Microsoft Issues Cybersecurity Risk Warning and Offers Help to Hospitals During COVID-19 Crisis

On April 1, 2020, Microsoft issued a specific warning to health care entities alerting them that they are at particular risk during the COVID-19 crisis, as threat actors are using the pandemic to take advantage of vulnerabilities while hospitals are focused on responding to the crisis.

According to Microsoft “[D]uring this time of crisis, as organizations have moved to a remote workforce, ransomware operators have found a practical target: network devices like gateway and virtual private network (VPN) appliances. Unfortunately, one sector that’s particularly exposed to these attacks is healthcare.”

Microsoft’s scanning resources previously identified dozens of health care organizations that were at risk, notified them and provided them with resources addressing how to reduce the risk of a ransomware attack or credential theft during this time.

According to Microsoft “[A]s part of intensified monitoring and takedown of threats that exploit the COVID-19 crisis, Microsoft has been putting an emphasis on protecting critical services, especially hospitals. Now more than ever, hospitals need protecting from attacks that can prevent access to critical systems, cause downtime, or steal sensitive information.”

Microsoft advises that ransomware is a particular threat to hospitals at this time, and that a successful ransomware attack could create chaos if providers are unable to access electronic medical records of patients while treating them, especially in intensive care units. The Microsoft warning noted that “the attackers behind the REvil ransomware are actively scanning the internet for vulnerable systems. Attackers have also been observed using the updater features of VPN clients to deploy malware payloads.”

Microsoft’s alert sets forth important details of what hospital information technology personnel should be looking for and focusing on to minimize this critical risk. Microsoft’s suggestions can be accessed here.

OCR Issues Additional Guidance on HIPAA for Providers and First Responders on COVID-19 Front Lines

On March 24, 2020, the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) issued new HIPAA guidance to help providers and first responders in its efforts to combat the COVID-19 pandemic.

OCR’s guidance addresses when HIPAA allows disclosures without patient authorization of identifying health information to first responders – such as law enforcement and emergency medical services personnel – and public health authorities related to individuals infected with or exposed to COVID-19. OCR confirms such disclosures are permissible under HIPAA in certain circumstances, including:

  • If necessary to provide treatment, such as when a hospital coordinates with emergency medical services personnel regarding the transportation of a potential COVID-19 patient;
  • If required by law, such as situations in which confirmed diagnoses of communicable diseases like COVID-19 must be reported to state public health authorities;
  • If necessary to notify public health authorities to prevent or control the spread of disease, such as disclosures to the Centers for Disease Control and Prevention or to state departments of public health or local health boards authorized by law to receive or collect the information;
  • If first responders are at risk for infection, where authorized by state law (such as M.G.L. c. 111 § 111C in Massachusetts);
  • If disclosure is necessary to prevent or lessen a serious and imminent threat, and is made to someone who can lessen or prevent the threat; or
  • In response to requests from a correctional institution or law enforcement official with custody over the individual who is the subject of the disclosure, as long as the disclosure is necessary for providing health care to the individual, for the health and safety of those around the individual (including law enforcement and corrections officers), or for the administration of the correctional institution.

OCR further advises that such disclosures generally should adhere to HIPAA’s “minimum necessary” standard for uses and disclosures. OCR concludes the guidance by providing a few examples of scenarios involving the use or disclosure of personal health information (PHI) to or from first responders and others on the front lines of the COVID-19 response.

OCR’s guidance is well-timed as hospitals and first responders increase coordination to address the COVID-19 pandemic. Hospitals and other providers would be well-advised to continue monitoring guidance from OCR in support of public health efforts.

This post is also being shared on our Health Law Diagnosis blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.

Privacy Tip #233 – Be Wary of Coronavirus Telemarketing Calls

The scammers know that most of us are working from home and are trying to use this to their advantage. The robocalls have increased, and telemarketers are calling more frequently, but with a new twist—preying on fears of consumers about coronavirus.

I am on the Do-Not-Call list, yet I am still getting many unwanted robocalls. It gets to the point where you don’t answer your phone at all.

