<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Security, Privacy and the Law</title>
	<atom:link href="http://www.securityprivacyandthelaw.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.securityprivacyandthelaw.com</link>
	<description>Foley Hoag LLP</description>
	<lastBuildDate>Wed, 13 Mar 2024 17:43:12 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.4.3</generator>
	<item>
		<title>Change Healthcare Cyberattack: Actionable Next Steps for Impacted Entities</title>
		<link>http://www.securityprivacyandthelaw.com/2024/03/change-healthcare-cyberattack-actionable-next-steps-for-impacted-entities/</link>
					<comments>http://www.securityprivacyandthelaw.com/2024/03/change-healthcare-cyberattack-actionable-next-steps-for-impacted-entities/#respond</comments>
		
		<dc:creator><![CDATA[Colin Zick]]></dc:creator>
		<pubDate>Wed, 13 Mar 2024 17:43:12 +0000</pubDate>
				<category><![CDATA[Ransomware]]></category>
		<category><![CDATA[ransomeware]]></category>
		<category><![CDATA[threat]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[Healthcare]]></category>
		<category><![CDATA[cyberattack]]></category>
		<category><![CDATA[CMS]]></category>
		<guid isPermaLink="false">https://www.securityprivacyandthelaw.com/?p=2577</guid>

					<description><![CDATA[<p>Key Takeaways:</p>
<ul>
<li>Change Healthcare, a healthcare technology company owned by UnitedHealth Group, has been impacted by a ransomware attack, so its services have been shut down.</li>
<li>Patients and providers have been most severely impacted by this incident—some patients are being forced to pay out of pocket for medications, and many providers have not been able to submit claims.</li>
<li>Entities that have been impacted by this ransomware attack can take actionable steps outlined below to avoid further disruptions.&#8230;</li>
</ul>
<p><a class="read-more" href="http://www.securityprivacyandthelaw.com/2024/03/change-healthcare-cyberattack-actionable-next-steps-for-impacted-entities/">More</a></p>
<p>The post <a href="http://www.securityprivacyandthelaw.com/2024/03/change-healthcare-cyberattack-actionable-next-steps-for-impacted-entities/">Change Healthcare Cyberattack: Actionable Next Steps for Impacted Entities</a> first appeared on <a href="http://www.securityprivacyandthelaw.com">Security, Privacy and the Law</a>.</p>]]></description>
										<content:encoded><![CDATA[<p><strong>Key Takeaways:</strong></p>
<ul>
<li>Change Healthcare, a healthcare technology company owned by UnitedHealth Group, has been impacted by a ransomware attack, so its services have been shut down.</li>
<li>Patients and providers have been most severely impacted by this incident—some patients are being forced to pay out of pocket for medications, and many providers have not been able to submit claims.</li>
<li>Entities that have been impacted by this ransomware attack can take actionable steps outlined below to avoid further disruptions.</li>
</ul>
<p>___________________________________________________</p>
<p><u><strong>Change Healthcare Cyberattack</strong></u></p>
<p>On February 21, 2024, Change Healthcare—a healthcare technology company owned by UnitedHealth Group—issued a <a href="https://www.unitedhealthgroup.com/ns/changehealthcare.html" target="_blank" rel="noopener" data-cke-saved-href="https://www.unitedhealthgroup.com/ns/changehealthcare.html">statement</a> that it had been impacted by a ransomware attack. According to Change Healthcare, a “threat actor” gained access to its system. As a result of this cyberattack, Change Healthcare’s services have been shut down.<a href="https://www.securityprivacyandthelaw.com/wp-content/uploads/sites/8/2024/03/Cybersecurity_689x388.png"><img decoding="async" class="alignright size-medium wp-image-2579" src="https://www.securityprivacyandthelaw.com/wp-content/uploads/sites/8/2024/03/Cybersecurity_689x388-300x169.png" alt="" width="300" height="169" srcset="https://www.securityprivacyandthelaw.com/wp-content/uploads/sites/8/2024/03/Cybersecurity_689x388-300x169.png 300w, https://www.securityprivacyandthelaw.com/wp-content/uploads/sites/8/2024/03/Cybersecurity_689x388.png 689w" sizes="(max-width: 300px) 100vw, 300px" /></a></p>
<p>To provide perspective on the magnitude of this attack and its impact, Change Healthcare serves as the largest healthcare payment system in the U.S. Change Healthcare reportedly manages approximately 15 billion clinical, financial, and operational transactions per year. Specifically, it manages healthcare technology pipelines that process insurance claims and billing. For those reasons, the <a href="https://www.aha.org/press-releases/2024-03-05-aha-statement-hhs-response-change-healthcare-cyberattack" target="_blank" rel="noopener" data-cke-saved-href="https://www.aha.org/press-releases/2024-03-05-aha-statement-hhs-response-change-healthcare-cyberattack">American Hospital Association</a> (AHA) has characterized this attack as “the most significant and consequential incident of its kind against the U.S. healthcare system in history.”</p>
<p>Healthcare professionals depend on this system to verify insurance coverage and file claims for reimbursement. Accordingly, the effects of this cyberattack are far-reaching. Providers and patients have been most severely impacted by this incident. Some patients are being forced to pay out of pocket for medications. Further, many providers have not been able to submit claims, so a critical portion of the revenue cycle process has come to a halt.</p>
<p>While a specific timeline to restore the services was not provided during the initial stages of the attack, Change Healthcare has since publicly <a href="https://www.unitedhealthgroup.com/newsroom/2024/2024-03-07-uhg-update-change-healthcare-cyberattack.html" target="_blank" rel="noopener" data-cke-saved-href="https://www.unitedhealthgroup.com/newsroom/2024/2024-03-07-uhg-update-change-healthcare-cyberattack.html">stated</a> that electronic prescribing is now fully functional along with claim submission and payment transmission. Change Healthcare has also <a href="https://www.unitedhealthgroup.com/newsroom/2024/2024-03-07-uhg-update-change-healthcare-cyberattack.html" target="_blank" rel="noopener" data-cke-saved-href="https://www.unitedhealthgroup.com/newsroom/2024/2024-03-07-uhg-update-change-healthcare-cyberattack.html">stated</a> electronic payment functionality will become available on March 15, 2024. Lastly, with respect to medical claims, Change Healthcare expects to reestablish connectivity to its claim network and software on March 18, 2024.</p>
<p>Currently, the U.S. Department of Health and Human Services (<a href="https://www.hhs.gov/about/news/2024/03/05/hhs-statement-regarding-the-cyberattack-on-change-healthcare.html" target="_blank" rel="noopener" data-cke-saved-href="https://www.hhs.gov/about/news/2024/03/05/hhs-statement-regarding-the-cyberattack-on-change-healthcare.html">HHS</a>) and other entities are monitoring and assessing the impact of this cyberattack on providers and suppliers. Recently, the Centers for Medicare &amp; Medicaid Services (<a href="https://www.cms.gov/newsroom/fact-sheets/change-healthcare/optum-payment-disruption-chopd-accelerated-payments-part-providers-and-advance" target="_blank" rel="noopener" data-cke-saved-href="https://www.cms.gov/newsroom/fact-sheets/change-healthcare/optum-payment-disruption-chopd-accelerated-payments-part-providers-and-advance">CMS</a>) announced that it will accelerate payments for Medicare Part A providers and Part B suppliers. Further, <a href="https://www.cms.gov/newsroom/press-releases/cms-statement-continued-action-respond-cyberattack-change-healthcare" target="_blank" rel="noopener" data-cke-saved-href="https://www.cms.gov/newsroom/press-releases/cms-statement-continued-action-respond-cyberattack-change-healthcare">CMS</a> has directed Medicare Administrative Contractors (MACs) to expedite actions needed for providers and suppliers to change the clearinghouse they use and accept paper claims. MACs have issued information to the public on how to submit a request for a Medicare accelerated advance payment.</p>
<p>This incident has exposed the fragility of the U.S. healthcare ecosystem and, more importantly, the need to strengthen the cybersecurity infrastructure of healthcare organizations.</p>
<p><u><strong>Entities That May Be Impacted</strong></u></p>
<p>Hospitals, physicians, pharmacists, and other healthcare providers may be impacted by this ransomware attack. Providers, such as physicians and hospitals, may not be able to submit or process insurance claims and, thereby, risk facing significant cash flow problems. Pharmacies may not be able to obtain pertinent information necessary to fill prescriptions. And patients may not be able to submit claims and fill prescriptions.</p>
<p>If you use the Change Healthcare platform, your organization may have been impacted either directly or indirectly. Identifying whether your organization has been impacted is the first step in taking action to avoid further disruptions.</p>
<p><u><strong>Actionable Next Steps </strong></u></p>
<p>Entities that have been impacted by this ransomware attack can take the following steps:</p>
<ul>
<li>Monitor <a href="https://www.hhs.gov/about/news/index.html" target="_blank" rel="noopener" data-cke-saved-href="https://www.hhs.gov/about/news/index.html">HHS</a>, <a href="https://www.cms.gov/about-cms/contact/newsroom" target="_blank" rel="noopener" data-cke-saved-href="https://www.cms.gov/about-cms/contact/newsroom">CMS</a>, and <a href="https://www.aha.org/press-release" target="_blank" rel="noopener" data-cke-saved-href="https://www.aha.org/press-release">AHA</a> advisories for pertinent updates.</li>
<li>Communicate with payors to determine how to best circumvent compromised Change Healthcare applications.</li>
<li>Review HIPAA compliance programs and take other steps to prepare for a potential breach or regulatory investigation (such as conducting internal audits and running tabletop exercises to simulate the impact of a breach).</li>
</ul>
<p>Foley Hoag’s Healthcare and Privacy &amp; Data Security practices can assist you with payment challenges and security compliance or incident response matters, to allow you to navigate concerns surrounding the Change Healthcare security incident.</p><p>The post <a href="http://www.securityprivacyandthelaw.com/2024/03/change-healthcare-cyberattack-actionable-next-steps-for-impacted-entities/">Change Healthcare Cyberattack: Actionable Next Steps for Impacted Entities</a> first appeared on <a href="http://www.securityprivacyandthelaw.com">Security, Privacy and the Law</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>http://www.securityprivacyandthelaw.com/2024/03/change-healthcare-cyberattack-actionable-next-steps-for-impacted-entities/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>U.S. Department of Energy Releases Cybersecurity Baselines for Utilities and DERs</title>
		<link>http://www.securityprivacyandthelaw.com/2024/03/u-s-department-of-energy-releases-cybersecurity-baselines-for-utilities-and-ders/</link>
					<comments>http://www.securityprivacyandthelaw.com/2024/03/u-s-department-of-energy-releases-cybersecurity-baselines-for-utilities-and-ders/#respond</comments>
		
