<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The STATEment Archives - Advanced Benefit Consulting</title>
	<atom:link href="https://advancedbenefitconsulting.com/category/the-statement/feed/" rel="self" type="application/rss+xml" />
	<link>https://advancedbenefitconsulting.com/category/the-statement/</link>
	<description>Advanced Benefit Consulting &#38; Insurance Services, Inc. A Full Service Employee Benefit and Compliance Solution for Employers</description>
	<lastBuildDate>Sat, 16 Jul 2022 02:06:34 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=7.0</generator>
	<item>
		<title>Cybersecurity 2.0 &#8211; The Latest on Cyber-Attacks, Ransomware and the Need for Risk Assessments</title>
		<link>https://advancedbenefitconsulting.com/cybersecurity-2-0-the-latest-on-cyber-attacks-ransomware-and-the-need-for-risk-assessments/</link>
		
		<dc:creator><![CDATA[Orange County Benefits Expert]]></dc:creator>
		<pubDate>Fri, 06 May 2022 21:45:07 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Cal Broker]]></category>
		<category><![CDATA[Data Breaches & Cyber Security]]></category>
		<category><![CDATA[Feature Article]]></category>
		<category><![CDATA[Published Articles]]></category>
		<category><![CDATA[The STATEment]]></category>
		<category><![CDATA[Aditi Group]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[California Broker]]></category>
		<category><![CDATA[cyber attack]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[ransomware]]></category>
		<category><![CDATA[risk assessment]]></category>
		<guid isPermaLink="false">https://advancedbenefitconsulting.com/?p=6454</guid>

					<description><![CDATA[<p>The post <a href="https://advancedbenefitconsulting.com/cybersecurity-2-0-the-latest-on-cyber-attacks-ransomware-and-the-need-for-risk-assessments/">Cybersecurity 2.0 &#8211; The Latest on Cyber-Attacks, Ransomware and the Need for Risk Assessments</a> appeared first on <a href="https://advancedbenefitconsulting.com">Advanced Benefit Consulting</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_0 et_section_regular" >
				<div class="et_pb_row et_pb_row_0">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_0  et_pb_css_mix_blend_mode_passthrough et-last-child">
				<div class="et_pb_module et_pb_text et_pb_text_0  et_pb_text_align_left et_pb_bg_layout_light">
				<div class="et_pb_text_inner"><h2>By:  Dorothy Cociu, RHU, REBC, GBA, RPA</h2>
<p>&nbsp;</p></div>
			</div><div class="et_pb_button_module_wrapper et_pb_button_0_wrapper et_pb_button_alignment_center et_pb_module ">
				<a class="et_pb_button et_pb_button_0 et_pb_bg_layout_light" href="https://advancedbenefitconsulting.com/wp-content/uploads/Cybersecurity-2-0-5-2022-ABC-Version.pdf">Download Article (pdf)</a>
			</div>
			</div>
			</div><div class="et_pb_row et_pb_row_1">
				<div class="et_pb_column et_pb_column_1_3 et_pb_column_1  et_pb_css_mix_blend_mode_passthrough">
				<div class="et_pb_module et_pb_text et_pb_text_1  et_pb_text_align_left et_pb_bg_layout_light">
				<div class="et_pb_text_inner">Read this article in the <a href="https://www.calbrokermag.com/in-this-issue/cybersecurity-2-0/" target="_blank" rel="noopener">Cal Broker June 2022 issue</a></div>
			</div><div class="et_pb_module et_pb_image et_pb_image_0">
				<a href="https://www.calbrokermag.com/in-this-issue/cybersecurity-2-0/" target="_blank"><span class="et_pb_image_wrap "><img fetchpriority="high" decoding="async" width="600" height="781" src="https://advancedbenefitconsulting.com/wp-content/uploads/caifornia-brokerjune-2022-cyber-security-2.jpg" alt="California Broker article Cybersecurity 2.0" title="caifornia-broker=june-2022-cyber-security-2" srcset="https://advancedbenefitconsulting.com/wp-content/uploads/caifornia-brokerjune-2022-cyber-security-2.jpg 600w, https://advancedbenefitconsulting.com/wp-content/uploads/caifornia-brokerjune-2022-cyber-security-2-480x625.jpg 480w" sizes="(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) 600px, 100vw" class="wp-image-7220" /></span></a>
			</div>
			</div><div class="et_pb_column et_pb_column_1_3 et_pb_column_2  et_pb_css_mix_blend_mode_passthrough">
				<div class="et_pb_module et_pb_text et_pb_text_2  et_pb_text_align_left et_pb_bg_layout_light">
				<div class="et_pb_text_inner"><p>Read the <a href="https://www.camsdev.net/CAHU/Magazine/May-June-2022/" target="_blank" rel="noopener">STATEment May / June 2022 issue</a></p></div>
			</div><div class="et_pb_module et_pb_image et_pb_image_1">
