Weekend Update / Cybersecurity Saturday

Blue Bonnets — The Texas State Flower

The FEHBlog’s Friday Insights did not publish as scheduled on Saturday morning. To get the email distribution back on schedule the FEHBlog is combining the Weekend Update and the Cybersecurity Saturday posts below.

Weekend Update

The House of Representatives and the Senate will be in session for Committee business and floor voting on Wednesday, Thursday and Friday this week.

Recently, the Centers for Medicare and Medicaid Services confirmed that the No Surprises Act air ambulance reporting will not occur in 2023.

Under section 106 of the No Surprises Act, air ambulance providers, insurance companies, and employer-based health plans must submit to federal regulators information about air ambulance services provided to consumers. The Centers for Medicare & Medicaid Services (CMS) in the Department of Health & Human Services (HHS) is conducting this Air Ambulance data collection (AADC), which will be used to develop a public report on air ambulance services.
The proposed rules describing the proposed form and manner of the data collection can be found at this link. The final rules will specify the final reporting requirements, including the data elements and the deadlines for the data collection. The data collection will not begin until after the final rules are published. This page will be updated when the rules are finalized and more information on data collection is available.

From the value added care front, Behavioral Health Business discusses how Aetna and Optum are collaborating with a large mental health provider, Universal Health Services, to develop reliable outcome measurements for mental health services.

From the healthcare developments front —

NPR tells us

When the FDA approved bempedoic acid, marketed under the brand name Nexletol, back in 2020, it was clear that the drug helped lower LDL — “bad” cholesterol. The drug was intended for people who can’t tolerate statin medications due to muscle pain, which is a side effect reported by up to 29% of people who take statins.

What was unknown until now, is whether bempedoic acid also reduced the risk of cardiovascular events. Now, the results of a randomized, controlled trial published in The New England Journal of Medicine point to significant benefit. The study included about 14,000 people, all of whom were statin intolerant.

“The big effect was on heart attacks,” says study author Dr. Steven Nissen of Cleveland Clinic. 

People who took daily doses of bempedoic acid for more than three years had about a 23% lower risk of having a heart attack, in that period, compared to those taking a placebo. There was also a 19% reduction in coronary revascularizations, which are procedures that restore blood flow to the heart, such as a bypass operation or stenting to open arteries.

Medscape highlights a “revolutionary” treatment for suicidal depression, the Stanford neuromodulation therapy (SNT) protocol.

From the medical research front, Medscape reports

A common chemical that is used in correction fluid, paint removers, gun cleaners, aerosol cleaning products, and dry cleaning may be the key culprit behind the dramatic increase in Parkinson’s disease (PD), researchers say.

An international team of researchers reviewed previous research and cited data that suggest the chemical trichloroethylene (TCE) is associated with as much as a 500% increased risk for Parkinson’s disease (PD).

Lead investigator Ray Dorsey, MD, professor of neurology, University of Rochester, New York, called PD “the world’s fastest-growing brain disease,” and told Medscape Medical News that it “may be largely preventable.”

“Countless people have died over generations from cancer and other disease linked to TCE [and] Parkinson’s may be the latest,” he said. “Banning these chemicals, containing contaminated sites, and protecting homes, schools, and buildings at risk may all create a world where Parkinson’s is increasingly rare, not common.”

The paper was published online March 14 in the Journal of Parkinson’s Disease.

The FEHBlog has several friends with Parkinson’s Disease.

From the Medicare front, Health Payer Intelligence relates

Beneficiaries with end-stage renal disease (ESRD) are increasingly shifting from Medicare fee-for-service (FFS) to Medicare Advantage, leading more Medicare Advantage plans to form value-based arrangements with kidney care management companies, according to Avalere.

Beneficiaries with ESRD have typically received coverage through Medicare FFS because only those already enrolled in a Medicare Advantage plan before initiating dialysis were eligible for the private program through 2020.

A provision under the 21st Century Cures Act that went into effect on January 1, 2021, made all Medicare beneficiaries with ESRD eligible to enroll in Medicare Advantage plans.

Although patient safety awareness week is over, the Wall Street Journal makes us aware that

Black boxes on airplanes record detailed information about flights. Now, a technology that goes by the same name and captures just about everything that goes on in an operating room during a surgery is making its way into hospitals.

