Client Alerts, News Articles & Blog Posts

Everything you need to know about BMD and the industry.

CISA Ransomware Practices

On October 28, 2020, the United States Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning of imminent threats to US hospitals and healthcare providers. The specific threat involves RYUK Ransomware attacks. RYUK is a novel ransomware that goes undetected by commercial anti-virus/malware detection programs. Once deployed, RYUK encrypts all data and disables systems. In short, it cripples all functionality down to phone systems and automated doors. Healthcare providers should alert their employees to remain hyper-vigilant and report any suspicious activity seen in email or on networks. It has been reported healthcare providers in New York, Pennsylvania and Oregon have been targeted in the last 48 hours. If your organization encounters issues, BMD can assist in mobilizing a response team and has contacts with forensic IT firms that are familiar with RYUK. It is advisable to engage professionals with experience dealing with this specific threat.

 

A few practical tips:

Ransomware Best Practices

CISA, FBI and HHS do not recommend paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. In addition to implementing the above network best practices, the FBI, CISA and HHS also recommend the following:

  • Regularly back up data, air gap, and password protect backup copies offline.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.

User Awareness Best Practices:

  • Focus on awareness and training. Because end users are targeted, make employees and stakeholders aware of the threats—such as ransomware and phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.
  • Ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently.

Network Best Practices:

  • Patch operating systems, software, and firmware as soon as manufacturers release updates.
  • Check configurations for every operating system version for HPH organization-owned assets to prevent issues from arising that local users are unable to fix due to having local administration disabled.
  • Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.
  • Use multi-factor authentication where possible.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Implement application and remote access allow listing to only allow systems to execute programs known and permitted by the established security policy.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Audit logs to ensure new accounts are legitimate.
  • Scan for open or listening ports and mediate those that are not needed.
  • Identify critical assets such as patient database servers, medical records and telehealth and telework infrastructure; create backups of these systems and house the backups offline from the network.
  • Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.
  • Set antivirus and anti-malware solutions to automatically update; conduct regular scans.

The full CISA alert can be viewed at: https://us-cert.cisa.gov/ncas/alerts/aa20-302a

The Masks Are Back: New OSHA Regulations for Healthcare Employers

Employment Law After Hours is back with a News Break Episode. Yesterday, OSHA published new rules for healthcare facilities, including hospitals, home health employers, nursing homes, ambulance companies, and assisted living facilities. These new rules are very cumbersome, requiring mask wearing for all employees, even those that are vaccinated. The only exception is for fully vaccinated employees (2 weeks post final dose) who are in a "well-defined" area where there is no reasonable expectation that any person with suspected or confirmed COVID-19 will be present.

New OSHA Guidance for Workplaces Not Covered by the Healthcare Emergency Temporary Standard

On June 10, 2021, OSHA issued an Emergency Temporary Standard (ETS) for occupational exposure to COVID-19, but it applies only to healthcare and healthcare support service workers. For a detailed summary of the ETS applicable to the healthcare industry, please visit https://youtu.be/vPyXmKwOzsk. All employers not subject to the ETS should review OSHA’s contemporaneously released, updated Guidance on Mitigating and Preventing the Spread of COVID-19 in the Workplace. The new Guidance essentially leaves intact OSHA’s earlier guidance, but only for unvaccinated and otherwise at-risk workers (“at-risk” meaning vaccinated or unvaccinated workers with immunocompromising conditions). For fully vaccinated workers, OSHA defers to CDC Guidance for Fully Vaccinated People, which advises that most fully vaccinated people can resume activities without wearing masks or physically distancing, except where required by federal, state, or local laws or individual business policies.

Employer Liability for COVID-19 Vaccine Side Effects

As employers encourage or require employees to obtain a COVID-19 vaccine, they should be aware of OSHA recording obligations and potential workers’ compensation liability. Though OSHA has yet to revise its COVID-19 guidance in response to the latest CDC recommendations, OSHA has revised its position regarding the recording of injury or illness resulting from the vaccine. Until now, OSHA required an employer to record an adverse reaction when the vaccine was required for employees and the injury or illness otherwise met the recording criteria (work-related, a new case, and meets one or more of the general recording criteria). OSHA has reversed course and announced that it will not require recording adverse reactions until at least May 2022, irrespective of whether the employer requires the vaccine as a condition of employment. In its revised COVID-19 FAQs, OSHA states:

The New Rule 1.510 - Radical Change for Summary Judgement Procedure in Florida

In civil litigation, where both sides participate actively, trial is usually required at the end of a long, expensive case to determine a winner and a loser. In federal and most state courts, however, there are a few procedural shortcuts by which parties can seek to prevail in advance of trial, saving time, money and annoyance. The most common of these is the “motion for summary judgment”: a request to the court by one side for judgment before trial, generally on the basis that the evidence available reflects that a win for that party is legally inevitable and thus required. Effective May 1, 2021, summary judgment procedure in Florida has radically changed.

Vacating, Modifying or Correcting an Arbitration Award Under R.C. 2711.13: Three-Month Limitation Maximum; Not Guaranteed Amount of Time

In a recent decision, the Supreme Court of Ohio held that neither R.C. 2711.09 nor R.C. 2711.13 requires a court to wait three months after an arbitration award is issued before confirming the award. R.C. 2711.13 provides that “after an award in an arbitration proceeding is made, any party to the arbitration may file a motion in the court of common pleas for an order vacating, modifying, or correcting the award.” Any such motion to vacate, modify, or correct an award “must be served upon the adverse party or his attorney within three months after the award is delivered to the parties in interest.” In BST Ohio Corporation et al. v. Wolgang, the Court held the three-month period set forth in R.C. 2711.13 is not a guaranteed time period in which to file a motion to vacate, modify, or correct an arbitration award. 2021-Ohio-1785.