Healthcare Sector Warned About Akira Ransomware Attacks

The Healthcare and Public Health (HPH) Sector has been warned about cyberattacks involving Akira ransomware, of which there have been at least 81 since the new ransomware variant was discovered in May 2023. This is the second alert to be issued by the HHS’ Health Sector Cybersecurity Coordination Center in the past 6 months, with the latest alert including updated information on the tactics, techniques, and procedures (TTPs) used by the group.

Since the group operates out of Russia, attacks on targets in the Commonwealth of Independent States (CIS) are prohibited. The majority of Akira ransomware victims are located in the United States, concentrated in California, Texas, Illinois, and the East Coast states, especially the Northeast. The group has conducted attacks on targets in multiple sectors, with materials, manufacturing, goods and services, construction, education, finance, legal, and healthcare favored.

Akira is a ransomware-as-a-service (RaaS) operation that is thought to have ties to the Conti ransomware group. Conti was a prolific ransomware group that wreaked havoc over a two-year period from 2020 but was suddenly shut down in 2022. The TTPs used by Akira are similar in many areas to those of Conti, which suggests that the groups are linked and that Akira is a highly capable and sophisticated threat group. In 2017, another ransomware variant was identified that was also called Akira, but the latest attacks do not appear to be related.

Initial access is most commonly gained via compromised credentials, including credentials obtained through spear phishing, although the group is also known to exploit vulnerabilities in virtual private networks and other public-facing applications, especially those that do not have multifactor authentication enabled. Once initial access has been gained, the group establishes persistent access, uses tools to hide its activity from defenders, conducts network reconnaissance to understand the operational environment, then moves laterally and establishes communications with its command-and-control infrastructure. Like many other RaaS groups, Akira engages in double extortion, with sensitive data stolen before ransomware is deployed. Victims must pay two fees – one to decrypt their data and another to prevent the publication of the stolen data.

The alert includes several recommendations for improving security to prevent attacks and to reduce the severity of attacks that cannot be prevented. Preventative measures include using multi-factor authentication wherever possible; ensuring software is kept patched and up to date, especially for VPNs and other Internet-facing applications; disabling unused remote access ports; monitoring remote access logs; reviewing domain controllers, Active Directory, servers, and workstations for new accounts; reviewing Task Scheduler for unrecognized scheduled tasks; setting unique, complex passwords for accounts; and regularly changing passwords for network systems and accounts. Administrative credentials should be required to install software, and organizations should consider adding banners to emails that originate from external sources and disabling hyperlinks in emails. To minimize the harm caused, networks should be segmented and backups regularly performed, with backups stored offline. Copies of critical data should not be accessible for modification or deletion from the system where the data resides.
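Three of the review steps above (new accounts, unrecognized scheduled tasks, remote access logs) can be turned into a repeatable triage script. The following is an added example written for this page, not code from the HIPAA Journal article or the HHS alert. It assumes the environment forwards Windows Security events using the standard Event IDs 4720 (user account created) and 4698 (scheduled task created), and that the VPN appliance writes one JSON record per login with a `mfa_passed` field; the event records, VPN lines, allowlists and hostnames below are all constructed for the example.

```python
"""Triage helper for the post-access indicators the HHS alert tells defenders to review.

Added example, not from the HIPAA Journal article or the HHS alert. It scans
Windows Security event records and VPN access records (both constructed here,
not real telemetry) for:
  * new accounts (Event ID 4720) that change control did not approve,
  * scheduled tasks (Event ID 4698) that are not on the known-task list,
  * successful remote-access logins that did not complete MFA.
Actors that show up in more than one of these sources are singled out, since a
fresh account plus a non-MFA VPN login is exactly the post-access pattern the
alert describes.
"""
import json
from dataclasses import dataclass

# Known-good items from change control (constructed for the example).
ALLOWED_NEW_ACCOUNTS = {"svc-backup"}
ALLOWED_TASKS = {r"\Microsoft\Windows\Defrag\ScheduledDefrag"}

# Constructed Windows Security events (field names mirror the XML event schema).
SECURITY_EVENTS = [
    {"EventID": 4720, "Computer": "DC01", "SubjectUserName": "admin.jdoe", "TargetUserName": "svc-backup"},
    {"EventID": 4720, "Computer": "WS-RAD-07", "SubjectUserName": "rad.tech3", "TargetUserName": "support$"},
    {"EventID": 4698, "Computer": "FS02", "SubjectUserName": "rad.tech3", "TaskName": r"\Updater"},
    {"EventID": 4698, "Computer": "WS-RAD-07", "SubjectUserName": "SYSTEM",
     "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
    {"EventID": 4624, "Computer": "DC01", "SubjectUserName": "-", "TargetUserName": "nurse.lee"},
]

# Constructed VPN access log, one JSON object per line (hypothetical appliance format).
VPN_LOG_LINES = [
    '{"ts": "2024-02-10T02:14:05Z", "user": "nurse.lee", "src_ip": "198.51.100.23", "result": "success", "mfa_passed": true}',
    '{"ts": "2024-02-10T02:31:47Z", "user": "rad.tech3", "src_ip": "203.0.113.77", "result": "success", "mfa_passed": false}',
    '{"ts": "2024-02-10T02:32:10Z", "user": "rad.tech3", "src_ip": "203.0.113.77", "result": "failure", "mfa_passed": false}',
]


@dataclass(frozen=True)
class Finding:
    source: str   # "security-log" or "vpn"
    actor: str    # account that performed the action
    subject: str  # account/task created, or source IP of the login
    detail: str


def review_security_events(events):
    """Flag account and scheduled-task creations that change control did not approve."""
    findings = []
    for e in events:
        eid = e.get("EventID")
        if eid == 4720 and e["TargetUserName"] not in ALLOWED_NEW_ACCOUNTS:
            findings.append(Finding("security-log", e["SubjectUserName"], e["TargetUserName"],
                                    f"account created on {e['Computer']}"))
        elif eid == 4698 and e["TaskName"] not in ALLOWED_TASKS:
            findings.append(Finding("security-log", e["SubjectUserName"], e["TaskName"],
                                    f"scheduled task registered on {e['Computer']}"))
    return findings


def review_vpn_logins(lines):
    """Flag successful remote-access logins that did not complete MFA."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        if rec["result"] == "success" and not rec.get("mfa_passed", False):
            findings.append(Finding("vpn", rec["user"], rec["src_ip"],
                                    f"login at {rec['ts']} without MFA"))
    return findings


def triage(events, vpn_lines):
    return review_security_events(events) + review_vpn_logins(vpn_lines)


def correlated_actors(findings):
    """Actors with findings from more than one source deserve the first look."""
    sources = {}
    for f in findings:
        sources.setdefault(f.actor, set()).add(f.source)
    return {actor for actor, srcs in sources.items() if len(srcs) > 1}


if __name__ == "__main__":
    results = triage(SECURITY_EVENTS, VPN_LOG_LINES)
    for f in results:
        print(f"[{f.source}] actor={f.actor} subject={f.subject}: {f.detail}")
    print("review first:", sorted(correlated_actors(results)))
```

Run against the constructed data, the script reports the unapproved `support$` account, the unknown `\Updater` task and one non-MFA VPN login, and names `rad.tech3` as the actor common to both sources. The allowlists are the part that needs real maintenance: every approved account creation and task must be recorded there, or the review degrades into noise that nobody reads.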

The post Healthcare Sector Warned About Akira Ransomware Attacks appeared first on HIPAA Journal.

HHS Issues Final Rule Modifying the Confidentiality of Substance Use Disorder (SUD) Patient Records Regulations

The U.S. Department of Health and Human Services (HHS) has finalized the proposed modifications to the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 CFR part 2 (Part 2). “The Final Rule strengthens confidentiality protections while improving care coordination for patients and providers. Patients can seek needed treatment and care for substance use disorder knowing that greater protections are in place to keep their records private, and providers can now better share information to improve patient care,” said OCR Director Melanie Fontes Rainer.

The Part 2 regulations have been in effect since 1975 and protect “records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance use disorder [SUD] education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.” These records are subject to strict protections because of the sensitivity of the information they contain and to avoid deterring people from seeking treatment for SUD out of fear of discrimination and prosecution.

The bipartisan Coronavirus Aid, Relief, and Economic Security Act (CARES Act) called for the Part 2 regulations to be more closely aligned with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Breach Notification, and Enforcement Rules. On December 2, 2022, the HHS, via the Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA), published a Notice of Proposed Rulemaking (NPRM) to implement the changes required by the CARES Act. The comments received from industry stakeholders in response to the NPRM have been considered and appropriate modifications have been made before finalizing the changes.

The modifications include permitting the use and disclosure of Part 2 records based on a single patient consent. Once that consent has been given by a patient it covers all future uses and disclosures for treatment, payment, and health care operations. The final rule also permits disclosure of records without patient consent to public health authorities, provided the records are first deidentified using the methods stated in HIPAA. Redisclosure of Part 2 records by HIPAA-covered entities and business associates is permitted, provided those disclosures are in accordance with the HIPAA Privacy Rule, with certain exceptions. Separate consent is required for the disclosure of SUD clinician notes, which will be handled in the same way that psychotherapy notes are handled under HIPAA.

Patients’ SUD treatment records were already protected and could not be used to investigate or prosecute the patient unless written consent is obtained from the patient or as required by a court order that meets Part 2 requirements. Prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative, and legislative proceedings have also been expanded in the final rule. The final rule clarifies the steps that investigative agencies must follow to be eligible for safe harbor. Before any request for records is made, the agency is required to search the SAMHSA treatment facility directory and check the provider’s Notice of Privacy Practices to determine if they are subject to Part 2.

The final rule gives patients new rights to obtain an “accounting of disclosures,” request restrictions on certain disclosures, and opt out of receiving fundraising communications, as is the case under the HIPAA Privacy Rule. Patients will also be able to file a complaint about Part 2 violations directly with the Secretary. In the event of a breach of Part 2 records, the requirements for notifications are now the same as the HIPAA Breach Notification Rule. The HHS has also been given enforcement authority, including the ability to impose civil monetary penalties for Part 2 violations. The criminal and civil penalties for Part 2 violations will be the same as those for violations of the HIPAA Rules. Other changes that have been introduced based on comments received on the NPRM include a statement confirming that Part 2 records do not need to be segregated and that it is not permitted to combine patient consent for the use and disclosure of records for civil, criminal, administrative, or legislative proceedings with patient consent for any other use or disclosure.

“Patient confidentiality is one of the bedrock principles in health care. People who are struggling with substance use disorders must have the same ability to keep their information private as anyone else. This new rule helps to ensure that happens, by strengthening confidentiality protections and improving the integration of behavioral health with other medical records,” said HHS Secretary Xavier Becerra. “The Biden-Harris Administration has made it a priority to end the stigmatization of those living with substance use disorders and give health care providers the tools they need so they can treat the whole patient while continuing to protect patient privacy. We will not rest until behavioral health is fully integrated into health care and those struggling with behavioral health challenges get the best treatment available.”

The final rule is due to be published in the Federal Register in mid-February. The compliance date has been set as 2 years from the date of publication. A fact sheet has been published by the HHS summarizing the changes that have been made in the Final Rule.


7 Benefits of Patient Scheduling Software

Patient scheduling software is software that can be used by patients to self-book healthcare appointments, by physicians to fill their schedules, and by medical practices to synchronize patient appointments with physician and treatment room availability in order to optimize the use of time and resources. Depending on the capabilities of the software and how it is used, there can be dozens of benefits of patient scheduling software. This article discusses the seven most common benefits.

How Does Patient Scheduling Software Work?

Patient scheduling software most often consists of a cloud-based appointment booking platform which integrates with a healthcare organization’s practice management system and EHR system. Patients access the platform via a web link, patient portal, and/or mobile app to see what slots are available for their preferred physician – or the most relevant physician – and self-book appointments. The booking platform automatically adds each self-booked appointment to physicians’ schedules.

Physicians access their schedules via a web portal or mobile app and can instantly see what their schedule looks like and where gaps exist. Depending on how the platform is integrated with an organization’s practice management system and EHR system, physicians can fill the gaps by sending a text message, email, or push notification via the platform inviting patients with non-urgent health needs (e.g., patients due for a routine health check) to book an appointment in an available slot.

The patient scheduling software gives practice managers a holistic view of patients’ bookings, physicians’ schedules, and – when the platform supports patient messaging – the nature of consultations (e.g., pediatric care, immunizations, home visits). The holistic view enables practice managers to ensure the right people are in the right place at the right time and that preparations are made (for example) for assisting patients with mobility issues or for consultations that may require infection containment.

The 7 Benefits of Patient Scheduling Software

Because different medical practices differ in size and operate in different ways, there is no one-size-fits-all patient appointment scheduling software. It is up to each individual practice to evaluate the options in order to determine the best patient scheduling software solution for their needs. However, whichever online patient scheduling system is selected, it should be capable of delivering the following 7 common benefits at a minimum.

#1 Improved Patient Experience

To fully appreciate how patient self-scheduling software can improve the patient experience, consider how much better it serves a patient who lacks the confidence to discuss their condition with a receptionist over the phone, whose first language is not English, or who is too ill to speak but is still capable of tapping buttons on a mobile device.

In addition, by giving patients the convenience to book appointments when the practice is closed, the control over which physician they see and when, and the ability to message the practice ahead of the appointment, patients are empowered to take responsibility for their wellbeing – leading to increased patient compliance with prescribed medications and therapies, and better patient outcomes.

#2 Minimized Patient Wait Times

One of the ways in which patient appointment scheduling software minimizes patient wait times is automated gap filling. It was mentioned above that, when a physician identifies a gap in their schedule, they can search practice databases to identify patients with non-urgent health needs and invite them to book an appointment in an available slot to fill the scheduling gap.

As an alternative, some patient appointment scheduling software can analyze appointments already booked for future dates to see if any match the available physician. These patients can then be contacted via their preferred channel of communication (e.g., text message, email, or push notification) to see if they would like to bring their appointment forward to fill the scheduling gap.

#3 Prioritized Care for Urgent Needs

The process of bringing appointments forward to fill scheduling gaps can also be used in reverse to push appointments back or reschedule appointments if a patient with urgent or complicated needs has to be prioritized. In such cases, the patient scheduling system can automatically contact patients with non-urgent appointments to advise them of the change of time/date and request confirmation.

Patients with urgent or complicated medical needs are more likely to require longer appointments or multiple appointments. To reschedule non-urgent patients manually is not only complex and time-consuming, but also prone to errors and miscommunications – notwithstanding that some patients with non-urgent appointments may become abusive over the phone when advised of the change.

#4 Reduced Cancellations & No Shows

A feature that all software for scheduling patient appointments should include is an automated patient reminder. Because some patients with non-urgent medical needs might book an appointment a long time in advance (e.g., during their next vacation from work), this feature sends a reminder to patients before appointments in order to reduce cancellations and no-shows caused by forgetfulness.

The automated patient reminder feature should be customizable so the wording of the reminder can be adjusted to be appropriate for the circumstance. While it can be beneficial for patient attendance to send reminders that use strong and committed language, it may be inappropriate to send a strong and committed message to a patient who has made an appointment for grief counselling.

#5 More Efficient Resource Management

This benefit of automated online patient scheduling not only applies to making better use of physicians’ time, reducing the overhead of managing patient waitlists, and being able to turn off the heating earlier when a treatment room is not going to be used for the rest of the day, but it can also apply to other resources used by the medical practice.

One important resource for small to medium sized medical practices is staff training. All medical practices are required to provide HIPAA training, OSHA training, and emergency preparedness training, and it is difficult to provide group training when physicians have overlapping schedules. By scheduling patient appointments to coincide, staff training can be provided to all members of the workforce at the same time – making more efficient use of training resources.

#6 Improved Billing and Payment Processes

When patient scheduling software is integrated into a practice management system, practice managers can use the same communication tools as used by physicians to fill scheduling gaps in order to bill patients and send payment reminders. The difference between the two processes is, rather than a text message, email, or push notification directing a patient to an appointment scheduling portal, they are directed to a payment portal.

In some cases, integrations between patient scheduling software and practice management systems can support card-on-file payments, similar to those used by many online shopping websites. Card-on-file payments can accelerate collections from patients, reduce non-payments, and protect both patients and practices from credit card fraud. It is also claimed that card-on-file payments build trust between practices and patients and contribute towards patient retention.

#7 HIPAA Compliant Messaging

Online patient scheduling and payment systems do not only have to be used for patient scheduling and payments. Cloud-based appointment booking platforms have to be secure by design to safeguard the privacy of Protected Health Information (PHI), and this means they can be adapted for other HIPAA compliant messaging purposes that can further improve the patient experience.

Patients may be able to raise health concerns via the platform that can be answered by a physician without the need to visit the practice. Patients may also be able to request copies of PHI or download PHI via the system, while physicians can send patients electronic consent forms to sign digitally ahead of a procedure. Practices can also use the platform to (for example) alert patients to a change in their HIPAA Notice of Privacy Practices.

Patient Appointment Scheduling Software and HIPAA Compliance

Before using patient appointment scheduling software, it is important to consider the implications for HIPAA compliance. No software of any type is HIPAA compliant in itself; even the best patient scheduling software can only support an organization’s HIPAA compliance. In addition, depending on how the system is accessed by patients, it may be necessary to educate patients about online security.

Patient education matters because, if the patient scheduling system connects with an EHR so patients can view their medical histories, patients need to be alerted to the risks of using weak passwords (if the system is accessed via a web portal) or of not PIN-locking their mobile devices (if the system is accessed via a mobile app). All advice provided to patients should be documented in case of a subsequent disclosure of PHI attributable to patient negligence.

Workforce members must also be trained on security best practices to prevent data breaches attributable to phishing, malware, and ransomware, and system administrators must ensure the patient appointment scheduling software is configured to comply with the Administrative and Technical Safeguards of the Security Rule (compliance with the Physical Safeguards is most often a shared responsibility between the medical practice and the software vendor).

It is also important that a Business Associate Agreement is entered into with the software vendor before any PHI is disclosed to the vendor and before the patient scheduling software is integrated with a practice management system or EHR. The requirements for a valid HIPAA Business Associate Agreement can be found here; and, if practice managers have any further questions about patient appointment scheduling software and HIPAA compliance, it is advisable to seek professional compliance advice.
