FBI Sounds Alarm on Cyber Attacks Against Healthcare Payment Processors – On September 14, 2022, the Federal Bureau of Investigation (FBI) issued a Private Industry Notification (Notification) warning the industry regarding increasing cyber-attack activity against healthcare providers and payment processors. In the Notification, the FBI describes the escalation in attacks and resulting monetary losses and lists numerous recommendations for healthcare providers and payment processors to reduce the risk of compromise.
The Notification describes three incidents in 2022 in which cyber criminals obtained credentials to the systems of healthcare companies and used the credentials to divert transactions totaling between $700,000 and $3,100,000. The Notification also states that at least 65 healthcare payment processors in the U.S. were targeted by cyber criminals in 2018-2019 for purposes of replacing legitimate customer banking and contact information with accounts controlled by the cyber criminals. The cyber attacks involved a variety of methods and tools, including use of publicly available information, phishing schemes, social engineering, changes in email exchange server configuration, and requests for employees to reset both passwords and two-factor authentication (2FA) phone numbers within a short timeframe.
Based on the threat posed by these recent attacks, the FBI recommends the following mitigation measures, among others:
- Ensure anti-virus and anti-malware is enabled and regularly updated.
- Conduct regular network security assessments.
- Implement training for employees on how to identify and report phishing, social engineering, and spoofing attempts.
- Advise all employees to exercise caution while revealing sensitive information, such as login credentials, through phone or web communications.
- Use multi-factor authentication for all accounts and login credentials.
- Update or draft an incident response plan.
- Mitigate vulnerabilities related to third-party vendors.
- Verify and modify as needed contract renewals to include the inability to change both credentials and 2FA within the same timeframe.
- Ensure company policies include verification of any changes to existing invoices, bank deposits, and contact information for interactions with third-party vendors and organizational collaborations.
- Create protocols for employees to report privacy and security irregularities.
- Require strong and unique passphrases.
- Implement mandatory passphrase changes upon evidence of system or network compromise.
- Apply timely patching.
In addition to the above, healthcare providers should consider using mock phishing emails for training, conducting table-top exercises for leadership, engaging external vendors for risk assessments, and spreading awareness of the elevated threat.
The Notification is available here.
Reporter, Igor Gorlach, Houston, +1 713 276 7326, firstname.lastname@example.org.
ALSO IN THE NEWS
Comments Requested on No Surprises Act Advanced EOB and Good Faith Estimate Requirements – HHS, the Department of Labor, and the Treasury released a request for information to inform future rulemaking to implement advanced explanation of benefits (EOB) and good faith estimate requirements under the No Surprises Act. Providers and facilities are currently required to provide uninsured and self-pay patients a good faith estimate in accordance with the Interim Final Rule published in September, but the requirement to provide an advanced EOB to insured patients has been deferred pending future rulemaking. Comments may be submitted online here, or by mail. Comments are due November 15, 2022.
Medicaid Mobile Crisis Intervention Services Program in Oregon Approved by HHS – On September 12, 2022, CMS approved the Oregon Health Authority’s Medicaid state plan amendment that will allow Oregon to provide community-based stabilization services to individuals with Medicaid who are experiencing mental health or substance use crises. These services will be available 24/7 and will connect individuals experiencing mental health crises to behavioral health specialists. Oregon’s proposal is the first in the nation under the new Medicaid option, which became available in April 2022 under the American Rescue Plan. The American Rescue Plan designated $15 million in planning grants to develop these types of programs. These programs aim to provide individuals with the following services: screening and assessment; community-based stabilization and de-escalation; and coordination with and referrals to health, social services and other services. This new option is one of many major actions taken by HHS to strengthen and expand access to crisis care. For instance, the U.S. also recently transitioned the 10-digit National Suicide Prevention Lifeline to 988 on July 16, 2022. CMS’s full press release regarding Oregon’s approved plan to provide mobile crisis intervention services can be found here.
CMS Announces Updated COVID-19 Vaccines that Fight Omicron Variant Available at No Cost – On September 12, 2022, CMS announced that people with Medicare, Medicaid, Children’s Health Insurance Program (CHIP) coverage, private insurance, or no health coverage can receive COVID-19 vaccines at no cost. This includes the updated Moderna and Pfizer-BioNTech vaccines that target two Omicron variants (BA.4/BA.5), which are the most prevalent variants in the U.S. CMS stated that these vaccines will be available at no cost for as long as the federal government continues to purchase and distribute them. Individuals are eligible for an updated vaccine at least two months after completing the primary vaccination series (two doses of Pfizer-BioNTech, Moderna, or Novavax, or one dose of Johnson & Johnson). The full press release from CMS can be found here.
King & Spalding Webinar – No Surprises Act Update: The IDR Process Final Rules and the Impact on Managed Care – This panel presentation will explore the Final Rule on the Independent Dispute Resolution (IDR) Process under the No Surprises Act issued by HHS, the Department of Labor, and the Treasury on August 19, 2022, as well as the accompanying guidance and their collective implications. Topics for discussion include:
- The impact of the new Final Rule on the IDR process;
- Lessons learned from the first five months of the IDR process;
- Prior challenges to the interim Final Rule addressing the IDR process and potential future challenges to the Final Rule; and
- The impact of the No Surprises Act on the managed care landscape.
The webinar will be held on September 22, 2022 from 12:00 to 1:00 p.m. ET. Additional information and a link to register can be found here.