The OR Black Box, a system of sensors and software, is being used in operating rooms in 24 hospitals in the U.S., Canada and Western Europe. Video, audio, patient vital signs and data from surgical devices are among the information being captured.

The technology is being used primarily to analyze operating-room practices in hopes of reducing medical errors, improving patient safety and making operating rooms more efficient. It can also help hospitals figure out what happened if an operation goes wrong. * * *

Duke University Hospital, where two operating rooms are equipped with black boxes, is using the technology to study and improve on patient positioning for surgery to reduce the possibility of skin-tissue and nerve injuries. It is also studying and using the technology to improve communication among nursing personnel throughout a surgical procedure to ensure that key tasks—such as confirming that surgical instruments and medical devices are available for a procedure—are being completed promptly, effectively and efficiently.

Cybersecurity Saturday

From the cybersecurity policy front, the American Hospital Association informs us that

The Senate Homeland Security and Governmental Affairs Committee held a full Committee hearing examining cybersecurity risks to the healthcare sector on March 16. Witnesses included Scott Dresen, chief information security officer for Corewell Health, a large integrated health system in Michigan. 
 
“The increasing frequency of attack from nation state actors and organized crime has created a sense of urgency within the healthcare sector and we need help from the United States government to respond to these threats more effectively,” Dresen said.
 
Specifically, he called for enhancing existing partnerships with and between federal agencies, expanding the sharing of actionable threat intelligence, incentivizing access to affordable technology to defend against advanced threats, ensuring there is an adequate cyber workforce, and reforming legislation to encourage the adoption of best practices while not penalizing the victims of cyberattacks.

STAT News reveals why an HHS rule amending the HIPAA Privacy Rule will wreak financial havoc on health systems. The proposed rule was issued in January 2021, so the final rule has been pending for a long time.

Federal News Network reports

The Cybersecurity and Infrastructure Security Agency (CISA) is looking to position a new “Cyber Analytics and Data System” at the center of national cyber defenses, as the agency’s post-EINSTEIN plans come into focus in its fiscal 2024 budget request.

CISA is seeking $424.9 million in the 2024 budget for “CADS.” The program is envisioned as a “system of systems,” budget documents explain, that provides “a robust and scalable analytic environment capable of integrating mission visibility data sets and providing visualization tools and advanced analytic capabilities to CISA cyber operators.”

The new program is part of the “restructuring” of the National Cybersecurity Protection System, according to the documents. More commonly known as “EINSTEIN,” the NCPS has been in place to defend federal agency networks since the Department of Homeland Security’s inception in 2003.

From the cyber breaches front, Tech Target brings us up to date on the DC Health Link breach.

An additional wrinkle to the breach came Monday [March 13] when another user on the same dark web forum using the alias Denfur, who had previously published sample data from the breach, created a thread supposedly aiming to clear up misinformation surrounding the breach.

Claiming to be a friend of IntelBroker, Denfur said the attack vector for the breach was an exposed, insecure database belonging to DC Health Link. Moreover, the poster said the database was likely exposed “for over a year and a half” before the breach occurred. TechTarget Editorial contacted DC Health Link in order to verify Denfur’s claims, but a spokesperson declined to comment.

Nextgov reports

At least two hacking groups were able to gain access to at least one federal agency’s servers through an old vulnerability in a software development and design product, according to a cybersecurity advisory issued Wednesday.

According to an alert issued by the Cybersecurity and Infrastructure Security Agency, or CISA, hackers were able to gain access to and run unauthorized code on a federal agency’s server, though they were not able to gain privileged access or move deeper into the network. The malicious activity was observed between November 2022 and early January, though the initial compromise goes as far back as August 2021.

Hackers used a vulnerability in old versions of Telerik UI, a software developer kit for designing apps, which, when exploited, allows hackers with access to execute code. The vulnerability was discovered in 2019 and builds on previous vulnerabilities discovered in 2017 that allow bad actors to gain privileged access and “successfully execute remote code on the vulnerable web server.”

The National Vulnerability Database—managed by the National Institute of Standards and Technology—rates this a critical vulnerability, with a score of 9.8 out of 10.

From the cyber vulnerabilities front, HHS’s Healthcare Cybersecurity Coordination Center (HC3) released its February 2023 list of vulnerabilities of interest to the health sector.

