not connected to the network 24-7 and the most recent backup is housed offline from the network.
  • Implement network segmentation to secure sensitive data.  For example, sensitive data files should not reside on the same server as email.
  • Set antivirus and anti-malware solutions to automatically update; conduct regular scans.

End User Awareness and Training. As pointed out in the Joint Cybersecurity Advisory, a best practice includes focusing on user awareness and training. Because end users are the most common targets, ensure employees and stakeholders are aware of ransomware and phishing scams and how they are delivered. To ensure that you can timely mitigate the risk and deploy your data security incident response plan, ensure employees and stakeholders know who to contact if they see suspicious activity or believe they are a victum of an attack.

Addressing the Ransom Demand. The Joint Cybersecurity Advisory also includes information on what to immediately do when a ransomware attack is discovered.  In particular, it advises not paying ransoms.  For more information about this read our article on the Wyatt HITECH Law blog discussing two new Treasury Department advisories issued on October 1, 2020 about the risks of paying ransoms and the potential for sanctions when doing so.

The Wyatt Data Incident Response Team has prepared “Six Tips” on responding to a cybersecurity incident within the first 24-48 hours. For more information on Wyatt’s Data Privacy & Security Incident Response Team see our Data Privacy & Incident Response Team brochure and visit the Data Incident Response Team tab on this blog.

The EPCS Mandate: Kentucky Requires Electronic Prescribing Of Controlled Substances

by Lindsay K. Scott

In an ongoing effort to battle the opioid crisis, Kentucky House Bill 342 was signed into law on March 26, 2019.  This bill created a new statute, KRS 218A.182, to require that all prescriptions for controlled substances be submitted electronically, unless certain exceptions apply (the “EPCS Mandate”).  Effective January 1, 2021, practitioners who prescribe controlled substances to be dispensed by a Kentucky pharmacy must issue the prescription electronically (“e-prescribe”) directly to the pharmacy unless an exception applies. Continue reading

CMS Proposed Rule on Hospital EHR “Electronic Patient Event Notifications”

By Kathie McDonald-McClure and Margaret Young Levi

Doctor Speaking with Patient

Summary: CMS proposes new Medicare Conditions of Participation (CoPs) for hospitals that will require the hospital EHR to send electronic event notifications to post-acute care providers when a patient has been admitted, discharged, or transferred.  What must hospitals do, and how much time is needed, to operationalize the new CoPs, considering a process will need to be developed that identifies providers who should and can receive these event notices? What will be required, and how much time is needed, to reconfigure EHRs to send the notifications and demonstrate compliance with the multiple facets of the CoP?  Will PAC providers be obligated to operationalize the receipt and use of these notifications under the IMPACT Act?  CMS is seeking stakeholder input on its proposal, including a reasonable time frame for implementation. Comments are due June 3, 2019.* Continue reading

Ransomware Attack on Allscripts’ Cloud-Based EHR and E-Prescribing Platforms: What Providers Need to Know

pexels-photo-263370.jpegBy Kathie McDonald-McClure

What Happened. According to several healthcare news sources, on Thursday, January 18, 2018, Allscripts experienced a ransomware attack on the computer servers that host the Allscripts cloud-based EHR and the Allscripts cloud-based Electronic Prescriptions for Controlled Substances (“EPCS”) platform. Allscripts did not pay the ransom because it had recent data backups that were unaffected by the attack.¹

Initial Impact on Allscripts’ Clients. The EPCS reportedly was restored on Saturday, January 20, 2018. The EHR system reportedly continued to be adversely affected through at least Monday, January 22, 2018, with some providers still reporting log-in issues through Wednesday, January 24, 2018. Allscripts held a conference call with providers in which it advised providers that they may continue to experience usage interruptions with the cloud-based products until Allscripts completed a roll-out of security updates. During down times, Allscripts urged providers to use the Allscripts mobile solution (only available on the iPhone) to view medical histories and schedules but acknowledged that providers would be unable to Continue reading

Can blockchain technology solve healthcare IT security and interoperability challenges?

On March 20-21, 2017, multiple healthcare technology companies came together in Washington, D.C. to host The Healthcare Blockchain Summit.  Blockchain, the technology that underpins bitcoin technology, keeps data secure in a “distributed, encrypted ledger” while allowing control over who can access that ledger.  This is the hottest technology being discussed today as a way to secure confidential or sensitive data.

The on-line technology publication, Wired, describes blockchain’s security method in a February 1, 2017 article as follows: “Rather than having one central administrator that acts as a gatekeeper to data—a list of digital transactions—there’s one shared ledger, but it’s spread across a Continue reading