Resources

Client Alerts, News Articles, Blog Posts, & Multimedia

Everything you need to know about BMD and the industry.

CISA Ransomware Practices

On October 28, 2020, the United States Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning of imminent threats to US hospitals and healthcare providers. The specific threat involves RYUK Ransomware attacks. RYUK is a novel ransomware that goes undetected by commercial anti-virus/malware detection programs. Once deployed, RYUK encrypts all data and disables systems. In short, it cripples all functionality down to phone systems and automated doors. Healthcare providers should alert their employees to remain hyper-vigilant and report any suspicious activity seen in email or on networks. It has been reported healthcare providers in New York, Pennsylvania and Oregon have been targeted in the last 48 hours. If your organization encounters issues, BMD can assist in mobilizing a response team and has contacts with forensic IT firms that are familiar with RYUK. It is advisable to engage professionals with experience dealing with this specific threat.

 

A few practical tips:

Ransomware Best Practices

CISA, FBI and HHS do not recommend paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. In addition to implementing the above network best practices, the FBI, CISA and HHS also recommend the following:

  • Regularly back up data, air gap, and password protect backup copies offline.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.

User Awareness Best Practices:

  • Focus on awareness and training. Because end users are targeted, make employees and stakeholders aware of the threats—such as ransomware and phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.
  • Ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently.

Network Best Practices:

  • Patch operating systems, software, and firmware as soon as manufacturers release updates.
  • Check configurations for every operating system version for HPH organization-owned assets to prevent issues from arising that local users are unable to fix due to having local administration disabled.
  • Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.
  • Use multi-factor authentication where possible.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Implement application and remote access allow listing to only allow systems to execute programs known and permitted by the established security policy.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Audit logs to ensure new accounts are legitimate.
  • Scan for open or listening ports and mediate those that are not needed.
  • Identify critical assets such as patient database servers, medical records and telehealth and telework infrastructure; create backups of these systems and house the backups offline from the network.
  • Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.
  • Set antivirus and anti-malware solutions to automatically update; conduct regular scans.

The full CISA alert can be viewed at: https://us-cert.cisa.gov/ncas/alerts/aa20-302a

Explosive Growth in Pot of Gold Opportunity for Bank (and Other) Cannabis Lenders Driving Erosion of the Barriers

Our original article on bank lending to the cannabis industry anticipated that the convergence of interest between banks and the cannabis industry would draw more and larger banks to the industry. Banks were awash in liquidity with limited deployment options, while bankable cannabis businesses had rapidly growing needs for more and lower cost credit. Since then, the pot of gold opportunity for banks to lend into the cannabis industry has grown exponentially due to a combination of market constraints on equity causing a dramatic shift to debt and the ever-increasing capital needs of one of the country’s fastest growing industries. At the same time, hurdles to entry of new banks are being systematically cleared as the yellow brick road to the cannabis industry’s access to the financial markets is being paved, brick by brick, by the progressively increasing number and size of banks that are now entering the market.

2021 EEOC Charge Statistics: Retaliation & Impact of Remote Work

The U.S. Equal Employment Opportunity Commission (EEOC) released its detailed information on workplace discrimination charges it received in 2021. Unsurprisingly, for the second year in a row, the total number of charges decreased as COVID-19 either shut down workplaces or disconnected employees from each other. In 2021, the agency received a total of approximately 61,000 workplace discrimination charges - the fewest in 25 years by a wide margin. For reference, the agency received over 67,000 charges in 2020, and averaged almost 90,000 charges per year over the previous 10 years.

Ohio’s Managed Care Overhaul Delayed – New Implementation Timeline

At the direction of Governor Mike DeWine, the Ohio Department of Medicaid (ODM) launched the Medicaid Managed Care Procurement process in 2019. ODM’s stated vision for the procurement was to focus on people and not just the business of managed care. This is the first structural change to Ohio’s managed care system since the Centers for Medicare & Medicaid Services' (CMS) approval of Ohio’s Medicaid program in 2005. Initially, all of the new managed care programs were supposed to be implemented starting on July 1, 2022. However, ODM Director Maureen Corcoran recently confirmed that this date will be pushed back for several managed care-related programs.

Laboratory Specimen Collection Arrangements with Contract Hospitals - OIG Advisory Opinion 22-09

On April 28, 2022, the Department of Health and Human Services, Office of Inspector General (“OIG”) published an Advisory Opinion[1] in which it evaluated a proposed arrangement where a network of clinical laboratories (the “Requestor”) would compensate hospitals (each a “Contract Hospital”) for specimen collection, processing, and handling services (“Collection Services”) for laboratory tests furnished by the Requestor (the “Proposed Arrangement”). The OIG concluded that the Proposed Arrangement would generate prohibited remuneration under the federal Anti-Kickback Statute (“AKS”) if the requisite intent were present. This is due to both the possibility that the proposed per-patient-encounter fee would be used to induce or reward referrals to Requestor and the associated risk of improperly steering patients to Requestor.

Property Owner Protection from Tax Valuation Challenges

New legislation provides significant new protections for commercial property owners against challenges to valuation primarily by local school boards and prohibiting side agreements to avoid tax valuation changes. The Ohio Legislature has approved House Bill 126 which will go into effect July 2022 but will effectively apply to the 2023 tax valuation year.