Federal Advisory Raises Awareness of Scams Linked to COVID-19 Economic Impact Payments

The IRS, the DHS Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury have published a joint alert to raise awareness of phishing and other cyberattacks tied to the Coronavirus Aid, Relief, and Economic Security (CARES) Act.

The CARES Act makes $2 trillion available to support businesses and individuals harmed by the COVID-19 crisis, including economic impact payments to eligible Americans to ease the financial burden. Cybercriminals are using those payments as a lure in phishing campaigns to harvest personal and financial information and to try to redirect payments to accounts they control. Everyone in the United States is urged to be alert to fraud connected with the CARES Act and COVID-19.

The U.S. government reports that many cybercriminal groups are using stimulus-themed lures in phishing emails and text messages to obtain sensitive information, including bank account details. Financial institutions have been asked to remind their customers of good cybersecurity practices and to watch for suspicious account activity and account creation.

Criminals are using CARES Act-themed emails and websites to harvest data, deliver malware, and gain access to computer systems. Lures include loan and grant programs, economic stimulus, personal checks, and other subjects connected with the Act. These campaigns could support a wide range of follow-on activity that may jeopardize the rollout of CARES Act relief.

Threat actors may also attempt to disrupt the operations of the institutions responsible for implementing the CARES Act, including by deploying ransomware to interrupt the flow of funds and extort recipients. Federal, state, local, and tribal organizations are advised to assess their loan processing, banking, and payment systems and harden them against attack.

Foreign threat actors have been observed filing fraudulent claims for COVID-19 relief money. One Nigerian business email compromise (BEC) gang, known as Scattered Canary, is believed to have filed more than 200 fraudulent claims for unemployment benefits and CARES Act payments through state unemployment websites, using data stolen in earlier W-2 phishing attacks. The gang has filed at least 174 fraudulent claims with the state of Washington and about 12 with the state of Massachusetts, and around eight states have been targeted so far.

The U.S. government has been sharing threat intelligence and cybersecurity best practices to help disrupt and prevent this criminal activity. The U.S. Secret Service is focusing its investigative operations on identifying people exploiting the pandemic, bringing them to justice, and recovering money lost to these crimes.

The IRS has reminded taxpayers that it will not contact them by email, text message, or social media to request personal or financial information such as bank account numbers, PINs, or credit card details. It has also warned that copycat websites may be set up to harvest sensitive information, and that any domain name should be checked carefully for transposed letters or a mismatched TLS certificate. The IRS uses only www.irs.gov and the IRS-run site https://www.freefilefillableforms.com/.
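The advice to check a domain for transposed letters can be automated. The following Python is an added example, not code from the IRS/CISA alert: it classifies a link by comparing its registrable domain with irs.gov and freefilefillableforms.com using an edit distance that counts a swap of two adjacent letters as one edit, and it goes a little beyond the alert's wording by also catching digit-for-letter substitutions and the real name buried in a subdomain of an unrelated site. The trusted list, the edit threshold, the confusable-character map, and the sample URLs are assumptions for illustration; the certificate check the alert also mentions needs a live connection and is not attempted here.

```python
"""Lookalike-domain check for links in IRS-themed messages (added example)."""
from urllib.parse import urlsplit

# The only two sites the alert says the IRS uses; anything else is untrusted.
TRUSTED = ("irs.gov", "freefilefillableforms.com")

# Characters attackers substitute for visually similar letters (assumed map).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or
    swap two adjacent characters, each costing 1 (so 'isr' vs 'irs' is 1)."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[rows - 1][cols - 1]


def hostname_of(url):
    """Lower-cased host from a URL or bare host string ('' if none)."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_part(host):
    """Last two labels of the host. Deliberately naive (no public suffix
    list), which is enough for the .gov and .com names compared here."""
    return ".".join(host.split(".")[-2:])


def classify_link(url, max_edits=2):
    """'trusted', 'brand-in-subdomain', 'lookalike', 'unrelated' or 'invalid'."""
    host = hostname_of(url)
    if not host:
        return "invalid"
    reg = registrable_part(host)
    if reg in TRUSTED:
        return "trusted"
    # e.g. irs.gov.stimulus-check.com: the real name appears only as a subdomain.
    for name in TRUSTED:
        if host.startswith(name + ".") or ("." + name + ".") in host:
            return "brand-in-subdomain"
    # Typos, transpositions and digit-for-letter swaps against the real names.
    normalized = reg.translate(CONFUSABLES).replace("rn", "m")
    for name in TRUSTED:
        if osa_distance(normalized, name) <= max_edits:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links; none of these are real phishing URLs.
    for u in ("https://www.irs.gov/coronavirus", "http://www.isr.gov/refund",
              "https://irs.gov.stimulus-check.com/login", "http://1rs.g0v/",
              "https://www.freefilefillableforms.com/", "https://www.example.com/"):
        print(f"{classify_link(u):<19} {u}")
```

The naive two-label registrable domain is the main limitation: for country-code TLDs such as .co.uk a public suffix list would be needed, and an "unrelated" verdict says nothing about whether the site is safe, only that it is not imitating the two IRS domains.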

All U.S. citizens are advised to remain vigilant, monitor their financial accounts for signs of fraudulent activity, and report phishing attempts and other fraud to the appropriate authorities. Anyone who believes they have fallen for a scam and disclosed sensitive information about their business should also notify their employer.

The alert, Avoid Scams Related To Economic Payments, COVID-19, is available for download.

Guidance Document on Managing the Cybersecurity Tactical Response During a Pandemic

The Healthcare and Public Health Sector Coordinating Council (HSCC) and the Health Information Sharing and Analysis Center (H-ISAC) have published joint guidance on managing the cybersecurity tactical response during emergency conditions such as a pandemic.

Threat actors will attempt to exploit emergency events to conduct attacks, as has been clearly seen during the COVID-19 pandemic. In many emergencies the duration of the event limits the window in which threat actors can capitalize on it, but a pandemic prolongs the period of exposure. The SARS-CoV-2 outbreak was declared a public health emergency on January 30, 2020, giving threat actors ample time to use COVID-19 themes in attacks on the healthcare sector.

Planning is essential to managing the elevated cybersecurity risk during emergency conditions. Without it, healthcare providers will be constantly firefighting and struggling to improve security at the very time resources are stretched thin.

The guidance was developed for the COVID-19 crisis by HSCC's Cybersecurity Working Group (CWG), H-ISAC, and healthcare sector and government cybersecurity professionals. It is intended to help healthcare providers build a tactical response to the cybersecurity threats that emerge during emergencies and to improve their overall level of readiness.

During the COVID-19 pandemic, threat actors have conducted a range of attacks on healthcare organizations, including domain attacks, phishing, malware, and ransomware. The attacks came as providers were struggling to care for highly infectious patients, adopt remote diagnostic and treatment services, and move staff to teleworking to slow the spread of the virus. These changes in working practices greatly expanded the attack surface and introduced new attack vectors and vulnerabilities.

Exposure to malicious actors grows with each gain delivered by automation, interoperability, and data analytics. To counter attacks before they occur, healthcare organizations need to establish, use, and maintain current, effective cybersecurity strategies.

Healthcare organizations of all sizes can use the guidance to strengthen their cybersecurity programs and prepare for emergencies. Smaller organizations can use it to select appropriate measures to improve their security posture, while larger organizations that already have a tactical crisis response in place can use it as a checklist to make sure nothing has been missed.

The guidance groups strategies, practices, and activities into four main categories:

  1. Education and Outreach
  2. Enhance Prevention Techniques
  3. Enhance Detection and Response
  4. Take Care of the Team

The cybersecurity response to a crisis is mostly concerned with technical controls, but HSCC/H-ISAC stresses that education and outreach are critical to the success of the response plan. In an emergency, even the best-laid plans can come apart without the right education and outreach. Organizations that communicate their plans well reduce confusion, improve response times, and increase the effectiveness of their cybersecurity plan. The guide explains how to build a communication plan and how to conduct policy and procedure reviews properly.

Preventing cyberattacks is paramount. Most healthcare organizations will already have had many controls in place before the public health emergency, but HSCC/H-ISAC recommends that three practices be reviewed: reducing the attack surface, strengthening remote access, and using threat intelligence feeds.

Reducing the attack surface requires reliable vulnerability management, prompt patching, securing medical devices and endpoints, and controlling third-party network access. The guidance recommends several techniques for securing remote access and explains how to use threat intelligence feeds to prevent attacks and speed up the response.

Many attacks are difficult to prevent, so organizations also need processes for detecting successful attacks and responding quickly. The guidance recommends a number of steps to improve detection of and response to attacks.

It is equally important to take care of the team. In a crisis, health, well-being, job security, and financial stability are all major concerns for healthcare staff. Organizations need to communicate clearly with employees, address those concerns, and explain how the organization will support staff through the crisis.

The guidance document is available for download. Earlier this month HSCC published a separate guidance document on the steps healthcare organizations can take to protect trade secrets and research, which is also available.

Survey Reveals the State of Workplace Safety and Preparedness in the Healthcare Industry

Rave Mobile Safety has published the results of its annual workplace safety and preparedness survey, conducted in early 2020. The report examines emergency preparedness in healthcare and other industries across the United States. Note that the survey was conducted before COVID-19 was declared a public health emergency, which has most likely shifted priorities at many organizations.

Workplace Safety in 2020

The coronavirus pandemic has highlighted the need for effective communication during emergencies, but the survey points to other important reasons to improve safety and communication in the workplace. When the survey was last conducted in 2019, 26 respondents reported incidents of workplace violence; this year the number of employees who had experienced violence at work had doubled.

The survey found that employees are now more safety-conscious. 58% of respondents said they would report a safety concern at work whether or not they could do so anonymously, but 41% of Gen Z and millennial respondents would report a safety concern only if they could do so anonymously. This suggests that 18- to 29-year-olds fear that raising safety concerns will have negative consequences.

Although most employers have emergency plans, most are not running drills. For example, 76% of organizations have plans for severe weather events, but only 40% had run drills to practice their response, even though 48% of respondents said their workplace had experienced a severe weather event in the past year. Many organizations have emergency plans for cyberattacks, yet 51% of respondents said no drills had been conducted to test those plans. About 30% of employees were unsure of or unaware of their employer's emergency plans, with 18- to 29-year-olds the least aware.

Emergency Communications

The range of methods used to communicate with employees during emergencies has grown in 2020. Email remains the most common channel, used by 63% of organizations to deliver critical information, but options such as mass text messaging are gaining ground. Mass SMS is now used by 42% of the organizations represented in the survey, though many still rely on dated methods such as in-person announcements, which leave out remote workers.

The survey shows that employers often stick to outdated communication methods even though employees would prefer to receive safety and security notifications through a faster, more accessible channel such as mass texting.

Emergency Communication in the Healthcare Industry

A sizeable proportion of healthcare employees were unaware of emergency plans for events such as system failures (22%) and active shooters (16%). During emergencies, email was the most common communication channel, used by 65% of healthcare organizations, followed by intercom systems (50%) and in-person announcements (44%). Although these can be useful on site, they are ineffective for reaching remote employees, who would prefer to receive notifications by text message; yet only 41% of healthcare providers use mass text alerts during emergencies. The survey also found gaps in safety practices: 80% of healthcare workers are not required to perform a safety check-in when working off site.

The complete findings of the Annual Workplace Safety and Preparedness Survey are available in the full report.

Ciitizen HIPAA Right of Access Report Reveals Considerable Improvement in Compliance

Healthcare organizations' compliance with the HIPAA Right of Access has improved considerably, according to the latest Ciitizen Patient Record Scorecard report.

For the report, Ciitizen assessed 820 healthcare organizations on how they handled patient requests for copies of their medical records. Organizations of all types were evaluated, from single-physician practices to large hospital systems.

Under the HIPAA Privacy Rule, patients have the right to request a copy of their medical records from their healthcare providers. Requests should be submitted in writing, and the provider must supply a copy of the protected health information in the designated record set within 30 days of the request. The copy must be provided in the form and format the patient asked for if it is readily producible in that form; if not, the provider must supply it in a readable hard copy or another format agreed to with the patient.

For the study, Ciitizen users submitted requests for copies of their medical records to healthcare providers, and each provider was scored from 1 to 5 based on its performance. A 1-star rating indicates a non-compliant response. 2 stars are awarded when the request was eventually fulfilled but only after several escalations to supervisors. 3 stars are awarded when the request was fulfilled with minimal intervention, and 4 stars go to providers that were fully compliant and handled the request smoothly. A 5-star rating is reserved for providers with a patient-focused approach that goes beyond HIPAA's requirements.

Earlier studies found that a majority of providers (51%) were not compliant with the HIPAA Right of Access. The latest study found that figure had fallen to 27%. The proportion of organizations receiving 4-star ratings rose from 40% to 67%, and the proportion receiving 5-star ratings rose from 20% to 28%.

Another positive finding from this year's report is that only 6% of the 820 healthcare organizations charged patients reasonable fees for producing the records.

In previous studies, many organizations required patients to complete a specific form, but this year almost all providers accepted any written request and did not require patients to sign a particular form before producing the records.

The latest study covered a much larger sample, which might account for some of the apparent improvement in compliance: 51 providers were assessed for the first Patient Record Scorecard, 210 for the second, and 820 for the third. Ciitizen notes, however, that the proportion of non-compliant providers in its studies matched that of a separate study of 3,000 providers, which suggests the improvement is genuine.

Ciitizen attributes the improved compliance to three main factors:

  • Greater emphasis on individuals' right to obtain copies of their records since the HHS Centers for Medicare and Medicaid Services and the HHS Office of the National Coordinator for Health IT issued new rules that make it much easier for patients to obtain copies.
  • The positive influence of release of information (ROI) vendors, which process patient record requests on behalf of covered entities and help keep them compliant with the HIPAA Right of Access.
  • The HHS Office for Civil Rights launched a HIPAA Right of Access enforcement initiative last year and has since fined two non-compliant covered entities $85,000 each.

Ciitizen's decision to publish each provider's score on a public website may also have motivated providers to comply with this important part of HIPAA.

Maze Ransomware Attack on ExecuPharm

On March 13, 2020, ExecuPharm, a pharmaceutical company based in King of Prussia, PA, suffered a Maze ransomware attack in which sensitive data was stolen. The Maze operators conduct hands-on attacks and exfiltrate data from the victim before encrypting it, then threaten to publish the data if the ransom is not paid. That is what happened in this case.

The Maze operators had previously told the press that they would not attack medical organizations during the COVID-19 crisis, but pharmaceutical companies evidently are not exempt. The data posted on the Maze leak site includes financial records, documents, database backups, and other sensitive information.

According to a statement from ExecuPharm, a leading cybersecurity firm is assisting with the investigation to determine the nature and scope of the breach. The company has reported the breach to the authorities and notified all affected individuals.

In addition to company data, the attackers accessed and downloaded employees' personal information, including financial data, Social Security numbers, driver's license numbers, passport numbers, bank account details, credit card numbers, IBAN/SWIFT numbers, national insurance numbers, beneficiary information, and other sensitive data. Some information relating to ExecuPharm's parent company, Parexel, was also taken. Affected individuals have been offered one year of complimentary identity theft monitoring.

ExecuPharm rebuilt its servers and restored its data from backups. It is also putting additional defenses in place, including multi-factor authentication for remote connections, detection and response forensics tools on all systems, endpoint security, and stronger email security controls to block ransomware emails.

Ransomware Attack on Brandywine Counselling and Community Services

Brandywine Counselling and Community Services in Delaware also recently suffered a ransomware attack.

Brandywine discovered the attack on February 10, 2020 and engaged a computer forensics firm to assist with the investigation, which confirmed that the affected servers held client data that the attackers had accessed.

The breach was reported to the HHS Office for Civil Rights as affecting 4,262 individuals. The exposed information included client names, addresses, dates of birth, and/or limited clinical information such as provider names, diagnoses, treatment information, and/or prescriptions, along with some driver's license numbers and Social Security numbers.

Individuals whose driver's license number or Social Security number was exposed have been offered free credit monitoring and identity theft protection services, and additional security measures are being implemented to prevent further ransomware attacks.

CISA Warns of Continued Cyberattacks on Pulse Secure VPNs Despite Patching

The DHS Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert to all organizations using Pulse Secure VPN servers warning that patching the known vulnerability may not be enough to stop attacks. CISA has learned that attacks are continuing even on devices where the patch has been applied.

CISA had earlier issued an alert urging organizations to patch a vulnerability (CVE-2019-11510) in Pulse Secure VPN appliances because of the high likelihood of exploitation. Many organizations did not apply the patch promptly, and attackers took advantage.

CVE-2019-11510 is an arbitrary file read vulnerability affecting Pulse Secure VPN appliances. It was discovered in spring 2019 and Pulse Secure released a patch in April 2019. Several advanced persistent threat groups are known to have exploited it to steal data and deploy ransomware and other malware. Because the flaw lets an unauthenticated attacker read files on the appliance, including stored credentials, the attackers can keep access to the network even after the patch is applied if those credentials are not changed.

CISA has observed threat actors exploiting the vulnerability to deploy ransomware at several government agencies and hospitals, including after patches had been applied. The attacks followed a three-step pattern.

First, the attackers exploited the vulnerability to gain network access through the unpatched VPN appliance.

Second, they obtained plaintext Active Directory credentials and used the associated accounts with external remote services for access and lateral movement.

Third, they deployed malware and ransomware and/or exfiltrated sensitive organizational data and offered it for sale.

The attackers used Tor infrastructure and virtual private servers to reduce the chance of detection when connecting to victims' VPN appliances. Many victims failed to identify the compromise because their antivirus and intrusion detection tools did not flag the remote access as suspicious, since the attackers were using legitimate credentials and legitimate remote services. Some attackers also installed LogMeIn and TeamViewer to retain access in case the primary connection was lost.

When a patch is applied for a vulnerability known to be exploited in the wild, organizations should also investigate whether the vulnerability was already used to gain access. Patching prevents further exploitation, but if a compromise has already occurred, the patch will not evict the attackers from the network.

CISA has now released a tool that organizations can use to determine whether the Pulse Secure vulnerability has already been exploited. The tool parses Pulse Secure VPN server log files to identify when the gateway was compromised; in addition to helping administrators triage logs, it searches for indicators of compromise (IoCs) associated with exploitation of the vulnerability.
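As an added example, and not CISA's tool, the following Python shows the kind of log triage described above, run over a few constructed Common Log Format lines that imitate a VPN gateway's web access log (the real Pulse Secure log format differs, and the addresses, timestamps, response sizes, and patch date are assumptions). It flags requests matching the CVE-2019-11510 path traversal pattern, records which file each one targeted and whether the server answered 200, and marks those that predate the organization's patch date. A successful read of the appliance's credential store before patching is exactly the case the alert warns about: the patch closes the hole but does not invalidate the credentials already taken.

```python
"""Triage of VPN gateway access logs for CVE-2019-11510 exploitation (added example)."""
import re
from datetime import datetime, timezone
from urllib.parse import unquote

# Constructed sample lines in Common Log Format. A real Pulse Secure log
# looks different; the addresses, times and sizes are made up for illustration.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jan/2020:03:12:44 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1321
203.0.113.7 - - [05/Jan/2020:03:12:51 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/ HTTP/1.1" 200 1048576
198.51.100.20 - - [15/Mar/2020:10:01:02 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 8123
198.51.100.9 - - [20/Mar/2020:22:45:13 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 404 211
""".splitlines()

# Assumed date on which this organization applied the Pulse Secure patch.
PATCHED_AT = datetime(2020, 2, 1, tzinfo=timezone.utc)

# Files on the appliance that exploitation of this bug is known to go after;
# these two under /data/runtime/mtmp hold cached sessions and credentials.
CREDENTIAL_STORES = {
    "/data/runtime/mtmp/lmdb/dataa/data.mdb",
    "/data/runtime/mtmp/system",
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)
# The exploit reaches the file-read bug through the HTML5 access (guacamole)
# handler and climbs out of its directory with ../ segments.
TRAVERSAL_MARKER = "/dana/html5acc/guacamole/"


def parse_line(line):
    """Return the fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "time": ts, "uri": unquote(m["uri"]), "status": int(m["status"])}


def triage(lines, patched_at):
    """Flag every request that matches the CVE-2019-11510 traversal pattern."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["uri"].split("?", 1)[0]
        if TRAVERSAL_MARKER not in path.lower() or "../" not in path:
            continue
        # Whatever follows the last ../ is the file the attacker asked for.
        target = "/" + path.split("../")[-1].lstrip("/")
        findings.append({
            "ip": rec["ip"],
            "time": rec["time"],
            "target": target,
            "status": rec["status"],
            "succeeded": rec["status"] == 200,   # a 200 means the file was served
            "before_patch": rec["time"] < patched_at,
        })
    return findings


def needs_credential_rotation(findings):
    """True if a credential store was read successfully: the patch alone
    will not evict an attacker who already holds those credentials."""
    return any(f["succeeded"] and f["target"] in CREDENTIAL_STORES for f in findings)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG, PATCHED_AT)
    for f in hits:
        flag = " (before patch)" if f["before_patch"] else ""
        print(f"{f['time']:%Y-%m-%d %H:%M} {f['ip']:>14} {f['status']} {f['target']}{flag}")
    print("rotate credentials:", needs_credential_rotation(hits))
```

On the sample data the two January requests from 203.0.113.7 succeeded before the patch was applied, the second of them against the session database, so the verdict is to rotate credentials; the March request for /etc/passwd was refused with a 404, which is what a patched appliance returns to the same probe.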

If an organization finds evidence of malicious, anomalous, or suspicious activity or data, it should consider reimaging the server or workstation before redeploying it into production. CISA advises running assessments to confirm the infection has been eliminated even after a host has been reimaged.

In addition to these scans, CISA recommends resetting Active Directory passwords and searching for unauthorized applications, scheduled tasks, and any remote access tools installed without the IT department's approval. Scans should also be run for remote access Trojans and any other malware that may have been deployed.

Many organizations that use VPN servers for remote access do not use multi-factor authentication, which means any stolen credentials can be used to access systems through the VPN gateway. With multi-factor authentication in place, stolen credentials become far less useful, because a second factor is required before access is granted.

Phishing Attacks on Saint Francis Ministries and Hartford Healthcare Reported

Saint Francis Ministries has announced that an unauthorized individual gained access to an employee's email account, potentially exposing patient data.

The breach was discovered on December 19, 2019 when suspicious activity was detected in the employee's email account. A third-party computer forensics firm investigated and determined on February 12, 2020 that the account had been accessed without authorization between December 13, 2019 and December 20, 2019. It could not be determined whether the attacker viewed emails containing patient data or downloaded any email content, but no reports of misuse of patient data have been received.

A review of the affected email account was completed on March 24, 2020 and showed that the following data could have been compromised: name, date of birth, driver's license number, state ID number, Social Security number, credit or debit card number, bank or financial account number, username and password, diagnosis, treatment information, prescription details, provider name, Medicare/Medicaid number, medical record number, health insurance information, and treatment cost information.

Saint Francis Ministries began mailing breach notification letters to affected individuals on April 12. It has offered affected patients free credit monitoring and identity theft protection services and has taken steps to strengthen email security to prevent similar breaches in the future.

Phishing Attack on Hartford Healthcare

Hartford Healthcare, a healthcare network in Connecticut and Rhode Island, announced a phishing attack on April 13, 2020. The attack was discovered on February 13, 2020 when unusual activity was detected in two employees' email accounts.

With the help of a third-party computer forensics firm, Hartford Healthcare determined that the attackers had access to the accounts between February 13 and February 14, 2020.

At least one of the accounts contained patients' protected health information (PHI), including names, health insurance information, medical record numbers, and other health-related records. The accounts also contained the Social Security numbers of 23 patients.

Hartford Healthcare said the attack affected 2,651 patients, who are now being notified. The 23 patients whose Social Security numbers were potentially exposed have been offered two years of free credit monitoring and identity theft protection services.

Kwampirs APT Group Is Still Attacking Healthcare Companies through the Supply Chain

An advanced persistent threat (APT) group known as Kwampirs, also called Orangeworm, is continuing to attack healthcare organizations and compromise their systems with the Kwampirs Remote Access Trojan (RAT) and other malware payloads.

The group has been active since around 2016, but activity has recently intensified, and the FBI has issued three alerts about the group so far in 2020. Symantec's April 2018 report was the first to document the group's attacks on healthcare organizations through the supply chain.

The group targets several industries, including healthcare, engineering, energy, and software vendors. The attacks on the healthcare sector are believed to have been carried out through the vendor software supply chain and hardware products.

According to the FBI, the attacks have been highly effective. The group has compromised many hospitals across Asia, the United States, and Europe, including local hospital groups and major multinational healthcare firms. The campaigns have involved both locally infected devices and enterprise-wide malware infections.

The group begins by gaining access to devices at the victim organization and establishing a broad, persistent presence with the Kwampirs RAT in order to conduct computer network exploitation (CNE) campaigns. The attacks proceed in two phases. In the first, the Kwampirs RAT is used to gain broad and persistent access to hospital systems, typically along with the delivery of several secondary malware payloads. In the second, additional modules are added to the RAT to enable further exploitation of the compromised systems; these modules are tailored to the targeted organization. FBI reports say the attackers have maintained persistence on compromised systems for long periods, from around three months to three years, while conducting extensive reconnaissance.

The group has targeted primary and secondary domain controllers, software development servers, engineering servers holding source code, and file servers used as repositories for R&D data. Once deployed, the Kwampirs RAT performs daily command-and-control communications with domains and IP addresses hard-coded in the malware and downloads further data.

The group's main goal appears to be cyber espionage, but the FBI says analysis of the RAT found several code similarities with the Shamoon (Disttrack) wiper used in the 2012 attack on Saudi Aramco. The FBI adds that it has not yet observed any wiper module in Kwampirs.

The FBI has issued recommendations to strengthen security and reduce the risk of infection. These best practices include:

  • Keep software and operating systems up to date and apply patches promptly
  • Validate user input to reduce local and remote file inclusion vulnerabilities
  • Apply the principle of least privilege on web servers to limit privilege escalation and lateral movement to other hosts, and to control file creation and execution in specific directories
  • Deploy a demilitarized zone (DMZ) between internet-facing systems and the corporate network
  • Ensure all web servers have a secure configuration and that all unnecessary and unused ports are disabled or blocked
  • Use a reverse proxy to restrict accessible URL paths to known legitimate ones
  • Deploy a web application firewall
  • Conduct regular virus scans and code reviews, application fuzzing, and server network audits
  • Perform routine system and application vulnerability scans to identify areas of risk

CMS Proclaims Sweeping Regulatory Adjustments Because of the Increase in COVID-19 Patients

The Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) announced that there is going to be some sweeping regulatory modifications and waivers to provide the most versatility to medical professionals when caring for patients throughout the COVID-19 outbreak. The latest modifications will permit healthcare providers to work as medical care delivery coordinators in their zones.

The non-permanent changes to remove constraints are supposed to establish hospitals and health systems with no walls. Consequently, hospitals and health systems will have less trouble dealing with a likely substantial increase in COVID-19 patients during the coming days.

Under normal circumstances, federal restrictions require hospitals to provide healthcare services within their established facilities, but this will not be feasible with a surge in patient numbers. As COVID-19 case numbers grow, hospitals will reach capacity, and without additional sites to treat patients they will be overwhelmed.

To ensure that all patients can receive treatment and no one is left behind, the CMS has relaxed restrictions and issued interim guidelines that allow care to be provided in other locations. Many ambulatory surgery centers have chosen to cancel elective procedures for the duration of the public health emergency. Hospitals and health systems will be permitted to use those facilities, as well as inpatient rehabilitation hospitals, hotels, and dormitories, and will still be entitled to Medicare reimbursement for services. The new locations can be used to provide healthcare services to non-COVID-19 patients, freeing inpatient beds for COVID-19 patients who require intensive care and ventilators.

The CMS stated that ambulatory surgery centers have two options:

  • They can contract with local healthcare systems to provide services on behalf of the hospital
  • They can enroll and bill the CMS as hospitals for the duration of the public health emergency declaration, provided this does not conflict with their State’s Emergency Preparedness or Pandemic Plan.

Healthcare organizations will not be permitted to operate beyond the plans established at the community level.

To further expand capacity, the CMS has issued a waiver allowing physician-owned hospitals to add beds without facing penalties. Hospitals are permitted to set up drive-through COVID-19 screening sites and use off-campus testing centers, and coverage will be provided for laboratory technicians who need to travel to a Medicare beneficiary’s home to collect samples for COVID-19 testing. The CMS is providing additional reimbursement for ambulances, which are likely to be needed to transport patients between healthcare facilities and doctors’ offices to ensure they receive the necessary care. Medicare coverage for respiratory-related devices and equipment has now been extended to cover any medical reason.

Changes have also been made to support the rapid expansion of the healthcare workforce. These include making Medicare enrollment easier for providers and allowing teaching hospitals to let medical residents provide services under the supervision of a teaching physician. The CMS has also issued a blanket waiver allowing hospitals to provide additional benefits to support their medical staff, such as daily meals, laundry service for personal clothing, and child care services while physicians and other staff are at the hospital providing patient care.

Changes have also been made to reduce the administrative burden on healthcare workers, with the CMS putting patients over paperwork by removing documentation requirements so that physicians have more time to care for patients.

The CMS has already expanded access to telehealth services, with reimbursement now provided for all Medicare beneficiaries in all locations. Coverage now includes around 80 additional services delivered via telehealth, provided those services are delivered by practitioners authorized to provide telehealth services.

These changes and waivers are temporary and will remain in effect for the duration of the national public health emergency for COVID-19, after which the CMS will assess how to transition back to the existing system.

Solving the HIPAA Problem with Compliancy Group’s Simple HIPAA Compliance Process

Complying with all requirements of the Health Insurance Portability and Accountability Act (HIPAA) Security, Privacy, Breach Notification, and Omnibus Rules can be a major challenge.

Many healthcare providers have set up a compliance program and believed they were HIPAA compliant, only to discover through a compliance review or HIPAA audit that they are not complying with a number of HIPAA provisions. Those mistakes can prove very costly.

Compliance failures can easily lead to a data breach or prompt the filing of a complaint with the Department of Health and Human Services’ Office for Civil Rights (OCR), the main enforcer of HIPAA compliance.

OCR investigates submitted complaints and reported data breaches to determine whether a healthcare organization has violated HIPAA Rules. It also conducts compliance audits to assess the compliance of HIPAA covered entities and their business associates with all aspects of the HIPAA regulations.

OCR has stepped up HIPAA compliance enforcement in recent years. In 2018, OCR imposed $28,683,400 in financial penalties on covered entities and business associates across 11 enforcement actions. In 2019, OCR issued financial penalties in 10 compliance investigations.

Resolving HIPAA Compliance Problems

Compliancy Group understands the importance of HIPAA compliance and the challenges that HIPAA covered entities and business associates face when trying to implement and maintain an effective compliance program.

To simplify the HIPAA compliance process, Compliancy Group has developed a software program that guides entities through the compliance process. The software, called The Guard, streamlines everything an organization must do to achieve HIPAA compliance, reduce risk, and avoid penalties.

Compliancy Group hosts regular webinars to demonstrate how easy it is to use The Guard to complete the HIPAA compliance process.

With the help of Compliancy Group’s webinars and its compliance coaches, covered entities and business associates can achieve compliance and meet all federal requirements. Find out more about the webinars hosted by Compliancy Group on this page.