				<a href="https://www.camsdev.net/CAHU/Magazine/May-June-2022/" target="_blank"><span class="et_pb_image_wrap "><img decoding="async" width="400" height="517" src="https://advancedbenefitconsulting.com/wp-content/uploads/CAHU-Statement-May-June-2022_400.jpg" alt="CAHU Statement May-June 2022 issue" title="CAHU Statement May-June 2022_400" srcset="https://advancedbenefitconsulting.com/wp-content/uploads/CAHU-Statement-May-June-2022_400.jpg 400w, https://advancedbenefitconsulting.com/wp-content/uploads/CAHU-Statement-May-June-2022_400-232x300.jpg 232w" sizes="(max-width: 400px) 100vw, 400px" class="wp-image-6465" /></span></a>
			</div>
			</div><div class="et_pb_column et_pb_column_1_3 et_pb_column_3  et_pb_css_mix_blend_mode_passthrough et-last-child">
				<div class="et_pb_module et_pb_text et_pb_text_3  et_pb_text_align_left et_pb_bg_layout_light">
				<div class="et_pb_text_inner">Read the <a href="https://digitaleditions.walsworth.com/publication/?m=35782&#038;i=751536&#038;p=22&#038;pre=1&#038;ver=html5" target="_blank" rel="noopener">Benefit Specialist July 2022 issue</a></div>
			</div><div class="et_pb_module et_pb_image et_pb_image_2">
				<a href="https://digitaleditions.walsworth.com/publication/?m=35782&#038;i=751536&#038;p=22&#038;pre=1&#038;ver=html5" target="_blank"><span class="et_pb_image_wrap "><img loading="lazy" decoding="async" width="600" height="788" src="https://advancedbenefitconsulting.com/wp-content/uploads/americas-benefit-specialist-july-2022-600.jpg" alt="America&#039;s Benefit Specialist July 2022 with ABC" title="americas-benefit-specialist-july-2022-600" srcset="https://advancedbenefitconsulting.com/wp-content/uploads/americas-benefit-specialist-july-2022-600.jpg 600w, https://advancedbenefitconsulting.com/wp-content/uploads/americas-benefit-specialist-july-2022-600-480x630.jpg 480w" sizes="(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) 600px, 100vw" class="wp-image-7814" /></span></a>
			</div>
			</div>
			</div><div class="et_pb_row et_pb_row_2">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_4  et_pb_css_mix_blend_mode_passthrough et-last-child">
				<div class="et_pb_module et_pb_text et_pb_text_4  et_pb_text_align_left et_pb_bg_layout_light">
<div class="et_pb_text_inner"><p>It’s been about a year since we were all on pins and needles about cyber-attacks and the news that Colonial Pipeline, JBS Foods and many others had been breached and their data held for ransom, which resulted in gas shortages and price hikes in the East and meat and food shortages everywhere.  That was followed by the 4<sup>th</sup> of July weekend, 2021 cyber-attack against the software company Kaseya, which targeted many small companies in up to 17 countries, including the US, United Kingdom, South Africa, Canada, Argentina, Mexico, Kenya and Germany.  Cybersecurity experts believe the REvil gang, a major Russian-speaking ransomware syndicate, was behind the attack, targeting the software company by using its network-management package as a means to spread the ransomware broadly through cloud-service providers.  Luckily, the software company was able to shut it down quickly, but not before significant damage was done.</p>
<p>When I wrote my last article on this topic, “Cyber Attacks Hit Home…. The Next National Emergency?  Valuable Cybersecurity Tools to Keep You Safe,” published in <strong><u>The Statement</u>, July/August, 2021</strong>, page 5, at <a href="https://camsdev.net/CAHU/Magazine/July-August-2021/index.html">https://camsdev.net/CAHU/Magazine/July-August-2021/index.html</a> and in <strong><u>California Broker</u>, August, 2021</strong>, <a href="https://www.calbrokermag.com/in-this-issue/cyber-attacks-hit-home-the-next-national-emergency/">https://www.calbrokermag.com/in-this-issue/cyber-attacks-hit-home-the-next-national-emergency/</a>, I detailed how these attacks happened and gave some advice on how to keep your organization safe, as did many others.  Yet since then, we are still seeing the same issues popping up in the news on a far-too-regular basis… Breaches, hacks, cyber-attacks, ransomware…  <em>Why does this keep happening?</em>  Because for many people, unless and until it happens to them, they put off doing what they know they need to do… <em>because it can’t happen to them, right?</em>  <strong>WRONG!</strong>  <em>It can, and it’s not a matter of “if” – it’s usually a matter of “when” it happens to you.  Your company… Your data… in the hands of someone that shouldn’t have access to it… And then it’s too late.  Your business is literally shut down.  Your systems are basically dead.  You’re scrambling to restore from backups, pay the ransom, notify the authorities and the victims, and in all cases, you’re retracing your work, putting in hundreds (or thousands) of man hours, or paying millions of dollars in crypto or other currencies, all to get your hands on what is already yours – your data!</em></p></div>
