Client Alerts, News Articles & Blog Posts

Everything you need to know about BMD and the industry.

CISA Ransomware Practices

On October 28, 2020, the United States Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning of imminent threats to US hospitals and healthcare providers. The specific threat involves RYUK Ransomware attacks. RYUK is a novel ransomware that goes undetected by commercial anti-virus/malware detection programs. Once deployed, RYUK encrypts all data and disables systems. In short, it cripples all functionality down to phone systems and automated doors. Healthcare providers should alert their employees to remain hyper-vigilant and report any suspicious activity seen in email or on networks. It has been reported healthcare providers in New York, Pennsylvania and Oregon have been targeted in the last 48 hours. If your organization encounters issues, BMD can assist in mobilizing a response team and has contacts with forensic IT firms that are familiar with RYUK. It is advisable to engage professionals with experience dealing with this specific threat.

 

A few practical tips:

Ransomware Best Practices

CISA, FBI and HHS do not recommend paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. In addition to implementing the above network best practices, the FBI, CISA and HHS also recommend the following:

  • Regularly back up data, air gap, and password protect backup copies offline.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.

User Awareness Best Practices:

  • Focus on awareness and training. Because end users are targeted, make employees and stakeholders aware of the threats—such as ransomware and phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.
  • Ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently.

Network Best Practices:

  • Patch operating systems, software, and firmware as soon as manufacturers release updates.
  • Check configurations for every operating system version for HPH organization-owned assets to prevent issues from arising that local users are unable to fix due to having local administration disabled.
  • Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.
  • Use multi-factor authentication where possible.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Implement application and remote access allow listing to only allow systems to execute programs known and permitted by the established security policy.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Audit logs to ensure new accounts are legitimate.
  • Scan for open or listening ports and mediate those that are not needed.
  • Identify critical assets such as patient database servers, medical records and telehealth and telework infrastructure; create backups of these systems and house the backups offline from the network.
  • Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.
  • Set antivirus and anti-malware solutions to automatically update; conduct regular scans.

The full CISA alert can be viewed at: https://us-cert.cisa.gov/ncas/alerts/aa20-302a

Vaccination Considerations for Employers

Today, three Covid-19 vaccines have tested as highly effective (90%+ efficacy) and are advancing in the process for emergency use. This is especially welcome news in Ohio, which has skyrocketing cases and our strategic response has been to turn the entire state into the small town of Bomont with strict curfews and bans on social gatherings.

Did You Receive More than $750,000 in Provider Relief Funds?

The Provider Relief Funds (“PRF”) - authorized under the CARES Act - has been a vital tool for health care providers during the COVID-19 public health emergency. These funds have allowed providers to stay open and continue to offer care during these pressing times. While helpful, these funds do come with several important obligations. First, fund recipients are required to comply with certain record-keeping requirements as well as comply with certain balance billing prohibitions. See our Client Alert. Second, fund recipients are required to report their intent, use of funds, and other data elements, which helps promote transparency to the federal government. Please see our Client Alert on provider relief fund reporting requirements. Third, and perhaps a new concept for many providers, fund recipients of more than $750,000 must undergo a “single audit” to ensure program compliance and appropriate use of funds.

Important Updates Every Provider Should Know: Information Blocking

In December 2016, Congress passed the 21st Century Cures Act (“Cures Act”) which: (1) authorized funding for the National Institutes of Health to promote medical research and drug development, (2) implemented provisions aimed at addressing the prevention and treatment of mental illness and substance abuse, and (3) reformed certain standards of the Medicare program and federal tax laws to foster healthcare access and quality improvement.

PPP Update: Loan Necessity Questionnaires

On October 26, 2020, the Small Business Administration (“SBA”) published a notice in the Federal Register which foreshadowed the release of two new forms seeking information from for-profit and nonprofit organizations that received Paycheck Protection Program (“PPP”) loans of $2 million or more. If approved, the SBA would use information from these forms to evaluate and determine whether economic uncertainty made a PPP loan request necessary.

Exposure to COVID-19 Flow Chart

Exposure to COVID-19 Flow Chart