		<dc:creator><![CDATA[Carol Holahan]]></dc:creator>
		<pubDate>Wed, 06 Mar 2024 17:24:39 +0000</pubDate>
				<category><![CDATA[Cybersecurity & Cybercrime]]></category>
		<category><![CDATA[Energy]]></category>
		<category><![CDATA[Security Programs & Policies]]></category>
		<category><![CDATA[Security & Privacy Alerts]]></category>
		<guid isPermaLink="false">https://www.securityprivacyandthelaw.com/?p=2573</guid>

					<description><![CDATA[<p>As part of the Biden Administration’s efforts to align energy cybersecurity efforts across the country, the U.S. Department of Energy (“DOE”) has funded the release of a set of energy distribution cybersecurity baselines for entities participating in the nationwide grid transition.</p>
<p>On February 22, 2024, the DOE <a href="https://www.energy.gov/ceser/articles/new-doe-funded-initiative-outlines-proposed-cybersecurity-baselines-electric" target="_blank" rel="noopener">announced</a> its support for the release of <a href="https://pubs.naruc.org/pub/35247A70-0C45-9652-C6D9-99A77C87200F?_gl=1*1ansiha*_ga*MTA0NTg5OTk5MS4xNzA5MTQ3MjQx*_ga_QLH1N3Q1NF*MTcwOTE0NzI0MS4xLjAuMTcwOTE0NzI0MS4wLjAuMA.." target="_blank" rel="noopener">cybersecurity baselines</a> for electric distribution systems and distributed energy resources (“DERs”).&#8230; <a class="read-more" href="http://www.securityprivacyandthelaw.com/2024/03/u-s-department-of-energy-releases-cybersecurity-baselines-for-utilities-and-ders/">More</a></p>
<p>The post <a href="http://www.securityprivacyandthelaw.com/2024/03/u-s-department-of-energy-releases-cybersecurity-baselines-for-utilities-and-ders/">U.S. Department of Energy Releases Cybersecurity Baselines for Utilities and DERs</a> first appeared on <a href="http://www.securityprivacyandthelaw.com">Security, Privacy and the Law</a>.</p>]]></description>
										<content:encoded><![CDATA[<p>As part of the Biden Administration’s efforts to align energy cybersecurity efforts across the country, the U.S. Department of Energy (“DOE”) has funded the release of a set of energy distribution cybersecurity baselines for entities participating in the nationwide grid transition.</p>
<p>On February 22, 2024, the DOE <a href="https://www.energy.gov/ceser/articles/new-doe-funded-initiative-outlines-proposed-cybersecurity-baselines-electric" target="_blank" rel="noopener">announced</a> its support for the release of <a href="https://pubs.naruc.org/pub/35247A70-0C45-9652-C6D9-99A77C87200F?_gl=1*1ansiha*_ga*MTA0NTg5OTk5MS4xNzA5MTQ3MjQx*_ga_QLH1N3Q1NF*MTcwOTE0NzI0MS4xLjAuMTcwOTE0NzI0MS4wLjAuMA.." target="_blank" rel="noopener">cybersecurity baselines</a> for electric distribution systems and distributed energy resources (“DERs”). The initiative was funded by the DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (“CESER”) in partnership with the National Association of Regulatory Utility Commissioners (“NARUC”). The baselines name minimum voluntary standards that DER operators, utilities, and other electric distribution systems should meet to help mitigate cybersecurity risk and enhance grid security. The announced baselines conclude “Phase 1” of a two-phase initiative, with “Phase 2” set to advise entities of strategies for implementing and adopting the baselines over the next year.</p>
<p>The <a href="https://www.securityprivacyandthelaw.com/2023/07/biden-administration-publishes-the-national-cybersecurity-strategy-implementation-plan/" target="_blank" rel="noopener">National Cybersecurity Strategy</a>, issued in 2023, identified energy cybersecurity as an area for the DOE’s attention as the grid becomes increasingly <a href="https://foleyhoag.com/news-and-insights/media-center/2023/july/cloe-pippin-quoted-on-energy-sectors-cybersecurity-vulnerabilities/" target="_blank" rel="noopener">distributed</a> and <a href="https://www.securityprivacyandthelaw.com/2023/06/cyberattacks-on-the-energy-sector-continue-to-rise/" target="_blank" rel="noopener">vulnerable</a> to both <a href="https://www.securityprivacyandthelaw.com/2023/05/physical-and-cyber-attacks-on-energy-infrastructure-expected-to-continue/" target="_blank" rel="noopener">physical and cyber-attacks</a>. The current regulatory approach, which entails state-level oversight of energy cybersecurity for DER operators and utilities, puts the grid at risk due to a lack of alignment across states. Phase 1 of this initiative provides states with uniform nationwide cybersecurity baselines that they may meet to become aligned with the <a href="https://www.securityprivacyandthelaw.com/2021/07/biden-issues-memorandum-aimed-at-improving-cybersecurity/" target="_blank" rel="noopener">U.S.’ energy cybersecurity approach</a>, rather than relying on the <a href="https://foleyhoag.com/news-and-insights/media-center/2023/april/chris-hart-discusses-the-us-national-cybersecurity-strategy-with-securityweek/">existing patchwork regulatory framework</a>.</p>
<p>Phase 1 of this initiative is merely a singular step in what should be a nationwide effort to secure the grid as it becomes integrated with DERs, including wind and solar energy. The National Cybersecurity Strategy is expected to produce additional federal initiatives around energy cybersecurity in light of <a href="https://www.securityprivacyandthelaw.com/2022/04/cisa-fbi-and-doe-release-joint-cybersecurity-advisory-in-light-of-increased-threats-to-energy-sectors-cybersecurity/" target="_blank" rel="noopener">increased threats to the energy sector</a>.</p>
<p>Takeaways:</p>
<ul>
<li>Though the baselines are voluntary, states that adopt them will be in greater alignment with nationwide efforts to secure the electric grid and better positioned to collaborate across the public and private sectors.</li>
<li>The baselines are also best practices for entities’ individual cybersecurity efforts, including securing the supply chain, implementing strong IT practices, detecting threats, and detecting and reporting incidents.</li>
<li>In the near term, utilities and DER providers should review their current compliance with the announced baselines and prepare initial strategies to meet them ahead of the Phase 2 announcement in the coming year.</li>
<li>In the long term, such entities should focus on meeting or exceeding the baselines, bearing in mind that future DOE initiatives may enforce stronger mandates than those currently in effect.</li>
</ul><p>The post <a href="http://www.securityprivacyandthelaw.com/2024/03/u-s-department-of-energy-releases-cybersecurity-baselines-for-utilities-and-ders/">U.S. Department of Energy Releases Cybersecurity Baselines for Utilities and DERs</a> first appeared on <a href="http://www.securityprivacyandthelaw.com">Security, Privacy and the Law</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>http://www.securityprivacyandthelaw.com/2024/03/u-s-department-of-energy-releases-cybersecurity-baselines-for-utilities-and-ders/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>The Federal Communications Commission Updates Its Data Breach Rules</title>
		<link>http://www.securityprivacyandthelaw.com/2023/12/the-federal-communications-commission-updates-its-data-breach-rules/</link>
					<comments>http://www.securityprivacyandthelaw.com/2023/12/the-federal-communications-commission-updates-its-data-breach-rules/#respond</comments>
		