			</div><div class="et_pb_module et_pb_text et_pb_text_5  et_pb_text_align_left et_pb_bg_layout_light">
				<div class="et_pb_text_inner"><p>How many times do you have to read about this stuff… hear about it on the news…  listen to people who had it happen to them, before you actually do something to prevent it from happening to you?  What’s the number?  Ten?  Thirty?  One Hundred?  More?</p>
<p>Let’s do a little review first on what has happened since early 2021….  Just in summary:</p>
<ul>
<li>Colonial Pipeline &#8211; $4.4 million paid (but 64 bitcoin, approximately $2.3 million, was recovered by the US Government from a virtual wallet &#8211; the only known recovery of significance to date) &#8211; resulted in severe gas shortages, long lines and extremely high prices all over the East Coast.</li>
<li>JBS Foods reportedly paid $11 million after the Memorial Weekend, 2021 attack, which caused severe meat shortages in an already pinched supply chain during the pandemic.</li>
<li>Kaseya Software hack occurred, affecting customers in approximately 17 countries.</li>
<li>Microsoft Exchange Server Breach in early 2021, giving attackers full access to user emails and passwords on affected servers, <a href="https://en.wikipedia.org/wiki/Superuser">administrator privileges</a> on the server, and access to connected devices on the same network. As of March, 2021, it was estimated that 250,000 servers fell victim to the attacks, including servers belonging to around 30,000 organizations in the United States, 7,000 servers in the United Kingdom, as well as the <a href="https://en.wikipedia.org/wiki/European_Banking_Authority">European Banking Authority</a>, the <a href="https://en.wikipedia.org/wiki/Storting">Norwegian Parliament</a>, and Chile&#8217;s Commission for the Financial Market (CMF).</li>
</ul>
<p>Healthcare and insurance providers have of course been a huge target for cyber-attacks.  We’ve heard of Anthem, Premera Blue Cross, Mass General, Cottage Health, UMass, Scripps and more, all falling victim to cyber criminals.  It’s commonly felt that healthcare and medical information is susceptible to cyber-attacks because of the amount of highly sensitive data that these organizations possess.  Of course, the medical and insurance industries are subject to privacy and security laws such as the HIPAA Security Rule and HITECH, so there is a standard for protecting information.  But as I said in my last article on this, there is no single federal law regulating cybersecurity or information security.  We have a hodgepodge of state laws and minor federal laws, but no single protection source, as they do in the European Union and other nations.</p>
<p>Lately, it seems, mobile banking is among the latest victims, with Bank of America and Wells Fargo customers being scammed by outsiders using the mobile banking app Zelle to steal money from their accounts; and worse yet, the customers themselves allowed it to happen, because they thought they were talking to their banks, and instead of stopping it, they basically allowed the Zelle scammers to take money directly from their accounts.</p>
<p>Another very scary security scenario, in my opinion, is everyone’s use of QR Codes.  They’ve become all the rage to use… but they are also susceptible to hacking, which I will discuss further later in this article.</p>
<p>And let’s not forget Mobile Ticketing and the requirement of season ticket holders and individual game purchasers to download their team’s league app, without thinking twice about it and not questioning the permissions they are granting, which can be a security nightmare.</p>
<p>So, for anyone reading this, it’s not over.  That storm I talked about last summer and fall in my article referenced above has not passed.  If we thought we were in the eye of that storm then, I hate to be the bearer of bad news, but it’s more than a season of continuing storms with no clear skies ahead as far as the trend for more cyber-attacks and ransomware, <em>because most of us are allowing the bad guys to keep doing it!</em></p>
<p>As long as we still have that Weakest Link I discussed in the previous article &#8211; human beings &#8211; we will always have risks, and we need to learn how to manage those risks, now and in the long run.  Until we do, we will continue to hear news reports on breaches and ransomware, and companies will continue to be at risk.</p>
