Resources

Client Alerts, News Articles, Blog Posts, & Multimedia

Everything you need to know about BMD and the industry.

CISA Ransomware Practices

Client Alert
October 29, 2020

On October 28, 2020, the United States Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning of imminent threats to US hospitals and healthcare providers. The specific threat involves RYUK Ransomware attacks. RYUK is a novel ransomware that goes undetected by commercial anti-virus/malware detection programs. Once deployed, RYUK encrypts all data and disables systems. In short, it cripples all functionality down to phone systems and automated doors. Healthcare providers should alert their employees to remain hyper-vigilant and report any suspicious activity seen in email or on networks. It has been reported healthcare providers in New York, Pennsylvania and Oregon have been targeted in the last 48 hours. If your organization encounters issues, BMD can assist in mobilizing a response team and has contacts with forensic IT firms that are familiar with RYUK. It is advisable to engage professionals with experience dealing with this specific threat.

 

A few practical tips:

Ransomware Best Practices

CISA, FBI and HHS do not recommend paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. In addition to implementing the above network best practices, the FBI, CISA and HHS also recommend the following:

  • Regularly back up data, air gap, and password protect backup copies offline.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.

User Awareness Best Practices:

  • Focus on awareness and training. Because end users are targeted, make employees and stakeholders aware of the threats—such as ransomware and phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.
  • Ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently.

Network Best Practices:

  • Patch operating systems, software, and firmware as soon as manufacturers release updates.
  • Check configurations for every operating system version for HPH organization-owned assets to prevent issues from arising that local users are unable to fix due to having local administration disabled.
  • Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.
  • Use multi-factor authentication where possible.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Implement application and remote access allow listing to only allow systems to execute programs known and permitted by the established security policy.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Audit logs to ensure new accounts are legitimate.
  • Scan for open or listening ports and mediate those that are not needed.
  • Identify critical assets such as patient database servers, medical records and telehealth and telework infrastructure; create backups of these systems and house the backups offline from the network.
  • Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.
  • Set antivirus and anti-malware solutions to automatically update; conduct regular scans.

The full CISA alert can be viewed at: https://us-cert.cisa.gov/ncas/alerts/aa20-302a

CybersecurityRansomwareinfrastructureUser SecurityUser Awarenessbest practicesRYUKCISA
Client Alert

Substance Use Disorder Providers: 42 CFR Part 2 Now Enforceable

April 15, 2026Updates to 42 CFR Part 2 are now enforceable, bringing significant changes to how substance use disorder (SUD) records are handled. The Final Rule aligns Part 2 more closely with HIPAA, introduces updated penalties, allows a single patient consent for treatment, payment, and operations, and adds new requirements for Notices of Privacy Practices. It also creates a formal definition of SUD counseling notes and imposes strict consent requirements for their use and disclosure. Providers should review and update policies to ensure compliance.Client Alert

AAA Introduces AI-Assisted Arbitrator for Certain Disputes

April 7, 2026The American Arbitration Association has introduced an AI-assisted arbitration platform designed to streamline certain document-based disputes. While a human arbitrator still makes the final decision, the technology can improve efficiency, reduce costs, and accelerate case resolution. Companies should weigh these benefits against considerations such as transparency, risk, and contractual requirements before adopting AI-assisted arbitration.Client Alert

Quiet Hours Texts and TCPA Claims: Consent Remains King as Courts Divide on Text Messages

March 31, 2026Businesses face increasing TCPA lawsuits over off-hours marketing texts, but recent court decisions highlight strong defenses. Clear consumer consent and updated terms and conditions can defeat many claims, while a growing number of courts are finding that text messages are not “telephone calls” under the statute. Proactive compliance measures, including clickwrap agreements and forum-selection clauses, are critical to reducing risk.Client Alert

New Ohio Reporting Requirements for Non-Residential Contractors

March 18, 2026Ohio’s E-Verify Workforce Integrity Act, effective March 19, 2026, requires all nonresidential construction companies, subcontractors, and labor brokers to use E-Verify to confirm employee work eligibility on projects across the state. The law applies regardless of company size and carries financial penalties and potential restrictions on future state contracts for noncompliance. Some uncertainty remains around requirements for existing employees, making early compliance planning important.Client Alert

DOT Non-Domiciled CDL Rule

March 11, 2026A new rule from the Federal Motor Carrier Safety Administration (FMCSA) will significantly narrow eligibility for non-domiciled Commercial Driver’s Licenses (CDLs) beginning March 16, 2026. The rule limits eligibility to holders of H-2A, H-2B, and E-2 visas and eliminates Employment Authorization Documents (EADs) as qualifying proof of work authorization. As a result, many lawfully present and work-authorized immigrants, including refugees, asylees, DACA recipients, and Temporary Protected Status holders, will no longer be able to obtain or renew a non-domiciled CDL. The change is expected to affect roughly 194,000 drivers nationwide and has prompted multiple legal challenges, including a pending emergency stay request before the United States Court of Appeals for the District of Columbia Circuit.
Older posts