		<dc:creator><![CDATA[Colin Zick]]></dc:creator>
		<pubDate>Tue, 26 Dec 2023 17:59:37 +0000</pubDate>
				<category><![CDATA[Government Enforcement]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Cybersecurity & Cybercrime]]></category>
		<category><![CDATA[Legislation & Regulation]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Federal Communications Commission]]></category>
		<category><![CDATA[rules]]></category>
		<category><![CDATA[incident]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[reporting]]></category>
		<category><![CDATA[harm]]></category>
		<category><![CDATA[FCC]]></category>
		<category><![CDATA[breach]]></category>
		<guid isPermaLink="false">https://www.securityprivacyandthelaw.com/?p=2569</guid>

					<description><![CDATA[<p>On <a href="https://www.fcc.gov/document/fcc-adopts-updated-data-breach-notification-rules-protect-consumers-0">December 21</a>, 2023, the Federal Communications Commission released an order updating its data breach rules.  These updated rules require telecommunications providers to report breaches of customer proprietary network information, such as numbers that have been dialed and when they have been dialed, but also require reporting of personally-identifiable information (PII), such as driver&#8217;s license numbers, Social Security numbers, and credit card numbers.  The new FCC rules also require companies to report accidental breaches,&#8230; <a class="read-more" href="http://www.securityprivacyandthelaw.com/2023/12/the-federal-communications-commission-updates-its-data-breach-rules/">More</a></p>
<p>The post <a href="http://www.securityprivacyandthelaw.com/2023/12/the-federal-communications-commission-updates-its-data-breach-rules/">The Federal Communications Commission Updates Its Data Breach Rules</a> first appeared on <a href="http://www.securityprivacyandthelaw.com">Security, Privacy and the Law</a>.</p>]]></description>
<content:encoded><![CDATA[<p>On <a href="https://www.fcc.gov/document/fcc-adopts-updated-data-breach-notification-rules-protect-consumers-0">December 21</a>, 2023, the Federal Communications Commission released an order updating its data breach rules.  These updated rules require telecommunications providers to report breaches of customer proprietary network information, such as numbers that have been dialed and when they have been dialed, but also require reporting of personally-identifiable information (PII), such as driver&#8217;s license numbers, Social Security numbers, and credit card numbers.  The new FCC rules also require companies to report accidental breaches, a significant change from the prior rules, which only required notification for intentional disclosures, such as when a company was tricked or bribed by a bad actor into revealing consumer information.</p>
<p>The FCC&#8217;s order also treats breaches as presumptively causing harm—including emotional harm and other harms not directly related to identity theft or financial fraud.  This presumption can be overcome, however, if a data custodian can show there was no harm; by making such a showing, a custodian can avoid notifying consumers.  Providers who are required to notify affected consumers must do so “without unreasonable delay” and must provide such notice within 30 days after reasonably determining that a breach has occurred.</p>
<p>The FCC&#8217;s new rules also contain a safe harbor for data breach reporting:  no reporting is required if the breached data has been encrypted and there is definitive evidence that the encryption key was not also compromised (in other words, there is no harm that can come to consumers).</p>
<p class="para">The FCC is just the latest federal agency to move forward with new breach reporting obligations, despite the Biden Administration’s attempts to harmonize such requirements. The FCC&#8217;s action follows on the heels of the Securities and Exchange Commission <a class="link" href="https://www.bloomberglaw.com/product/blaw//citation/BNA%200000018abe1fdc10a59afeff2c270000">final rule</a> requiring businesses to report cyberattacks to the agency within four days of determining the scope of compromise and the Federal Trade Commission&#8217;s recent updates to its breach reporting rules.  The FCC acknowledged that it declined to take action to harmonize with the Cyber Incident Reporting for Critical Infrastructure Act of 2022, or CIRCIA, which requires the Cybersecurity and Infrastructure Security Agency to publish a proposed rule by March 2024; as such, the burden of making sense of the regulatory maze continues to fall on those companies subject to these regulations.</p><p>The post <a href="http://www.securityprivacyandthelaw.com/2023/12/the-federal-communications-commission-updates-its-data-breach-rules/">The Federal Communications Commission Updates Its Data Breach Rules</a> first appeared on <a href="http://www.securityprivacyandthelaw.com">Security, Privacy and the Law</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>http://www.securityprivacyandthelaw.com/2023/12/the-federal-communications-commission-updates-its-data-breach-rules/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>FBI and CISA Issue Advisory on Scattered Spider Ransomware Attacks</title>
		<link>http://www.securityprivacyandthelaw.com/2023/11/fbi-and-cisa-issue-advisory-on-scattered-spider-ransomware-attacks/</link>
					<comments>http://www.securityprivacyandthelaw.com/2023/11/fbi-and-cisa-issue-advisory-on-scattered-spider-ransomware-attacks/#respond</comments>
		
		<dc:creator><![CDATA[Colin Zick]]></dc:creator>
		<pubDate>Mon, 27 Nov 2023 21:05:53 +0000</pubDate>
				<category><![CDATA[Ransomware]]></category>
		<category><![CDATA[CISA]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[FBI]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<guid isPermaLink="false">https://www.securityprivacyandthelaw.com/?p=2563</guid>