<p>I will provide you with some more detail on these recent breaches, hacks, scams and current risks you should be aware of below.</p>
<p><strong>Microsoft Breach by Lapsus$ Hacker Group, March 2022</strong></p>
<p>Just this past March, Microsoft announced it was breached by Lapsus$ Hacker Group…  News reports said that a screenshot was taken indicating that Bing, Cortana and other projects had been compromised in this breach.</p>
<p>As I often do, I looked to my HIPAA Security/HITECH and IT Services and Security partners, Aditi Group, to offer some insight from an IT or technical perspective as to what happened, if there is anything Microsoft users need to be worried about, or things they need to do to protect themselves.  I was able to gain some additional insight to share with you in my conversations with Ted Flittner and Ted Mayeshiba, principals of Aditi Group.</p>
<p>“This group has also just successfully attacked T-Mobile and a growing list of big-name companies,” stated Ted Flittner.  “What happened with Microsoft is that hackers allegedly stole portions of source code for the search service Bing, and the navigation for Bing Maps and Cortana (Microsoft’s answer to Siri).  Microsoft’s public statement is that obtaining portions of source code <em>does not</em> put the general public at risk.”</p>
<p>Flittner continued: “In truth, knowing the code can increase risk by allowing hackers to scrutinize it and find weaknesses that Microsoft hasn’t found or fixed.  Since these services (Bing, Maps, Cortana) don’t require user login info, there probably is not a risk.”</p>
<p><strong>Block (Formerly Square) Breach, April, 2022</strong></p>
<p>More recently, Block (formerly Square) acknowledged that its Cash App had been breached by a former employee in December, 2021.  It’s reported that over 8 million customers were affected.  The breach included customer names, brokerage account numbers, portfolio information and stock trading activity.  They are claiming that no other personally identifiable information or account credentials were leaked in the incident.  What is the danger of this sort of breach?  Again, I went to my tech experts.</p>
<p>“This is a straightforward case of a former employee still able to log into Cash App’s system and download user reports,” stated Flittner.  “These are the same reports the employee was authorized to view while still working there.  Even if no personally identifiable info was accessed, the data that was downloaded is PRIVATE info that people only want to share with their tax accountant or investment advisor.  That sort of info helps criminals pick which people to target in phishing scams.  Think Frank Abagnale Jr., the real-life person played by Leonardo DiCaprio in ‘Catch Me If You Can.’  Frank just needed some info about people to pretend to be them…and scam money.”</p>
<p><strong>T-Mobile Breach</strong></p>
<p>I also discussed the recent T-Mobile attack by Lapsus$, since it was the same hacker group as the Microsoft hack, with Ted Flittner, and asked him to let us know what happened and how it happened.</p>
<p>“The T-Mobile attack by Lapsus$ did not breach customer data directly.  T-Mobile has had its share of that, including a breach of 47 million customers’ personal data in 2021.  This Lapsus$ attack involved BUYING T-Mobile employee VPN (virtual private network) login info.  These were purchased on the dark web with the goal of escalating and accessing T-Mobile’s account management system and ultimately allowing hackers to ‘SIM swap.’  That’s when you tell the phone company that the phone number is now tied to a different SIM card.  This lets someone hijack your cell phone.  And if your cell phone is used for account verification – text messages for example – the hacker now can bypass multifactor authentication.”</p>
<p>Flittner continued: “Though hackers didn’t get far enough this time, it highlights the problem of phone numbers being hacked.  And why we recommend using multifactor authentication with a hardware key – like Yubico.”</p>
<p><strong>Are Banking Apps Safe?  </strong></p>
<p>The world of banking has evolved to the now “must have” banking apps on your mobile devices.  Banks need to draw new customers, and many of them are young and tech-savvy.  They’ve literally grown up on the technology some of us are still trying to adapt to in our everyday lives.</p>
<p>Zelle is used by many banks in the USA today for easily transferring and sending money.  These banks include Bank of America, Capital One, Wells Fargo, US Bank, JP Morgan Chase and PNC Bank.  Of course, Apple also offers their Apple Bank mobile app, and there are many more.  But are they safe?</p>
