Want to add a member of your team to our distribution list? Email at policy@chimecentral.org

Webinars and Member Engagement

Ascension Cyber Attack Update



Key Takeaway: On Friday, federal authorities released a joint Cybersecurity Advisory (CSA) two days following the massive cyber-attack suffered by the Ascension health system.


Why It Matters: A ransomware variant known as Black Basta, operated by a Russian-backed group, is believed to be responsible for the cyber-attack on the Ascension health system that was announced last Wednesday. The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released the CSA to provide information on this ransomware variant, whose actors have encrypted and stolen data from at least 12 of the 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector. The Health-ISAC also published its own bulletin.


News reports last week indicated widespread system interruptions and hospitals on diversion status. News reports this morning indicated that system restoration is underway. At the time of publication, the Ascension website on this event had not been updated since May 11th.

IPPS Workgroup Call


Key Takeaway: The Centers for Medicare and Medicaid Services (CMS) released their annual Inpatient Prospective Payment System (IPPS) proposed rule last month. Help shape CHIME’s comments by joining our workgroup call. We will discuss changes to the Promoting Interoperability program, SAFER guides, a request for information (RFI) pertaining to public health reporting, among other topics.


Why It Matters: Our workgroup call is scheduled for Thursday, May 16th at 3:00 p.m. ET. Email Chelsea Arnone at carnone@chimecentral.org if you want to be added to the workgroup. Comments are due to CMS on June 10th. Find CHIME’s cheat sheet here.

Policy & Politics Webinar



Key Takeaway: Register now for our next Policy & Politics webinar scheduled for Wednesday, May 22nd from 2-2:30 p.m. ET. Go here to register.


Why It Matters: We get you in and out in 30 minutes with all the hot takes from Washington to keep you informed.

Deadline Extended for Advocacy Opportunity to Support ONC Funding


Key Takeaway: CHIME, HIMSS, and AHIMA are leading an organizational sign-on letter requesting that Congress supports funding the U.S. Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) at the President’s proposed Fiscal Year (FY) 2025 budget request of at least $86 million.

Why It Matters: The deadline to sign on has been extended to Tuesday, May 14th at 5:00 p.m. ET. Add your organization here.

Congressional

House Ways and Means Committee Marks up Telehealth Legislation



Key Takeaway: On May 8th, the House Ways and Means Committee marked up several bills including H.R. 8261, the Preserving Telehealth, Hospital, and Ambulance Access Act (bill text, one-pager). The bill passed out of the Committee by a vote of 41-0. The bill would extend many of the current Medicare telehealth flexibilities through December 31, 2026, an additional two years.


Why It Matters: Importantly, the bill:


  • Removes geographic and originating-site restrictions through 2026.
  • Allows Federally Qualified Health Centers (FQHCs) and Rural Health Clinics (RHCs) to continue to furnish telehealth services through 2026.
  • Expands the list of practitioners eligible to furnish telehealth (including Physical Therapists, Occupational Therapists, Speech Language Pathologists, and Audiologists) through 2026.
  • Allows for audio-only services through 2026.
  • Delays in-person requirement for telemental health.
  • Extends the Acute Hospital Care at Home program through CY 2029.

Homeland Committee Requests Microsoft to Testify on Cyber Shortfalls



Key Takeaway: Last week, House Homeland Security Chairman Mark Green and Ranking Member Bennie Thompson sent a letter to Brad Smith, Microsoft’s Vice Chair and President, asking him to testify at a May 22 hearing on “A Cascade of Security Failures: Assessing Microsoft Corporation’s Cybersecurity Shortfalls and the Implications for Homeland Security.”


Why It Matters: According to the letter, the hearing is an opportunity to hear Microsoft’s perspective on the U.S. Department of Homeland Security Cyber Safety Review Board’s (CSRB) recent report, “Review of the Summer 2023 Microsoft Exchange Online Intrusion.” The board found that Microsoft’s security culture was inadequate and recommended that its CEO and Board of Directors focus on the company’s security culture, including developing and sharing a plan with “specific timelines to make fundamental, security-focused reforms across the company and its full suite of products,” among other recommendations.

Federal

White House Releases 2024 National Cybersecurity Implementation Plan



Key Takeaway: The White House released the second version of their National Cybersecurity Strategy Implementation Plan (NCSIP) executing on the Administration’s National Cybersecurity Strategy. The NCSIP Version 2 describes 100 high-impact initiatives to achieve the Strategy’s objectives. More details can be found in the White House blog.


