Health Information Technology

HHS and American Hospital Association Alert Providers to Act Now on “Citrix Bleed” Vulnerability

Kathie McDonald-McClure Cyber Security and Cyber Crime, Data Privacy & Security, Health Information Technology , , , , , , , ,

The United States Health & Human Services Department (HHS) Health Sector Cybersecurity Coordination Center (HH3) issued an HH3 Sector Alert for a software vulnerability dubbed the “Citrix Bleed“. The HH3 Alert advises on a Citrix security advisory regarding a zero-day vulnerability that impacts the NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (fomerly Citrix Gateway). The HH3 Alert, issued on November 30, 2023, urges healthcare organizations to upgrade their devices to prevent damage to the health sector from cyber attacks, including ransomware.

Per the HH3 Alert, even if the patch that Citrix released for this vulnerability was implemented, Citrix warns that compromised sessions will still be active after the patch is implemented. Organizations should follow the Citrix guidance to upgrade devices and remove any active or persistent sessions with the commands listed in the Alert.

On December 1, 2023, the American Hospital Association (AHA) similarly alerted its members about the Citrix Bleed issuing its own alert titled, “Urgent: Hospital Action Needed to Protect Against ‘Citrix Bleed’ Threat.” AHA also published the following article the same day: “HHS-HC3 calls for immediate hospital action to protect against ‘Citrix Bleed’ vulnerability and ransomware threat.”

In its weekly Medicare MLN Connects news on December 7, 2023, the Centers for Medicare and Medicaid Services (CMS) asks providers to make sure their IT department reads the information and takes necessary action. Providers also should share the HH3 Alert with their network clearinghouse and vendors.

Relatedly, on December 6, 2023, CNN reported that HHS shared exclusively with CNN a plan focused on getting more money and training to small and rural health care providers who lack dedicated cybersecurity staff. CNN reported that Biden administration officials “have long been concerned that software providers continue to sell insecure products that hackers are too easily able to exploit.” Click here to read the full CNN article, titled “US health officials call for surge in funding and support for hospitals in wake of cyberattacks that diverted ambulances,” by Sean Lyngass.

Looking for assistance with your organization’s data security policies? We work with clients and their IT team in the preparation and updating of information security policies and procedures to comply with the HIPAA Security Rule, FTC Safeguards Rule, and more.  Such policies are essential in today’s cyber threats environment to meet the expectations of regulatory enforcement agencies such as the HHS Office for Civil Right and FTC. Information security policies also aide organizations in meeting other legal requirements and expections, e.g., contractual, cyber insurance underwriting, consumer, and other third-parties. If you are looking for assistance in this area, and to learn more about Wyatt’s data privacy and cyber security practice, visit the Wyatt Data Privacy & Cyber Security webpage.

If you need additional information, contact: Kathie McDonald-McClure, kmcclure@wyattfirm.com, at 502.562.7526

HHS Proposed Rule Aligns Regulation on Confidentiality of Substance Use Disorder Treatment Records with HIPAA

Kathie McDonald-McClure data breach; notification, Data Privacy & Security, Health Information Technology, HIPAA , , , , , , , ,

by Kathie McDonald-McClure

UPDATE: On February 16, 2024, HHS published a Final Rule (89 Fed Reg 12472) to amend Part 2 rules on patient confidentiality of SUD records. While the Final Rule’s effective date is April 16, 2024, the deadline for compliance is February 16, 2026. Based on public comments to the Proposed Rule, HHS included further substantive modifications in the Final Rule, which HHS outlines in a Fact Sheet on the Part 2 Final Rule.

On November 28, 2022, the Secretary for the United States Department of Health & Human Services (HHS) released a Proposed Rule to amend the requirements in Title 42, Part 2, on confidentiality of substance use disorder (SUD) patient records in federally assisted Part 2 Programs.  Part 2 protects the confidentiality of SUD patient records (which generally include alcoholism, alcohol abuse, and drug abuse treatment and prevention records) by restricting the circumstances under which Part 2 Programs or other lawful holders can disclose such records.

Continue reading

A Supreme Development in Employer Computer Protection

WyattLLP Data Privacy & Security, Health Information Technology, HITECH Law ,

By: Courtney Samfordcontributing author Blake Sims, Wyatt Summer Associate

This image has an empty alt attribute; its file name is pexels-mikhail-nilov-6930431-1024x617.jpg

Employers commonly supply computer and work devices to employees and state that the electronics may only be used for business related purposes, and employers have always had the ability to discipline employees who violate computer use policies through improper use. In some Federal Court of Appeals Circuits, employers may have been able to rely on threats of criminal and civil liabilities under 18 U.S.C. § 1030 to further deter improper use. On June 3, 2021, however, an evenly split conservative-liberal majority of the Supreme Court reversed the Eleventh Circuit Court of Appeals in Van Buren v. United States, holding that an individual only violates the Section 1030 of Computer Fraud and Abuse Act “when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him.” Van Buren v. United States, No. 19-783 (Sup. Ct. June 3, 2021).

Continue reading

INFORMATION BLOCKING RULE EFFECTIVE APRIL 5, 2021: ARE PROVIDERS READY?

WyattLLP Cures Act and Program Interoperability, Health Information Technology , , , ,

By Kathie McDonald-McClure and Margaret Young Levi

The Information Blocking Final Rule, a provision of the 21st Century Cures Act geared towards ensuring access, exchange and use of electronic health information (EHI), was published on May 1, 2020, and became effective on June 20, 2020.  However, the U.S. Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health IT (ONC) extended the compliance effective dates for the Final Rule several times over the last year—and most providers were hopeful that it would be extended once again—but there are no more delays.  Information Blocking compliance is now effective, as of April 5, 2021.  Health care providers should take immediate steps to ensure compliance.

Continue reading

Federal Agencies Warn of Cyberattacks on U.S. Hospitals

Kathie McDonald-McClure Cyber Security and Cyber Crime, Data Privacy & Security, Electronic Health Records, Health Information Technology , , , , ,

By Margaret Young Levi and Kathie McDonald-McClure

On October 28, 2020,  the Federal Bureau of Investigation (FBI), the U.S. Department of Health and Human Services (HHS), and the Cybersecurity and Infrastructure Security Agency (CISA) issued a Joint Cybersecurity Advisory warning hospitals and the health care community about coordinated ransomware attacks on hospitals designed to steal data and freeze hospital information systems for financial gain. 

Six U.S. hospitals fell victim to this attack on October 27th and the FBI, HHS, and CISA have credible information that more hospitals will be targeted in this attack. The ransomware behind these attacks is known as Ryuk, which utilizes TrickBot malware and other malware to execute the attack. The Ryuk ransomware is designed to allow the cybercriminals to stealthily access, map and move laterally across the victim’s network before encrypting critical data files and deleting connected backups.

Continue reading