<p>I briefly described earlier the recent scams using Zelle that cost customers of Bank of America and Wells Fargo hundreds to thousands of dollars as scammers spoofed the banks’ phone numbers and the customers were sent text messages, followed by a phone call, which informed them of an attempt to transfer funds.  As a “preventive measure” the scammers gave instructions to the customers which instead sent their funds off to the scammers.  The banks are not actually obligated to replace the money in their accounts if their customers authorized the money to be transferred, which in these instances happened.</p>
<p>So how do we keep our money safe if we’re using banking apps on our mobile devices?  To assist me with this question, I once again went to Aditi Group, to give you more information from the tech side.</p>
<p>“These banking scams are really using age old tactics: pretending to be someone they’re not,” stated Ted Flittner.  “The callers use false Caller ID for the phone call and text messages to innocent bank customers.   They SAY they’re from Wells Fargo or BoA or another of the most common banks.  Some people have been fooled into divulging their account credentials ‘to avoid attempted fraud.’ And in the process they ALLOW the fraud.”</p>
<p>Flittner continued: “This is not a failure by the application.  This is a failure to understand how a fraud investigation really works.  The financial institution doesn’t ask for your login credentials.  But when you call them, they ask you to verify who you are – name, birthdate, address, last 4 numbers of your social security number.  We all need to be sure WHO we’re talking to on the other end of the line.  Is it the BANK or a SCAMMER?  We recommend always calling them back.  Check the number they give you and see if it matches the phone number on the back of your credit card or the bank.  If not, call the phone number you KNOW for your bank and ask about it.”  That is something that we’ve encouraged people to do for several years.</p>
<p>“Banking Apps are as safe as using a web browser normally,” continued Flittner.  “Potential security problems include logging into apps when others can see you, or working on public wifi, where hackers may have obtained access to your phone or computer.  Other problems are the general ones that apply whether it’s a mobile app or a web browser on a computer, like using weak passwords or leaving your password around for others to find.  And with phones, leaving them unattended without a strong password to keep others from doing bad things while you’re not looking.”</p>
<p><strong>The Risks of Using QR Codes</strong></p>
<p>QR Codes are all the rage… If you’re trying to advertise something and you don’t have one, you feel like you’ll be left behind and lose out to your competitors… And now it’s not just advertising… QR codes can be found everywhere…   The problem is, they too can be compromised.  Thieves and bad actors have begun placing their own QR codes over the originals and sending your phone to unsafe sites where, again, bad things can happen.  Keep in mind, a QR code scanner uses the phone’s camera… therefore it needs access to your camera, and will often ask for (and people automatically give) permission to view all of the files and photos on your device.  <em>Wait, what?  All of your photos and all of your files?</em>  Are your company files in Dropbox, which you can access from your phone?  Are your emails from your customers, or their private information such as their names, phone numbers, account numbers, maybe credit card numbers, in those files on your phone?  If so, do you want every entity that you scan a QR code for to have all of that information?  If not, you might want to think twice about using QR codes without scrutinizing them.</p>
<p>Again, I went back to my tech experts to provide some more detail from the technology side.</p>
<p>“Look before you leap,” stated Flittner.  “Does the QR code look legit or is it like sticker graffiti on a traffic light pole?  If it looks like someone pasted a sticker on the original, stop.”  It sounds simple, but many people just don’t stop to take that second look, and that is a real problem.</p>
<p>“If you do scan the code, look at the website address (URL) that it shows before agreeing to load the page. Only use the QR code reader apps or camera apps that let you choose to visit the website or not, instead of having it load automatically,” continued Flittner.  “Once it loads, look at the website to be more certain it’s real before you enter any personal data, credit card or sensitive info.”</p>