The Federal Trade Commission (FTC) is trying to help, and this week issued letters to nine Voice over Internet Protocol (VolP) service providers and other companies “warning them that ‘assisting and facilitating’ illegal telemarketing or robocalls related to the coronavirus or COVID-19 pandemic is against the law. Many of these calls prey upon consumers’ fear of the virus to perpetrate scams or sow disinformation.” 

The letters warn them that if they facilitate scams or disinformation, the FTC may take enforcement action against them. The conduct the FTC advised the companies may violate the Telemarketing Sales Rule includes:

  • making a false or misleading statement to induce a consumer to buy something or contribute to a charity;
  • misrepresenting a seller or telemarketer’s affiliation with any government agency;
  • transmitting false or deceptive caller ID numbers;
  • initiating pre-recorded telemarketing robocalls, unless the seller has express written permission to call; and
  • initiating telemarketing calls to consumers whose phone numbers are on the National Do Not Call Registry, with certain exceptions.

Be aware of scammers and telemarketers trying to prey on our fear surrounding the coronavirus, and screen your calls. If the call is legitimate, the caller will usually leave a message and you can call them back if you choose. Remember to never give your personal information or financial information to anyone over the phone.

AUVSI Comments on FAA’s Proposed Remote Identification UAS Rule

The Association for Unmanned Vehicle Systems International (AUVSI) released its comments on the Federal Aviation Administration’s (FAA) proposed Remote Identification Unmanned Aircraft Systems (UAS) Rule, emphasizing the importance of remote ID for expanded UAS operations, and also encouraging the FAA to explore ways to incentivize early, voluntary compliance with remote ID prior to the implementation of the final rule. This could help to determine any issues with the rule and allow the FAA to revise the rule prior to implementation.

Specifically, AUVSI suggests increasing airspace access for voluntarily compliant operators as well as offering financial rebates for manufacturers or reimbursement for drone pilots who successfully complete the knowledge exam or a practical training course that adheres to remote ID standards.

In its comments, the AUVSI also said the FAA:

  • Should continue with other rulemakings (e.g., flights over people and beyond visual line of sight operations);
  • Allow for flexibility in the technological approaches taken by drone operators and adopt performance-based rules that comply with international standards and do not include prescriptive technology requirements;
  • Keep in mind the importance of operator privacy and security; and
  • Create standards for manufacturers and operators to build to a single set of standards globally and encourage consistency and compliance.

To read AUVSI’s full comments, click here.

Privacy Tip #232 – Spam Phone Calls Rampant for Remote Workers

For those of us who work outside of the home during normal times, we know when we are home on the weekends not to answer our home telephone unless we recognize the number or caller. The same is, of course, true for our mobile phones. If the caller is someone we know, they will leave a message and we can call them back. If it’s a scammer or robocall, we ignore it.

But now that we are working at home, people are more susceptible to answering the phone even when they don’t recognize the number, because it might be a co-worker or colleague who is trying to get in touch with us. We used to issue warnings about telephone scams to our senior citizens who were home during the day and vulnerable; now we also need to warn workers who are working at home during this pandemic.

Telephone scams are on the rise during this pandemic. Scammers know that everyone is working at home and the robocalls, solicitations, and promises are non-stop. Just like on the weekends, they must be ignored. The scammers are using the fear of COVID-19 to impersonate the Centers for Disease Control, the Social Security Administration, Department of Labor (regarding possible unemployment benefits), and even promising to hand deliver the check from Congress if you provide your personal information to verify your identity. This includes your Social Security number to make sure you are who you say you are.

This week, a fraud scheme promised home delivery of a coronavirus vaccine if you provided personal information and payment over the phone. There is no such vaccine. But people are so scared, they are falling for these scams.

During this stressful time, fraudsters are betting on the fact that fear will make otherwise cautious people do things they wouldn’t normally do. Don’t be one of those people. Understand that phone scams are on the rise, stay vigilant, and ignore those calls.