Why It Matters: The report lays out a plan for rebalancing the responsibility to defend cyberspace on to more capable actors and realigning incentives to favor long-term investments in cybersecurity and resilience. Initiative 1.1.4 promotes adoption of cybersecurity best practices across the healthcare and public health sector. The report states, “The Federal Government will use existing authorities to set necessary cybersecurity requirements in critical sectors. Where Federal departments and agencies have gaps in statutory authorities to implement minimum cybersecurity requirements […] the Administration will work with Congress to close them.”

CISA Extends Comment Period for CIRCIA Proposed Rule



Key Takeaway: The Cybersecurity and Infrastructure Security Agency (CISA) has extended the comment period for their proposed rule concerning the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) which proposes regulations implementing the statute's covered cyber incident and ransom payment reporting requirements for covered entities.


Why It Matters: The original deadline was set for June 3, but CISA has extended the comment deadline another 30 days to July 3 to allow more time for stakeholder comments. CHIME is drafting a response. Our next workgroup call is scheduled for Tuesday, May 14th at 2:30 p.m. ET. For those interested in joining the call, please contact Chelsea Arnone at carnone@chimecentral.org.

Cybersecurity

405(d) Infographic: How to Implement Data Classification



Key Takeaway: The 405(d) Program has released a new infographic, “How To Implement Data Classification.” It is designed for small, medium, and large organizations to start implementing Data Classification best practices.


Why It Matters: There is a vast amount of data in healthcare environments, ranging from PII to ePHI (e.g., treatment information, SSNs, insurance numbers, billing information) to research information and business-sensitive information. Data classification is based on understanding where data resides, where it is accessed, and how it is shared. Organizations need to identify the types of data files and records relevant to each classification category, such as sensitive, internal use, or public use, which in turn helps them decide how each should be protected.

CISA & Partners Release Fact Sheet on Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity



Key Takeaway: CISA, in collaboration with U.S. and international partners, published a joint fact sheet, Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity. This fact sheet provides information and mitigations associated with cyber operations conducted by pro-Russia hacktivists who seek to compromise industrial control systems (ICS) and small-scale operational technology (OT) systems in critical infrastructure sectors.


Why It Matters: The pro-Russia hacktivist activity appears mostly limited to unsophisticated techniques that manipulate ICS equipment to create nuisance effects. However, investigations have identified that these actors are capable of techniques that pose physical threats against insecure and misconfigured OT environments. CISA and partners encourage OT operators in critical infrastructure sectors to apply the recommendations listed in the fact sheet to defend against this activity.

U.S. Sanctions Senior Leader of the LockBit Ransomware Group


Key Takeaway: The U.S. has revealed the identity of and imposed sanctions on Dmitry Khoroshev, a senior leader of the LockBit ransomware group. Khoroshev has been designated by the U.S. Treasury for his involvement in developing and disseminating LockBit ransomware. This designation is part of a global effort involving the UK, Australia, and other international partners to dismantle ransomware networks. The U.S. Department of State is offering a reward of up to $10 million for information that leads to the identification or location of any individual(s) who hold a key leadership position in the LockBit group, and a reward of $5 million for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in LockBit ransomware activities.


Why It Matters: The Russia-based LockBit ransomware group is one of the most active ransomware groups in the world and is best known for its ransomware variant of the same name. It has targeted over 2,500 victims worldwide and is alleged to have received more than $500 million in ransom payments. Since January 2020, affiliates using LockBit have attacked organizations across an array of critical infrastructure sectors, including healthcare. These actions “reflect the commitment of the U.S. to a long-term, coordinated, and sustained approach to disrupting and degrading the ransomware ecosystem.”

CISA Announces Secure by Design Pledge


Key Takeaway: CISA announced a voluntary “Secure by Design” pledge, focused on enterprise software products and services, including on-premises software, cloud services, and software as a service (SaaS). Physical products such as IoT devices and consumer products are not scoped in the pledge, though companies who wish to demonstrate progress in those areas are welcome. You can find the pledge here, and the statements of support here.


Why It Matters: Software manufacturers participating in this voluntary pledge commit to working towards seven goals over a year, documenting progress or challenges faced if unable to show measurable progress. They have discretion in how they meet criteria, and CISA encourages transparency in sharing approaches. The pledge aims to complement and build on existing software security best practices, including those developed by NIST and other federal agencies, and international and industry best practices.

Interoperability

New Guide on Equity for Digital Health Developers



Key Takeaway: The Agency for Healthcare Research & Quality (AHRQ) has a new resource, the Digital Health Equity Framework, available to help developers of digital health technologies reduce implicit bias.


Why It Matters: In a recent blog post the agency discusses their investments to reduce disparities and help developers address equity given the dearth of existing resources on this topic. AHRQ worked with Johns Hopkins University and the National Committee for Quality Assurance (NCQA) to address this gap.

College of Healthcare Information Management Executives (CHIME)
(734) 665-0000 | www.chimecentral.org