<p><strong>Mobile Ticketing Apps</strong></p>
<p>Whether you’re a concert-goer or a sports fan, or anything in-between, it’s likely your event is now using Mobile Ticketing only.  The problem with mobile ticketing apps is that they can be unsafe, because people don’t always look at the permissions they are granting to the app when they install it, automatically clicking yes to accept the terms without looking further or questioning the app’s intentions.</p>
<p>My company has season tickets for the Anaheim Ducks (NHL) and the LA Rams (NFL), and both have mobile ticketing… But me being me, and being worried about the dangers of mobile apps, I always ask the team if I can get paper tickets.  Yes, it’s old-fashioned, but much safer.  Sometimes if you ask there is no charge for paper tickets.  Sometimes you have to pay a paper ticket fee, but to me, it’s worth it.  Why?  What’s so scary about these apps?</p>
<p>I’ve seen these apps asking <em>for permission to access your files, your photos, and get this, your <strong>network access</strong></em>.  So, before you start clicking OK for all of the permissions you’re granting them, you need to slow down and figure out how to see all of the permission requests and how to say no to what they do not need and what you do not want to give them access to.  If you’re not sure, contact an IT or security expert.</p>
<p>Another option is to have a second phone; one for business and one for things like mobile ticketing apps.  For the latter, don’t store anything on the second phone.  Use it only for those concerts or sporting events.  (But yes, that can be expensive to have 2 phones – see if a very limited plan can be used for the latter).</p>
<p><strong>Crypto Currency</strong></p>
<p>Crypto currency is the latest rage… Everyone wants it, even buildings now display their names, but no one is regulating it.  In January, 2022, it was reported that $30 Million was stolen in the Crypto.com breach.  ($18 million in bitcoin and $15 million in Ethereum, as well as other cryptocurrencies).   I asked Aditi Group if they could tell us more about crypto currency and the dangers of using it, and if people are buying it and trading with it, is there anything that can be done to protect them?</p>
<p>“There are probably THOUSANDS of crypto currency offerings now,” stated Flittner.  “It takes very little to create one and make it public.  And without regulation and with investor frenzy over potential profits to be made, it’s easy to get caught up in emotion and skip due diligence.  <em>Simply from an investment perspective, crypto investing is gambling.  It can pay off for you or wipe out your savings.</em></p>
<p>“From a security perspective, it requires smart and strong password management.  The main path of breach is someone getting your login and password to your crypto wallet.   Guard those passwords.  Make them as strong as possible,” warned Flittner.</p>
<p>“Crypto.com, which is a crypto trading platform, was breached by hackers, and the breach was discovered this January. Hackers were able to bypass the 2-factor authentication for user accounts; 483 accounts were accessed and $30 M in bitcoin and Ethereum (crypto coin) was stolen.  Crypto.com reimbursed the user accounts and stopped other attempted transfers.  They have since announced stronger ‘multi-factor’ authentication coming this year,” stated Flittner.</p>
<p>“Part of the risk with crypto is once it’s stolen, you may have no recourse,” continued Flittner.  “Crypto.com is rolling out a new Worldwide Account Protection Program that can insure your account up to $250,000 – if you meet certain conditions.” So if you’re thinking of investing in crypto currency, be sure you do your homework and put in the necessary security protocols before you invest.</p>
<p><strong>How Do We Protect Ourselves and Our Companies?</strong></p>
<p>So how do we protect ourselves from these common threats?  As a privacy &amp; security consultant and trainer, my first instruction is always to DO A RISK ASSESSMENT.  You need to figure out where your risks are before you can mitigate those risks.  You need to know where you are before you can move forward with a security plan.</p>
<p>“This is all about being aware of danger before it strikes,” stated Flittner.  “And preparing to reduce risk and recover faster if it does.”</p>
<p><strong><em>The Need for Risk Assessments – An Ongoing Security Tool</em></strong></p>
<p>Every article I write about this topic and every training I do includes my preaching to you all about the need to do Risk Assessments.  This means you must look at every device, every tool, every router, your network, and everything else to determine where the risks are, and figure out how to mitigate those risks.</p>