Businesses and Trade Groups Seek Delay in CCPA Enforcement Actions

Recently businesses and advertising trade groups wrote a letter to the California Attorney General Xavier Becerra to request delayed enforcement of the California Consumer Privacy Act (CCPA) as a result of the COVID-19 global pandemic. The letter cited the current health crisis as a result of COVID-19 and a state of national emergency as the first reason to delay enforcement. The letter seeks a reprieve from enforcement actions given the pressures and stressors placed on organizations due to COVID-19 and the delay would allow businesses to prioritize the needs and health of their workforce rather than focus on using those resources to “avoid costly and resource intensive enforcement actions.” The letter also cites the rapid switch to a remote workforce due to the crisis, thus making it more difficult to develop and test necessary systems and processes to comply with CCPA.

The second reason given for the request to delay enforcement focused on the status of the CCPA draft regulations which are still pending and have not yet been finalized. The letter points out that it takes time for businesses to create procedures and processes to comply with CCPA which is more challenging when the regulations are still pending. The letter also points out that with each version of the draft regulations, compliance responsibilities have changed, ultimately making the time frame to implement the regulations even shorter before the current July 1, 2020, CCPA enforcement date.

The letter asks that the Attorney General delay enforcement of the CCPA until January 2, 2021. Thus far, it has been reported that the Attorney General’s Office has no current plans to delay enforcement.

COVID-19 Vaccine Test Lab Hit by Maze Ransomware

Despite the fact that the hackers behind Maze ransomware previously promised not to hit medical organizations during the coronavirus pandemic, it recently attacked a British medical lab that is slated to test COVID-19 vaccines during the pandemic. The Maze hackers previously said publicly that it would “stop all activity versus all kinds of medical organizations until the stabilization of the situation with the virus.” Apparently not so.

What do we expect from criminals—that they will actually keep their word? It just seems particularly despicable right now.

Despite the public pledge, the cyber criminals behind Maze [view related posts] hit Hammersmith Medicines Research (Hammersmith), a British laboratory facility that is ready to test coronavirus vaccines with medical trials, with its ransomware on March 14, 2020. According to a spokesman for Hammersmith, which performed tests in the past for the Ebola vaccine, the cyber attack was identified and stopped without paying the requested ransom.

The problem with Maze is that its business plan relies on the ability to exfiltrate the victim’s data, then increase pressure on the victim by threatening to publish the data on the dark web if the victim doesn’t pay the ransom. It has been reported that Maze has used the same pressure techniques with Hammersmith after it refused to pay the ransom. Maze is now threatening to publish patient data from Hammersmith of patients involved in medical trials 8-20 years ago. Maze has reportedly already published some of Hammersmith’s patient data on the dark web. Just what Hammersmith needs to worry about while ramping up to test coronavirus vaccines.

Perhaps the hackers behind Maze should be thinking about their own health when they hamper coronavirus vaccine medical trials and approvals–they may need the vaccine one day. If only they would focus their capabilities on doing some good for the world or leave those who are actually working for the greater good to continue to do their good work without interruption.

COVID-19: HHS Issues FAQs on HIPAA and Telehealth to Help Providers Maintain Access to Care During the Pandemic

On March 20, the U.S. Department of Health and Human Services (HHS) issued additional guidance in the form of Frequently Asked Questions (FAQs) on HIPAA and telehealth services to help providers furnish care during the COVID-19 pandemic.

The FAQs follow and provide further information on the Notification of Enforcement Discretion issued by HHS on March 17 (Notification), in which HHS indicated that it would not penalize providers for using popular video chat applications, such as FaceTime and Skype, in good faith to provide telehealth services amid the COVID-19 pandemic.  HHS has emphasized, however, that the Notification does not allow the use of public-facing communications products, such as Facebook live or other livestreaming applications.

In the FAQs, HHS first provides an important reminder that while the term telehealth refers to the “use of electronic information and telecommunications technologies” for remote health care and patient education, certain payors – including Medicare – place restrictions on the types of technologies that can be used in order for the services to be reimbursed.  HHS notes that such restrictions do not limit the scope of the Notification.