					<description><![CDATA[<p>Key Takeaways:</p>
<ul>
<li>The Federal Bureau of Investigation (FBI) and Cybersecurity &#38; Infrastructure Security Agency (CISA) have jointly issued a cybersecurity advisory in response to recent activity by the threat actor group known as Scattered Spider.</li>
<li>Scattered Spider is known to target large companies holding sensitive data – including financial services, telecommunications, business process outsourcing, hospitality, and cryptocurrency firms – for ransomware attacks.</li>
<li>Scattered Spider largely relies upon impersonating IT support professionals and manipulating target company employees into sharing passwords or running malicious executables through remote access software.&#8230;</li>
</ul>
<p><a class="read-more" href="http://www.securityprivacyandthelaw.com/2023/11/fbi-and-cisa-issue-advisory-on-scattered-spider-ransomware-attacks/">More</a></p>
<p>The post <a href="http://www.securityprivacyandthelaw.com/2023/11/fbi-and-cisa-issue-advisory-on-scattered-spider-ransomware-attacks/">FBI and CISA Issue Advisory on Scattered Spider Ransomware Attacks</a> first appeared on <a href="http://www.securityprivacyandthelaw.com">Security, Privacy and the Law</a>.</p>]]></description>
										<content:encoded><![CDATA[<p><strong>Key Takeaways:</strong></p>
<ul>
<li>The Federal Bureau of Investigation (FBI) and Cybersecurity &amp; Infrastructure Security Agency (CISA) have jointly issued a cybersecurity advisory in response to recent activity by the threat actor group known as Scattered Spider.</li>
<li>Scattered Spider is known to target large companies holding sensitive data – including financial services, telecommunications, business process outsourcing, hospitality, and cryptocurrency firms – for ransomware attacks.</li>
<li>Scattered Spider largely relies upon impersonating IT support professionals and manipulating target company employees into sharing passwords or running malicious executables through remote access software.</li>
</ul>
<p>____________________________________________________________________</p>
<p><a href="https://www.securityprivacyandthelaw.com/wp-content/uploads/sites/8/2023/11/Privacy_689x388.jpeg"><img loading="lazy" decoding="async" class="alignright size-medium wp-image-2564" src="https://www.securityprivacyandthelaw.com/wp-content/uploads/sites/8/2023/11/Privacy_689x388-300x169.jpeg" alt="" width="300" height="169" srcset="https://www.securityprivacyandthelaw.com/wp-content/uploads/sites/8/2023/11/Privacy_689x388-300x169.jpeg 300w, https://www.securityprivacyandthelaw.com/wp-content/uploads/sites/8/2023/11/Privacy_689x388.jpeg 689w" sizes="(max-width: 300px) 100vw, 300px" /></a>Large companies holding sensitive data – including financial services, telecommunications, business process outsourcing, hospitality, and cryptocurrency firms – as well as their IT helpdesks, are increasingly being targeted by ransomware attacks. The Federal Bureau of Investigation (FBI) and Cybersecurity &amp; Infrastructure Security Agency (CISA) have jointly released a cybersecurity <a href="https://www.cisa.gov/sites/default/files/2023-11/aa23-320a_scattered_spider_0.pdf" target="_blank" rel="noopener" data-cke-saved-href="https://www.cisa.gov/sites/default/files/2023-11/aa23-320a_scattered_spider_0.pdf">advisory</a> in response to recent activity by the threat actor group known as Scattered Spider. Scattered Spider received significant attention in September 2023 when it launched a ransomware attack against multiple casino operators, the details of which became known in securities filings following the SEC’s adoption of <a href="https://www.sec.gov/news/press-release/2023-139" target="_blank" rel="noopener" data-cke-saved-href="https://www.sec.gov/news/press-release/2023-139">data breach reporting rules</a> for public companies in July 2023. Scattered Spider has re-emerged in recent days launching ransomware attacks against multiple targets in a short span of time. The main details of the advisory are summarized below, though clients should direct their IT professionals to consult the full advisory.</p>
<p><em>What techniques are Scattered Spider employing?</em></p>
<p>Scattered Spider operatives have been reported to be posing as company IT or helpdesk staff in order to obtain credentials from employees, or to direct employees to run remote access tools that permit Scattered Spider to access a company network. Because IT support is also frequently offered through the use of remote access tools, Scattered Spider has been able to successfully impersonate IT professionals on a number of occasions. Similarly, Scattered Spider has been making use of multi-factor authentication tools (again relying on tools that are familiar to employees who regularly use tech support) to prompt employees to share passwords and/or run remote access tools.</p>
<p><em>What can be done to mitigate the threat?</em></p>
<p>The FBI and CISA recommend the use of the following measures:</p>
<ul>
<li>Address the threat of remote access tools:
<ul>
<li>This includes auditing remote access tools on a company network, reviewing logs for execution of remote access software, and requiring that only authorized remote access solutions be used, and only from within a company network.</li>
</ul>
</li>
<li>Implementing application controls that manage and control execution of software. The use of “allow-listing” (that is, only allowing pre-defined software to be executed) can block un-listed application execution, including execution of malicious files that are compressed, encrypted, or otherwise obfuscated.</li>
<li>Implementing multi-factor authentication based on public key infrastructure, which is known to resist the tactics utilized by Scattered Spider.</li>
<li>Strictly limiting the use of remote desktop protocols and, when they are used, taking extra precautions such as locking out accounts after a specified number of failed attempts and logging remote desktop logins.</li>
</ul>
<p>In addition, the FBI and CISA reinforce the continued importance of basic cybersecurity best practices:</p>
<ul>
<li>Implementing recovery plans and retaining multiple copies of sensitive data that could be targeted in a ransomware attack, including maintaining offline backups.</li>
<li>Requiring all accounts with passwords to comply with NIST password <a href="https://pages.nist.gov/800-63-3/" target="_blank" rel="noopener" data-cke-saved-href="https://pages.nist.gov/800-63-3/">standards</a>.</li>
<li>Requiring phishing-resistant multi-factor authentication for all services to the extent possible.</li>
<li>Keeping operating systems, software, and firmware up to date.</li>
<li>Segmenting networks to prevent the spread of ransomware.</li>
<li>Monitoring networks for abnormal activity.</li>
<li>Installing and regularly updating antivirus software.</li>
<li>Disabling unused ports and protocols.</li>
<li>Ensuring that backup data is encrypted, that it cannot be altered, and that it covers the entire organization’s infrastructure.</li>
</ul>
<p>Additionally, the FBI and CISA are actively soliciting reporting on the Scattered Spider group actors, and urge individuals or entities suffering from ransomware attacks or that obtain information about Scattered Spider to contact a local FBI field office or CISA operations center.</p><p>The post <a href="http://www.securityprivacyandthelaw.com/2023/11/fbi-and-cisa-issue-advisory-on-scattered-spider-ransomware-attacks/">FBI and CISA Issue Advisory on Scattered Spider Ransomware Attacks</a> first appeared on <a href="http://www.securityprivacyandthelaw.com">Security, Privacy and the Law</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>http://www.securityprivacyandthelaw.com/2023/11/fbi-and-cisa-issue-advisory-on-scattered-spider-ransomware-attacks/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>CISA Publishes Mitigation Guide to Combat Cyber Threats in the Healthcare and Public Health Sectors</title>
		<link>http://www.securityprivacyandthelaw.com/2023/11/cisa-publishes-mitigation-guide-to-combat-cyber-threats-in-the-healthcare-and-public-health-sectors/</link>
					<comments>http://www.securityprivacyandthelaw.com/2023/11/cisa-publishes-mitigation-guide-to-combat-cyber-threats-in-the-healthcare-and-public-health-sectors/#respond</comments>
		
		<dc:creator><![CDATA[Colin Zick]]></dc:creator>
		<pubDate>Fri, 24 Nov 2023 15:49:08 +0000</pubDate>
				<category><![CDATA[Healthcare Industry Spotlight]]></category>
		<category><![CDATA[Cybersecurity & Cybercrime]]></category>
		<category><![CDATA[CISA]]></category>
		<category><![CDATA[mitigation]]></category>
		<category><![CDATA[threats]]></category>
		<category><![CDATA[Healthcare]]></category>
		<category><![CDATA[Guide]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[breach]]></category>
		<guid isPermaLink="false">https://www.securityprivacyandthelaw.com/?p=2561</guid>

					<description><![CDATA[<p>If you need a little intellectual stimulation after hours of Thanksgiving turkey and football, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has just the thing &#8212; the new CISA <a href="https://www.cisa.gov/resources-tools/resources/mitigation-guide-healthcare-and-public-health-hph-sector">Mitigation Guide for the Healthcare and Public Health Sectors</a>.  This somewhat technical guide is a little dry, but it offers solid recommendations and suggested best practices to combat the pervasive cyber threats affecting the Healthcare and Public Health (HPH) Sectors.&#8230; <a class="read-more" href="http://www.securityprivacyandthelaw.com/2023/11/cisa-publishes-mitigation-guide-to-combat-cyber-threats-in-the-healthcare-and-public-health-sectors/">More</a></p>
<p>The post <a href="http://www.securityprivacyandthelaw.com/2023/11/cisa-publishes-mitigation-guide-to-combat-cyber-threats-in-the-healthcare-and-public-health-sectors/">CISA Publishes Mitigation Guide to Combat Cyber Threats in the Healthcare and Public Health Sectors</a> first appeared on <a href="http://www.securityprivacyandthelaw.com">Security, Privacy and the Law</a>.</p>]]></description>
										<content:encoded><![CDATA[<p>If you need a little intellectual stimulation after hours of Thanksgiving turkey and football, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has just the thing &#8212; the new CISA <a href="https://www.cisa.gov/resources-tools/resources/mitigation-guide-healthcare-and-public-health-hph-sector">Mitigation Guide for the Healthcare and Public Health Sectors</a>.  This somewhat technical guide is a little dry, but it offers solid recommendations and suggested best practices to combat the pervasive cyber threats affecting the Healthcare and Public Health (HPH) Sectors.</p>
<p>CISA identified and its guide addresses common vulnerabilities and insecure configurations across the HPH Sector, such as:</p>
<p style="padding-left: 80px">• Web application vulnerabilities<br />
• Encryption weaknesses<br />
• Unsupported software<br />
• Unsupported Windows operating systems (OS)<br />
• Known exploited vulnerabilities (KEVs)<br />
• Vulnerable services</p>
<p>Exposure of these and other vulnerabilities can result in ransomware, data breaches, or denial-of-service, and can compromise the availability, confidentiality, and integrity of critical HPH systems, functions, and data.  So skip the holiday shopping crowds and spend a little time with CISA&#8217;s Mitigation Guide this weekend.</p><p>The post <a href="http://www.securityprivacyandthelaw.com/2023/11/cisa-publishes-mitigation-guide-to-combat-cyber-threats-in-the-healthcare-and-public-health-sectors/">CISA Publishes Mitigation Guide to Combat Cyber Threats in the Healthcare and Public Health Sectors</a> first appeared on <a href="http://www.securityprivacyandthelaw.com">Security, Privacy and the Law</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>http://www.securityprivacyandthelaw.com/2023/11/cisa-publishes-mitigation-guide-to-combat-cyber-threats-in-the-healthcare-and-public-health-sectors/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Your Password Can&#8217;t Possibly Be This Bad, Can It?</title>
		<link>http://www.securityprivacyandthelaw.com/2023/11/your-password-cant-possibly-be-this-bad-can-it/</link>
					<comments>http://www.securityprivacyandthelaw.com/2023/11/your-password-cant-possibly-be-this-bad-can-it/#respond</comments>
		