In February 2023, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for this month are from Microsoft, Google/Android, Apple, Mozilla, SAP, Citrix, Intel, Cisco, VMWare, Fortinet, and Adobe. A vulnerability is given the classification as a zero-day if it is actively exploited with no fix available or is publicly disclosed. HC3 recommends patching all vulnerabilities with special consideration to the risk management posture of the organization.

Cybersecurity Dive informs us.

  • Researchers are warning that state-linked and financially motivated threat actors may try to exploit a critical zero-day vulnerability in Microsoft Outlook to launch new attacks against unpatched systems. 
  • Microsoft urged customers to patch their systems against CVE-2023-23397 to address the critical escalation of privilege vulnerability in Microsoft Outlook for Windows, the company said Tuesday. Microsoft Threat Intelligence warned that a Russia-based threat actor launched attacks against targeted victims in several European countries.
  • Mandiant researchers warned that other criminal and cyber-espionage actors will race to find new victims vulnerable to the zero day before organizations can apply patches. 

CISA added three and then one more known exploited vulnerability to its catalog this week.

Security Week highlights that “Deepfakes are becoming increasingly popular with cybercriminals, and as these technologies become even easier to use, organizations must become even more vigilant.”

Deepfakes are part of the ongoing trend of weaponized AI. They’re extremely effective in the context of social engineering because they use AI to mimic human communications so well. With tools like these, malicious actors can easily hoodwink people into giving them credentials or other sensitive information, or even transfer money for instant financial gain. Deepfakes represent the next generation of fraud, by enabling bad actors to impersonate people more accurately and thus trick employees, friends, customers, etc., into doing things like turning over sensitive credentials or wiring money.

Here’s one real-world example: Bad actors used deepfake voice technology to defraud a company by using AI to mimic the voice of a CEO to persuade an employee to transfer nearly $250,000 to a Hungarian supplier. Earlier this year, the FBI also warned of an uptick in the use of deepfakes and stolen PII to apply for remote work jobs – especially for positions with access to a lot of sensitive customer data.

The Security Week article also discusses defenses to deepfake tactics.

From the ransomware date infiltration front –

  • The Federal Bureau of Investigation (FBI), CISA, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) has released a joint cybersecurity advisory (CSA), #StopRansomware: LockBit 3.0. This joint advisory details known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) that FBI investigations correlated with LockBit 3.0 ransomware as recently as March 2023. LockBit 3.0 functions as an affiliate-based ransomware variant and is a continuation of LockBit 2.0 and LockBit. CISA encourages network defenders to review and apply the recommendations in the Mitigations section of this CSA.
  • HC3 posted a threat profile on Black Basta.
    • “Black Basta was initially spotted in early 2022, known for its double extortion attack, the Russian-speaking group not only executes ransomware but also exfiltrates sensitive data, operating a cybercrime marketplace to publicly release it, should a victim fail to pay a ransom. The threat group’s prolific targeting of at least 20 victims in its first two weeks of operation indicates that it is experienced in ransomware and has a steady source of initial access. The level of sophistication by its proficient ransomware operators, and reluctance to recruit or advertise on Dark Web forums, supports why many suspect the nascent Black Basta may even be a rebrand of the Russian-speaking RaaS threat group Conti, or also linked to other Russian-speaking cyber threat groups. Previous HC3 Analyst Notes on Conti and BlackMatter even reinforce the similar tactics, techniques, and procedures (TTPs) shared with Black Basta. Nevertheless, as ransomware attacks continue to increase, this Threat Profile highlights the emerging group and its seasoned cybercriminals and provides best practices to lower risks of being victimized.”

Here is a link to the always interesting Bleeping Computer Week in Ransomware.

From the cyber defenses front —

CISA announced

the creation of the Ransomware Vulnerability Warning Pilot (RVWP). Through the RVWP, CISA:     

  1. Proactively identifies information systems—belonging to critical infrastructure entities—that contain vulnerabilities commonly associated with ransomware intrusions.
  2. Notifies the owners of the affected information systems, which enables the owners to mitigate the vulnerabilities before damaging intrusions occur. 

Review the RVWP webpage for details, including information on the authorities and services CISA leverages to enable RVWP notifications.

HelpNetSecurity tells us how to use ChatGPT to improve cyber defenses.