<p>According to Ted Flittner, “In basic terms, this is a comprehensive review of you or your business to consider what risks you may face (stolen computer, ransomware attack, even physical break-in), what inherent vulnerabilities you have (staff bringing their own computers, work at home, out of date software), the likelihood of each type of problem actually happening, and the impact if they do.  Then we decide which items are really critical to address, less serious, and on down.  Sometimes we conclude that chances are LOW that a problem happens, but the IMPACT would be catastrophic, so we take steps to avoid or easily recover (think Life Insurance).”</p>
<p>Flittner continued: “The result should be ACTION to address the dangers.  HIPAA and HITECH require it for businesses that fall under HIPAA.  And it’s often mentioned by the federal investigators as missing or lacking in HIPAA violations.”</p>
<p>According to OCR’s March 17, 2022 newsletter, “OCR Cybersecurity Newsletter: Defending Against Common Cyber Attacks” (which I’ll mention again below and include the link to view it), ways of identifying technical vulnerabilities to include in a risk analysis include the following:</p>
<ul>
<li>subscribing to Cybersecurity and Infrastructure Security Agency (CISA) alerts (<a href="https://us-cert.cisa.gov/ncas/alerts">https://us-cert.cisa.gov/ncas/alerts</a>) and bulletins (<a href="https://us-cert.cisa.gov/ncas/bulletins">https://us-cert.cisa.gov/ncas/bulletins</a>);</li>
<li>subscribing to alerts from the HHS Health Sector Cybersecurity Coordination Center (HC3) (<a href="https://www.hhs.gov/about/agencies/asa/ocio/hc3/contact/index.html">https://www.hhs.gov/about/agencies/asa/ocio/hc3/contact/index.html</a>);</li>
<li>participating in an information sharing and analysis center (ISAC) or information sharing and analysis organization (ISAO);</li>
<li>implementing a vulnerability management program that includes using a vulnerability scanner to detect vulnerabilities such as obsolete software and missing patches; and</li>
<li>periodically conducting penetration tests to identify weaknesses that could be exploited by an attacker.</li>
</ul>
<p>Regulated entities, according to OCR, should not rely on only one of the above techniques, but rather should consider a combination of approaches to properly identify technical vulnerabilities within their enterprise.  Once identified, assessed, and prioritized, appropriate measures need to be implemented to mitigate these vulnerabilities (<em>e.g.,</em> apply patches, harden systems, retire equipment).</p>
<p>How often should a Risk Assessment be done?  According to Ted Flittner: “We recommend a yearly review or when major changes happen with the business.”</p>
<p>Who should be involved in a Risk Assessment?  Is it just IT?  “Risks involve the whole team,” stated Flittner.  “Key supporters of Risk Assessments should include executives, especially financial leadership.  But really, everyone should be involved in some way.”</p>
<p>What are some of the areas in an organization that need to be looked at in a risk assessment?  Again, I went to Aditi Group for their comments.  “Everywhere that sensitive info moves throughout your business,” replied Flittner. “This could just be one department like Human Resources, or it could affect everyone.”</p>
<p>What sort of questions, tasks, need to be included in a Risk Assessment?  Ted Mayeshiba of Aditi Group responded as follows: “Physical inventory &#8211; what devices hold sensitive data (PHI in HIPAA terminology).  Important questions include:  ‘Where does the data reside?  What’s in ‘the cloud’ with 3<sup>rd</sup> party companies?  Who should access the sensitive info?  And how do you control access?  Is there a BA agreement in place?  Does the 3rd party company have access to the data?’    All of these should be considered and discussed within your organization.”</p>
<p>We always recommend that a Risk Assessment be done by an independent third party.  Why?  “Three main reasons: first it’s not the main job of employees, so it rarely gets priority; second, outside eyes tend to notice problems that people who see the process every day can miss (can’t see the forest through the trees in front of them); and third, employees sometimes are reticent to admit to weaknesses in the process,” stated Flittner.</p>