		<dc:creator><![CDATA[Colin Zick]]></dc:creator>
		<pubDate>Sun, 19 Nov 2023 21:12:36 +0000</pubDate>
				<category><![CDATA[Healthcare Industry Spotlight]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Cybersecurity & Cybercrime]]></category>
		<category><![CDATA[Aaron431]]></category>
		<category><![CDATA[NordPass]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[Healthcare]]></category>
		<category><![CDATA[Change:]]></category>
		<guid isPermaLink="false">https://www.securityprivacyandthelaw.com/?p=2559</guid>

					<description><![CDATA[<p>NordPass (the purveyor of a password manager) has <a href="https://nordpass.com/poor-company-passwords/" target="_blank" rel="noopener">assembled </a>a list of the top 20 passwords in healthcare, based on usage by the world&#8217;s largest companies.  According to NordPass&#8217;s analysis, the &#8220;top&#8221; 20 passwords are:</p>
<ol class="leading-loose mt-3 mb-6 list--ol Fortune500__passwords-list font-bold font-roboto-mono">
<li class="my-2 relative text-small">123456</li>
<li class="my-2 relative text-small">password</li>
<li class="my-2 relative text-small">part of the company&#8217;s name*</li>
<li class="my-2 relative text-small">12345</li>
<li class="my-2 relative text-small">aaron431</li>
<li class="my-2 relative text-small">part of the company&#8217;s name2012*</li>
<li class="my-2 relative text-small">Part of the company&#8217;s name*</li>
<li class="my-2 relative text-small">PART OF THE COMPANY&#8217;S NAME443*</li>
<li class="my-2 relative text-small">company name2014*</li>
<li class="my-2 relative text-small">linkedin</li>
<li class="my-2 relative text-small">pass1</li>
<li class="my-2 relative text-small">company name*</li>
<li class="my-2 relative text-small">COMPANY NAME&#8217;S ABBREVIATION1*</li>
<li class="my-2 relative text-small">company name*</li>
<li class="my-2 relative text-small">00000</li>
<li class="my-2 relative text-small">1111</li>
<li class="my-2 relative text-small">company name*</li>
<li class="my-2 relative text-small">1234</li>
<li class="my-2 relative text-small">Med</li>
<li class="my-2 relative text-small">company name*</li>
</ol>
<p>Obviously,&#8230; <a class="read-more" href="http://www.securityprivacyandthelaw.com/2023/11/your-password-cant-possibly-be-this-bad-can-it/">More</a></p>
<p>The post <a href="http://www.securityprivacyandthelaw.com/2023/11/your-password-cant-possibly-be-this-bad-can-it/">Your Password Can’t Possibly Be This Bad, Can It?</a> first appeared on <a href="http://www.securityprivacyandthelaw.com">Security, Privacy and the Law</a>.</p>]]></description>
										<content:encoded><![CDATA[<p>NordPass (the purveyor of a password manager) has <a href="https://nordpass.com/poor-company-passwords/" target="_blank" rel="noopener">assembled </a>a list of the top 20 passwords in healthcare, based on usage by the world&#8217;s largest companies.  According to NordPass&#8217;s analysis, the &#8220;top&#8221; 20 passwords are:</p>
<ol class="leading-loose mt-3 mb-6 list--ol Fortune500__passwords-list font-bold font-roboto-mono">
<li class="my-2 relative text-small"><span class="inline-block">123456</span></li>
<li class="my-2 relative text-small"><span class="inline-block">password</span></li>
<li class="my-2 relative text-small"><span class="inline-block">part of the company&#8217;s name*</span></li>
<li class="my-2 relative text-small"><span class="inline-block">12345</span></li>
<li class="my-2 relative text-small"><span class="inline-block">aaron431</span></li>
<li class="my-2 relative text-small"><span class="inline-block">part of the company&#8217;s name2012*</span></li>
<li class="my-2 relative text-small"><span class="inline-block">Part of the company&#8217;s name*</span></li>
<li class="my-2 relative text-small"><span class="inline-block">PART OF THE COMPANY&#8217;S NAME443*</span></li>
<li class="my-2 relative text-small"><span class="inline-block">company name2014*</span></li>
<li class="my-2 relative text-small"><span class="inline-block">linkedin</span></li>
<li class="my-2 relative text-small"><span class="inline-block">pass1</span></li>
<li class="my-2 relative text-small"><span class="inline-block">company name*</span></li>
<li class="my-2 relative text-small"><span class="inline-block">COMPANY NAME&#8217;S ABBREVIATION1*</span></li>
<li class="my-2 relative text-small"><span class="inline-block">company name*</span></li>
<li class="my-2 relative text-small"><span class="inline-block">00000</span></li>
<li class="my-2 relative text-small"><span class="inline-block">1111</span></li>
<li class="my-2 relative text-small"><span class="inline-block">company name*</span></li>
<li class="my-2 relative text-small"><span class="inline-block">1234</span></li>
<li class="my-2 relative text-small"><span class="inline-block">Med</span></li>
<li class="my-2 relative text-small"><span class="inline-block">company name*</span></li>
</ol>
<p>Obviously, none of these are optimal, particularly in situations where HIPAA Protected Health Information may be involved.</p>
<p>(One of these, Aaron431, is a bit of a mystery.  It may be that it is a default password on a common application.)  The point of noting these passwords is, of course, to prompt you to review/change your passwords.  Or better yet, adopt a password manager, so you can utilize more complete passwords and change them more easily.</p><p>The post <a href="http://www.securityprivacyandthelaw.com/2023/11/your-password-cant-possibly-be-this-bad-can-it/">Your Password Can’t Possibly Be This Bad, Can It?</a> first appeared on <a href="http://www.securityprivacyandthelaw.com">Security, Privacy and the Law</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>http://www.securityprivacyandthelaw.com/2023/11/your-password-cant-possibly-be-this-bad-can-it/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Massachusetts Extends Protections for Counseling Records of Survivors of Sexual Assault</title>
		<link>http://www.securityprivacyandthelaw.com/2023/11/massachusetts-extends-protections-for-counseling-records-of-survivors-of-sexual-assault/</link>
					<comments>http://www.securityprivacyandthelaw.com/2023/11/massachusetts-extends-protections-for-counseling-records-of-survivors-of-sexual-assault/#respond</comments>
		
		<dc:creator><![CDATA[Colin Zick]]></dc:creator>
		<pubDate>Sun, 05 Nov 2023 17:13:54 +0000</pubDate>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Healthcare Industry Spotlight]]></category>
		<category><![CDATA[Government Enforcement]]></category>
		<category><![CDATA[motion]]></category>
		<category><![CDATA[Jane Doe]]></category>
		<category><![CDATA[Victim Rights Law Center]]></category>
		<category><![CDATA[Lampron]]></category>
		<category><![CDATA[Dwyer]]></category>
		<category><![CDATA[13336]]></category>
		<category><![CDATA[compel]]></category>
		<category><![CDATA[SJC]]></category>
		<category><![CDATA[sexual assault]]></category>
		<category><![CDATA[counseling]]></category>
		<category><![CDATA[Supreme Judicial Court]]></category>
		<category><![CDATA[records]]></category>
		<guid isPermaLink="false">https://www.securityprivacyandthelaw.com/?p=2556</guid>