HHS then provides the following additional information on the Notification and telehealth generally:

  • The Notification applies to all health care providers that are covered by HIPAA and provide telehealth services during the COVID-19 emergency, with no limitations on the patients served via telehealth;
  • The Notification applies to all services that a provider believes, in his or her professional judgment, can be provided via telehealth under the circumstances of the emergency;
  • The Notification does not apply to health insurance companies that just pay for telehealth services;
  • The Notification applies to HIPAA’s Security Rule, Privacy Rule, and Breach Notification Rule regulations;
  • The Notification does not apply to substance use disorder records or communications covered by 42 C.F.R. Part 2;
  • The Notification does not have an expiration date;
  • Health care providers are expected to conduct telehealth services in private settings, and providers should implement reasonable safeguards to limit incidental uses or disclosures of protected health information;
  • The Notification applies only to the “good faith” provision of telehealth services, which HHS assesses via a facts and circumstances test, and examples of what would not qualify as good faith include the provision of telehealth services in furtherance of a criminal scheme, or to violate state licensure law, or the use of public-facing communications products such as Facebook live; and
  • Non-public facing remote communication products can include FaceTime, Skype, Facebook messenger video, Whatsapp video chat, or Google hangouts video, but do not include livestreaming products.

HHS concluded the FAQs by stating that if a provider uses telehealth services during the COVID-19 pandemic and protected health information is intercepted during transmission, HHS will not pursue otherwise applicable penalties for any such breach.

Notably, in furtherance of the government’s efforts to promote the use of telehealth services to combat the COVID-19 pandemic, on March 23 HHS’s Centers for Medicare and Medicaid Services issued telehealth toolkits for providers available here (for general practitioners) and here (for ESRD providers).

This post was co-authored Lisa Thompson and is also being shared on our Health Law Diagnosis blog. If you’re interested in getting updates on developments affecting health information privacy and HIPAA related topics, we invite you to subscribe to the blog. 

HHS Targeted by Nation-State Hackers

Evil doers know that the best time to attack is during a crisis or a time of vulnerability. As the United States, and specifically, the Department of Health and Human Services (HHS) attempts to respond to and get ahead of the COVID-19 pandemic in the U.S., hackers, likely from a foreign enemy nation state, ramped up cyber attacks against HHS this past weekend.

HHS has acknowledged the increased attempts, and has confirmed that the attacks have been unsuccessful. It appears the attacks were designed to disrupt HHS’s response efforts during the pandemic, and to distract officials from their focus on the response to COVID-19.

Enemy nation states and cyber-criminals are taking advantage of the worldwide COVID-19 crisis to attack, intrude, disrupt and distract. We all need to be on high alert during this time of vulnerability and concern.

California Attorney General Releases Additional Modifications to Draft CCPA Regulations

On March 11, 2020, the California Attorney General released the second set of modifications to the draft California Consumer Privacy Act (CCPA) regulations. This set of modifications contains deletions to language that was included in the February modifications to the regulations as well as some new language. Notable changes include the deletions of the “do not sell my personal information” logo/button as well as the section that provided guidance regarding the interpretation of CCPA definitions, particularly the language that indicated that if a business collected the IP address, but did not link it to an individual, that it did not fall within the definition of personal information.

The March regulations added some additional definitions as well as language that specifies that a business that does not collect personal information directly from a consumer does not need to provide a notice at collection to the consumer if it does not sell the consumer’s personal information. In addition, language was added to provide that the notice at collection of employment-related information is not required to provide a link to the business’s privacy policy.

For businesses that sell a consumer’s personal information, if a business denies a consumer’s deletion request, it must ask the consumer if they would like to opt-out of the sale of their personal information if the consumer has not already made a request to do so.

With respect to privacy policies, the March regulations added language that a privacy policy must identify the categories of sources from which the personal information is collected and that the categories be described in a manner that provides consumers a meaningful understanding of the information being collected. For businesses that sell personal information, the March regulations also specified that the business must Identify the business or commercial purpose for collecting or selling personal information and that the purpose shall be described in a manner that provides consumers a meaningful understanding of why the information is collected or sold.

With respect to information that a business may collect such as social security numbers or driver’s license numbers, the March regulations now specify that although a business cannot release such information, it is required to disclose that it collects such information.

The deadline to submit comments to the regulations is March 27, 2020, by 5 p.m. PDT. Detailed information on the CCPA regulatory process is on the Attorney General’s website.