					<description><![CDATA[<p><em>Massachusetts Extends Protections for Counseling Records of Survivors of Sexual Assault</em></p>
<p>The Massachusetts Supreme Judicial Court has ruled in <a href="https://casetext.com/case/in-re-a-motion-to-compel"><em>In the Matter of a Motion to Compel</em>, SJC-13336</a> that the Superior Court could not order a Massachusetts counseling center to turn over, at the behest of a Rhode Island court, counseling records of the alleged minor victim of a sexual assault that occurred in Rhode Island,&#8230; <a class="read-more" href="http://www.securityprivacyandthelaw.com/2023/11/massachusetts-extends-protections-for-counseling-records-of-survivors-of-sexual-assault/">More</a></p>
<p>The post <a href="http://www.securityprivacyandthelaw.com/2023/11/massachusetts-extends-protections-for-counseling-records-of-survivors-of-sexual-assault/">Massachusetts Extends Protections for Counseling Records of Survivors of Sexual Assault</a> first appeared on <a href="http://www.securityprivacyandthelaw.com">Security, Privacy and the Law</a>.</p>]]></description>
										<content:encoded><![CDATA[<p><strong><em>Massachusetts Extends Protections for Counseling Records of Survivors of Sexual Assault</em></strong></p>
<p>The Massachusetts Supreme Judicial Court has ruled in <a href="https://casetext.com/case/in-re-a-motion-to-compel"><em>In the Matter of a Motion to Compel</em>, SJC-13336</a> that the Superior Court could not order a Massachusetts counseling center to turn over, at the behest of a Rhode Island court, counseling records of the alleged minor victim of a sexual assault that occurred in Rhode Island, without the court first following the so-called <em>Lampron-Dwyer</em> protocol.</p>
<p>The <em>Lampron-Dwyer</em> protocol, first set out in <em><a href="http://masscases.com/cases/sjc/448/448mass122.html">Commonwealth v. Dwyer, 448 Mass. 122 (2006)</a></em> and<em> <a href="http://masscases.com/cases/sjc/441/441mass265.html">Commonwealth v. Lampron, 441 Mass. 265, 269-270 (2004)</a></em>, provides a <a href="https://www.mass.gov/lists/dwyer-court-forms">step-by-step process</a> Massachusetts courts must follow when defense counsel in a sexual assault case request access to a victim’s counseling records.  The <em>Lampron-Dwyer </em>protocol adheres as much as possible to M.G.L. c. 233, §20J, the statutory privilege shielding such records from disclosure, while protecting a defendant’s due process rights.</p>
<p>In this case, Foley Hoag LLP submitted an amicus brief on behalf of long-time pro bono clients the <a href="https://victimrights.org/">Victim Rights Law Center</a> (VRLC) and <a href="https://www.janedoe.org/">Jane Doe, Inc.</a> (JDI). The case addressed whether survivors of sexual assault who are resident in Massachusetts and receive mental health counseling related to the assault retain the privacy rights in those counseling records granted to them under Massachusetts law if the assault occurred outside of Massachusetts (in this case, Rhode Island).  As amici, VRLC and JDI argued that survivors should not be stripped of certain existing privacy protections simply because the assault occurred in another state.  The SJC ultimately agreed, ruling that the well-established <em>Lampron-Dwyer</em> protocol must be followed prior to the disclosure of otherwise-protected counseling records of sexual assault survivors.  Practitioners and advocates hailed the decision as a victory for sexual assault survivors who rely on the privacy protections provided in Massachusetts when seeking much needed counseling services.</p>
<p><strong><u>The Underlying Criminal Case</u></strong></p>
<p>The appeal arose out of a criminal case in Rhode Island against an alleged perpetrator of sexual assault against a minor.  The minor survivor was resident in Massachusetts, but the assault occurred in Rhode Island.  The minor sought counseling following the assault from Wayside Youth &amp; Family Support Network, a Massachusetts-based counseling center that provides sexual assault counseling to youths.  The defendant sought the survivor’s counseling records from Wayside, claiming that he believed the records would support his alibi. He obtained an order from a Rhode Island court under the Uniform Law to Secure the Attendance of Witnesses from Without the State in Criminal Proceedings, <a href="malegislature">M.G.L.c. 233</a>, §§ 13A-13D (the Uniform Law), which demanded that Wayside turn over the victim’s records.</p>
<p>Under Massachusetts law, counseling records like those sought in this case are generally privileged, under the sexual assault counselor’s privilege provided in M.G.L. c. 233, § 20J.  The SJC also established stringent non-disclosure protections for such records in the <em>Lampron-Dwyer </em>protocol and related cases. The <em>Lampron-Dwyer</em> balancing test the SJC developed allows courts to determine when an exception might be made to the general bar on disclosing these confidential records.</p>
<p>The Massachusetts Superior Court judge in this case initially denied the defendant’s request for counseling records in light of the §20J privilege, but ultimately issued an order compelling production of the records, citing the SJC’s 1993 <em><a href="https://casetext.com/case/in-the-matter-of-a-rhode-island-grand-jury-subpoena">Matter of a R.I. Grand Jury Subpoena</a></em> decision, which stated that, under the Uniform Law, the requesting state must make any privilege determinations. The judge also stayed the order and reported the case for appellate guidance.</p>
<p><strong><u>The Impact for Survivors and their Advocates</u></strong></p>
<p>The SJC’s decision ruling that the Massachusetts judge committed reversible error when he issued the order compelling the production of the survivor’s sexual assault counseling records without first considering the § 20J privilege or applying the long-standing <em>Lampron-Dwyer</em> balancing test reinforces the view of the Commonwealth, VRLC, and JDI that sexual assault counseling records are entitled to special privacy protections that few other records are entitled to under Massachusetts law.</p>
<p>Through the protections in § 20J, the <em>Lampron-Dwyer </em>protocol, and related cases, Massachusetts has identified the sexual assault counselor and survivor relationship as one of the few societal relationships entitled to a privilege that should only be pierced in rare and necessary circumstances.  The list of relationships entitled to such privileges is small—the priest-penitent privilege is one of the few comparable statutorily established privileges—emphasizing the conscious decision made by the legislature to protect this beneficial relationship.  This SJC decision upholds those protections and provides the consistency in application of the law that both survivors and their advocates can rely upon.</p>
<p>The Foley Hoag team representing VRLC, Jane Doe, Inc. and the other amici consisted of <a href="https://foleyhoag.com/people/mirenda-anthony/">Anthony Mirenda</a>, <a href="https://foleyhoag.com/people/gradel-laura/">Laura Gradel</a>, and Foley alum <a href="https://www.sheeheyvt.com/our_team/adam-c-aguirre/">Adam Aguirre</a>.</p>
<p>The post <a href="http://www.securityprivacyandthelaw.com/2023/11/massachusetts-extends-protections-for-counseling-records-of-survivors-of-sexual-assault/">Massachusetts Extends Protections for Counseling Records of Survivors of Sexual Assault</a> first appeared on <a href="http://www.securityprivacyandthelaw.com">Security, Privacy and the Law</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>http://www.securityprivacyandthelaw.com/2023/11/massachusetts-extends-protections-for-counseling-records-of-survivors-of-sexual-assault/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>President Biden Issues Executive Order on Use of Artificial Intelligence in Healthcare Settings</title>
		<link>http://www.securityprivacyandthelaw.com/2023/10/president-biden-issues-executive-order-on-use-of-artificial-intelligence-in-healthcare-settings/</link>
					<comments>http://www.securityprivacyandthelaw.com/2023/10/president-biden-issues-executive-order-on-use-of-artificial-intelligence-in-healthcare-settings/#respond</comments>
		
		<dc:creator><![CDATA[Bryant Godfrey]]></dc:creator>
		<pubDate>Tue, 31 Oct 2023 19:51:27 +0000</pubDate>
				<category><![CDATA[AI]]></category>
		<category><![CDATA[Healthcare Industry Spotlight]]></category>
		<category><![CDATA[Executive Order]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[health care]]></category>
		<category><![CDATA[President Biden]]></category>
		<guid isPermaLink="false">https://www.securityprivacyandthelaw.com/?p=2551</guid>

					<description><![CDATA[<p><a href="https://www.securityprivacyandthelaw.com/wp-content/uploads/sites/8/2023/10/AI_Brain_689x388.jpg"><img loading="lazy" decoding="async" class="alignright wp-image-2552" src="https://www.securityprivacyandthelaw.com/wp-content/uploads/sites/8/2023/10/AI_Brain_689x388.jpg" alt="" width="325" height="183" srcset="https://www.securityprivacyandthelaw.com/wp-content/uploads/sites/8/2023/10/AI_Brain_689x388.jpg 689w, https://www.securityprivacyandthelaw.com/wp-content/uploads/sites/8/2023/10/AI_Brain_689x388-300x169.jpg 300w" sizes="(max-width: 325px) 100vw, 325px" /></a>Key Takeaways:</p>
<ul>
<li>This executive order (EO) directs federal agencies to review and develop policies to guide the use of artificial intelligence that touches every sector of the economy.</li>
<li>The EO directs the Department of Health and Human Services (HHS) to establish an HHS AI Task Force to develop a strategic plan on the responsible deployment of AI and AI-enabled technologies in healthcare settings.&#8230; <a class="read-more" href="http://www.securityprivacyandthelaw.com/2023/10/president-biden-issues-executive-order-on-use-of-artificial-intelligence-in-healthcare-settings/">More</a></li>
</ul>
<p>The post <a href="http://www.securityprivacyandthelaw.com/2023/10/president-biden-issues-executive-order-on-use-of-artificial-intelligence-in-healthcare-settings/">President Biden Issues Executive Order on Use of Artificial Intelligence in Healthcare Settings</a> first appeared on <a href="http://www.securityprivacyandthelaw.com">Security, Privacy and the Law</a>.</p>]]></description>
										<content:encoded><![CDATA[<p><strong><a href="https://www.securityprivacyandthelaw.com/wp-content/uploads/sites/8/2023/10/AI_Brain_689x388.jpg"><img loading="lazy" decoding="async" class="alignright wp-image-2552" src="https://www.securityprivacyandthelaw.com/wp-content/uploads/sites/8/2023/10/AI_Brain_689x388.jpg" alt="" width="325" height="183" srcset="https://www.securityprivacyandthelaw.com/wp-content/uploads/sites/8/2023/10/AI_Brain_689x388.jpg 689w, https://www.securityprivacyandthelaw.com/wp-content/uploads/sites/8/2023/10/AI_Brain_689x388-300x169.jpg 300w" sizes="(max-width: 325px) 100vw, 325px" /></a>Key Takeaways:</strong></p>
<ul>
<li>This executive order (EO) directs federal agencies to review and develop policies to guide the use of artificial intelligence that touches every sector of the economy.</li>
<li>The EO directs the Department of Health and Human Services (HHS) to establish an HHS AI Task Force to develop a strategic plan on the responsible deployment of AI and AI-enabled technologies in healthcare settings.</li>
<li>The EO also directs HHS to develop a strategy for regulating the use of AI-enabled tools in the drug development process.</li>
<li>The Biden administration actions to direct government agencies on the development, use, and maintenance of AI will bring renewed focus and interest in the use of AI going forward.</li>
</ul>
<p>&#8212;</p>
<p>On October 30, 2023, President Biden issued an executive order (EO) to guide federal agencies on the development and use of artificial intelligence (AI). The administration views AI as holding numerous benefits but at the same time cautions it could exacerbate societal harms if not responsibly managed.</p>
<p>The Biden administration laid out eight principles to guide federal agencies in advancing, using, and overseeing AI. The first principle is that AI must be safe and secure, meaning there must be robust, reliable, and standardized evaluations of AI systems, as well as policies or other mechanisms, including institutions, to test, understand, and mitigate risks from these systems before they are in use. This is particularly relevant, as the EO notes, to the biotechnology and cybersecurity industries. In meeting this principle, the administration will develop labeling and content provenance mechanisms to help determine when content is generated using AI and when it is not.</p>
<p>The next set of principles focus on promoting responsible innovation, competition, and collaboration to allow the United States to lead in AI. This includes a commitment to supporting American workers and furthering health equity and civil rights. It also focuses on upholding consumer protection laws and Americans’ privacy and civil liberties.</p>
<p>The final set of principles seek to govern the Federal Government’s own use of AI and increase its internal capacity to regulate and govern the responsible use of AI. This includes developing a framework to manage AI’s risks, unlock AI’s potential for good, and promote common approaches with other nations.</p>
<p><strong>EO Healthcare Implications</strong><br />
To ensure safe and responsible use of AI in the healthcare industry, the EO directs the Department of Health and Human Services (HHS) to establish an HHS AI Task Force within one year. This task force shall develop a strategic plan that includes policies, and possibly regulatory action, on responsible deployment of AI and AI-enabled technologies in the healthcare sector, including research and discovery, drug and device safety, healthcare delivery and financing, and public health.</p>
<p>The EO directs HHS to identify appropriate guidance and resources to promote AI’s deployment and use in a variety of settings and situations. This includes:</p>
<ul>
<li>the development, maintenance, and use of predictive and generative AI-enabled technologies in healthcare delivery and financing, including quality measurement, performance improvement, program integrity, benefits administration, and patient experience, and considering appropriate human oversight of the AI-generated output;</li>
<li>identifying uses of AI that promote workplace efficiency and satisfaction, and the development and maintenance of documentation to help users determine appropriate and safe uses of AI in local healthcare settings;</li>
<li>monitoring long-term safety and performance of AI-enabled technologies, including clinically relevant or significant modifications and performance across population groups, and incorporating equity principles in AI-enabled technologies. This means using disaggregated data on affected populations and representative population data sets when developing new models, and monitoring algorithmic performance against discrimination and bias in existing models.</li>
</ul>
<p>To protect personally identifiable information, the EO calls for incorporating safety, privacy, and security standards into the software-development lifecycle, including measures to address AI-enhanced cybersecurity threats.</p>
<p>The EO also directs HHS to consider appropriate actions to advance compliance and understanding of federal nondiscrimination laws by health providers that receive federal financial assistance, and its relationship to AI. This may include providing technical assistance or issuing guidance to healthcare providers and payers about their obligations under nondiscrimination and privacy laws as they relate to AI.</p>
<p>Notably, the EO directs HHS to develop a strategy for regulating the use of AI or AI-enabled tools in drug development processes. This strategy shall define the objectives, goals, and high-level principles required for appropriate regulation throughout each phase of drug development, identify areas where future rulemaking, guidance, or additional statutory authority may be necessary, and identify existing budget, resources, and personnel for such regulatory systems.</p>
<p>Lastly, the EO directs HHS, in consultation with the Secretary of Defense and Veterans Affairs, to establish an AI safety program that establishes a common framework for approaches to identifying and capturing clinical errors resulting from AI deployed in healthcare settings, as well as specifications for a central tracking repository for associated incidents that cause harm to patients, caregivers, or other parties.</p>
<p><strong>Next Steps</strong><br />
While the EO provides up to one year for many of these actions to occur, it is possible the administration and these agencies will begin operationalizing and engaging industry to begin building AI frameworks and seeking necessary input to roll out AI systems and processes in key areas of the healthcare sector.</p><p>The post <a href="http://www.securityprivacyandthelaw.com/2023/10/president-biden-issues-executive-order-on-use-of-artificial-intelligence-in-healthcare-settings/">President Biden Issues Executive Order on Use of Artificial Intelligence in Healthcare Settings</a> first appeared on <a href="http://www.securityprivacyandthelaw.com">Security, Privacy and the Law</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>http://www.securityprivacyandthelaw.com/2023/10/president-biden-issues-executive-order-on-use-of-artificial-intelligence-in-healthcare-settings/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>NY State Education Department Bans Facial Recognition Technology</title>
		<link>http://www.securityprivacyandthelaw.com/2023/10/ny-state-education-department-bans-facial-recognition-technology/</link>
					<comments>http://www.securityprivacyandthelaw.com/2023/10/ny-state-education-department-bans-facial-recognition-technology/#respond</comments>
		
		<dc:creator><![CDATA[Jeremy Meisinger]]></dc:creator>
		<pubDate>Mon, 23 Oct 2023 14:30:04 +0000</pubDate>
				<category><![CDATA[State laws]]></category>
		<category><![CDATA[Education]]></category>
		<category><![CDATA[Biometrics]]></category>
		<category><![CDATA[biometric technology]]></category>
		<category><![CDATA[facial recognition technology]]></category>
		<category><![CDATA[facial recognition]]></category>
		<category><![CDATA[public schools]]></category>
		<category><![CDATA[AI]]></category>
		<category><![CDATA[New York]]></category>
		<guid isPermaLink="false">https://www.securityprivacyandthelaw.com/?p=2548</guid>

					<description><![CDATA[<p><a href="https://www.securityprivacyandthelaw.com/wp-content/uploads/sites/8/2023/10/School.jpg"><img loading="lazy" decoding="async" class="alignright  wp-image-2549" src="https://www.securityprivacyandthelaw.com/wp-content/uploads/sites/8/2023/10/School.jpg" alt="" width="373" height="276" srcset="https://www.securityprivacyandthelaw.com/wp-content/uploads/sites/8/2023/10/School.jpg 600w, https://www.securityprivacyandthelaw.com/wp-content/uploads/sites/8/2023/10/School-300x222.jpg 300w" sizes="(max-width: 373px) 100vw, 373px" /></a>In late September, the NY State Education Department issued a two-page <a href="https://www.nysed.gov/sites/default/files/programs/data-privacy-security/biometric-determination-9-27-23.pdf">order</a> providing that NY public schools may not purchase or utilize facial recognition technology. The Department relied on a <a href="https://its.ny.gov/system/files/documents/2023/08/biometrics-report-final-2023.pdf">report</a> issued by the NY Office of Information Technology Services in August that was critical of the privacy implications of facial recognition technology, but left open the door for the use of other types of biometric technology in schools.&#8230; <a class="read-more" href="http://www.securityprivacyandthelaw.com/2023/10/ny-state-education-department-bans-facial-recognition-technology/">More</a></p>
<p>The post <a href="http://www.securityprivacyandthelaw.com/2023/10/ny-state-education-department-bans-facial-recognition-technology/">NY State Education Department Bans Facial Recognition Technology</a> first appeared on <a href="http://www.securityprivacyandthelaw.com">Security, Privacy and the Law</a>.</p>]]></description>
										<content:encoded><![CDATA[<p><a href="https://www.securityprivacyandthelaw.com/wp-content/uploads/sites/8/2023/10/School.jpg"><img loading="lazy" decoding="async" class="alignright  wp-image-2549" src="https://www.securityprivacyandthelaw.com/wp-content/uploads/sites/8/2023/10/School.jpg" alt="" width="373" height="276" srcset="https://www.securityprivacyandthelaw.com/wp-content/uploads/sites/8/2023/10/School.jpg 600w, https://www.securityprivacyandthelaw.com/wp-content/uploads/sites/8/2023/10/School-300x222.jpg 300w" sizes="(max-width: 373px) 100vw, 373px" /></a>In late September, the NY State Education Department issued a two-page <a href="https://www.nysed.gov/sites/default/files/programs/data-privacy-security/biometric-determination-9-27-23.pdf">order</a> providing that NY public schools may not purchase or utilize facial recognition technology. The Department relied on a <a href="https://its.ny.gov/system/files/documents/2023/08/biometrics-report-final-2023.pdf">report</a> issued by the NY Office of Information Technology Services in August that was critical of the privacy implications of facial recognition technology, but left open the door for the use of other types of biometric technology in schools.</p>
<p>The Department’s action followed litigation that began in 2020 after an upstate school district began implementing a facial recognition system intended to identify potentially threatening non-students on school premises. After the litigation began, the state legislature enacted a moratorium on facial recognition technology while the State Education Department and Office of Information Technology Services conducted further research and issued a final decision.</p>
<p>In its report, the Office of Information Technology Services focused heavily on potential impacts to student privacy as well as equity concerns, noting that research on facial recognition technology has found higher rates of incorrect identification for people of color, non-binary and transgender individuals, women, the elderly, and, importantly, children. The report likewise expressed significant concerns over the possibility of breaches of the biometric databases that would be needed to make the facial recognition technology work, noting that because biometric information generally cannot be changed, the disclosure of biometric data could put users at permanent risk.</p>
<p>Ultimately, the report was less critical of non-facial-recognition biometric technology, such as digital fingerprinting. The Department’s order potentially allows for the use of such technology, as it authorizes school districts to “determine whether to use biometric identifying technology other than facial recognition technology at the local level.”</p>
<p>Similar debates are taking place at the local level in other states, too. <a href="https://www.mtpr.org/montana-news/2022-09-22/as-facial-recognition-arrives-in-schools-montana-enters-uncharted-territory">Montana</a>, for example, has recently begun to utilize facial recognition technology for security purposes in several small school districts. Though there is no overarching federal policy on the use of facial recognition technology in schools, the <a href="https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html">Federal Educational Rights and Privacy Act</a> (“FERPA”) does require certain protections for “biometric records” of students, which can include, among other things, “retina and iris patterns” and “facial characteristics.” That said, FERPA does not impose detailed privacy and data security requirements (in the way that, for example, HIPAA does in the health context), and the potential for data breaches figured heavily in the Department’s analysis as well as in other state-level debates about facial recognition.</p>
<p>We expect these debates will continue as schools search for technologies that enhance security on campus while trying to balance that need against the various other issues presented by facial recognition technology.</p><p>The post <a href="http://www.securityprivacyandthelaw.com/2023/10/ny-state-education-department-bans-facial-recognition-technology/">NY State Education Department Bans Facial Recognition Technology</a> first appeared on <a href="http://www.securityprivacyandthelaw.com">Security, Privacy and the Law</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>http://www.securityprivacyandthelaw.com/2023/10/ny-state-education-department-bans-facial-recognition-technology/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>HHS OCR/ONC Announce Latest Version of Security Risk Assessment Tool</title>
		<link>http://www.securityprivacyandthelaw.com/2023/09/hhs-ocr-onc-announce-latest-version-of-security-risk-assessment-tool/</link>
					<comments>http://www.securityprivacyandthelaw.com/2023/09/hhs-ocr-onc-announce-latest-version-of-security-risk-assessment-tool/#respond</comments>
		
		<dc:creator><![CDATA[Colin Zick]]></dc:creator>
		<pubDate>Sun, 17 Sep 2023 19:25:26 +0000</pubDate>
				<category><![CDATA[Healthcare Industry Spotlight]]></category>
		<category><![CDATA[Cybersecurity & Cybercrime]]></category>
		<category><![CDATA[tool]]></category>
		<category><![CDATA[assessment]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[ONC]]></category>
		<category><![CDATA[OCR]]></category>
		<guid isPermaLink="false">https://www.securityprivacyandthelaw.com/?p=2544</guid>

					<description><![CDATA[<p>The U.S. Department of Health and Human Services Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) have released version 3.4 of their <a href="https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool">Security Risk Assessment (SRA) Tool</a>.</p>
<p>The SRA Tool is designed to help healthcare providers conduct a risk analysis as required by the HIPAA Security Rule. Identifying and assessing potential risks and vulnerabilities to electronic protected health information (ePHI) are foundational elements in the implementation of security measures that protect ePHI.&#8230; <a class="read-more" href="http://www.securityprivacyandthelaw.com/2023/09/hhs-ocr-onc-announce-latest-version-of-security-risk-assessment-tool/">More</a></p>
<p>The post <a href="http://www.securityprivacyandthelaw.com/2023/09/hhs-ocr-onc-announce-latest-version-of-security-risk-assessment-tool/">HHS OCR/ONC Announce Latest Version of Security Risk Assessment Tool</a> first appeared on <a href="http://www.securityprivacyandthelaw.com">Security, Privacy and the Law</a>.</p>]]></description>
										<content:encoded><![CDATA[<p>The U.S. Department of Health and Human Services Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) have released version 3.4 of their <a href="https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool">Security Risk Assessment (SRA) Tool</a>.</p>
<p>The SRA Tool is designed to help healthcare providers conduct a risk analysis as required by the HIPAA Security Rule. Identifying and assessing potential risks and vulnerabilities to electronic protected health information (ePHI) are foundational elements in the implementation of security measures that protect ePHI. As hacking and ransomware attacks continue to increase within the health care sector, it is more important than ever for organizations to understand their risk exposure and use that understanding to improve their cybersecurity.</p>
<p>The downloadable SRA Tool is a desktop application that walks users through the security risk assessment process using multiple-choice questions, threat and vulnerability assessments, and asset and vendor management. References and additional guidance are given along the way. Reports are available to save and print after the assessment is completed.</p>
<p>The latest version contains a variety of feature enhancements based on user feedback and public input. New features include:</p>
<ol>
<li>A Remediation Report to help track responses within the tool</li>
<li>A Glossary and “Tool Tips” help</li>
<li>Updated references to the Health Industry Cybersecurity Practices (HICP) 2023 Edition</li>
<li>Bug fixes and stability enhancements</li>
</ol><p>The post <a href="http://www.securityprivacyandthelaw.com/2023/09/hhs-ocr-onc-announce-latest-version-of-security-risk-assessment-tool/">HHS OCR/ONC Announce Latest Version of Security Risk Assessment Tool</a> first appeared on <a href="http://www.securityprivacyandthelaw.com">Security, Privacy and the Law</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>http://www.securityprivacyandthelaw.com/2023/09/hhs-ocr-onc-announce-latest-version-of-security-risk-assessment-tool/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