<p>I asked Ted Flittner what message he would share with every business owner, large or small, about Risk Assessments and their importance in protecting their data.  Ted replied: “Know before it’s too late.  Be Prepared.  As a former Boy Scout, I learned to live by the motto long ago.   Security is always evolving and where you didn’t think you have risk in the past may be totally different today.  And the cost of problems like data breaches and ransomware are much higher than the cost of prevention.”</p>
<p><strong><em>Weak Cybersecurity Practices</em></strong></p>
<p>It is well known that a regulated entity that has weak cybersecurity practices makes itself an attractive soft target for hackers and cyber criminals.  Weak authentication requirements are frequent targets of successful cyber-attacks (over 80% of breaches due to hacking involved compromised or brute-forced credentials, according to OCR).  (Verizon, <em>2020 Data Breach Investigations Report</em>, 2020, p. 19. Retrieved from <a href="https://enterprise.verizon.com/resources/reports/2020/2020-data-breach-investigations-report.pdf">https://enterprise.verizon.com/resources/reports/2020/2020-data-breach-investigations-report.pdf</a>.)</p>
<p>Weak password rules and single factor authentication are among the practices that can contribute to successful attacks.  Once inside an organization, if the entity has weak access controls, this can further contribute to an attacker’s ability to compromise systems by accessing privileged accounts, moving to multiple computer systems, deploying malicious software, and exfiltrating sensitive data.</p>
<p>HIPAA rules state that regulated entities are required to verify that persons or entities seeking access to ePHI are who they claim to be by implementing authentication processes. (<em>See</em> 45 CFR 164.312(d): Standard: Person or Entity Authentication) A regulated entity’s risk analysis should guide its implementation of appropriate authentication solutions to reduce the risk of unauthorized access to ePHI.  For example, authenticating users that access a regulated entity’s systems remotely (<em>e.g</em>., working from home) may present a higher level of risk to a regulated entity’s ePHI than users logging into their desktop computer at work.  To appropriately reduce the higher level of risk of remote access, a regulated entity may consider implementing stronger authentication solutions, such as multi-factor authentication.</p>
<p>According to OCR’s March 17<sup>th</sup> newsletter, implementing access controls that restrict access to ePHI to only those requiring such access is also a requirement of the HIPAA Security Rule.  (<em>See</em> 45 CFR 164.312(a)(1): Standard: Access Control.) Here, too, the risk analysis should guide the implementation of appropriate access controls.  For example, a regulated entity may determine that because its privileged accounts (<em>e.g.,</em> administrator, root) have access that supersedes other access controls (<em>e.g.,</em> role- or user-based access) – and thus can access ePHI, the privileged accounts present a higher risk of unauthorized access to ePHI than non-privileged accounts.  Not only could privileged accounts supersede access restrictions, they could also delete ePHI or even alter or delete hardware or software configurations, rendering devices inoperable.  To reduce the risk of unauthorized access to privileged accounts, the regulated entity could decide that a privileged access management (PAM) system is reasonable and appropriate to implement.  A PAM system is a solution to secure, manage, control, and audit access to and use of privileged accounts and/or functions for an organization’s infrastructure.  A PAM solution gives organizations control and insight into how its privileged accounts are used within its environment and thus can help detect and prevent the misuse of privileged accounts.</p>
<p>Regulated entities should periodically examine the strength and effectiveness of their cybersecurity practices and increase or add security controls to reduce risk as appropriate.  Regulated entities are required to periodically review and modify implemented security measures to ensure such measures continue to protect ePHI. (<em>See</em> 45 CFR 164.306(e): Maintenance.) Further, regulated entities are required to conduct periodic technical and non-technical evaluations of implemented security safeguards in response to environmental or operational changes affecting the security of ePHI to ensure continued protection of ePHI and compliance with the Security Rule. (<em>See</em> 45 CFR 164.308(a)(8): Standard: Evaluation.) Examples of environmental or operational changes could include: the implementation of new technology, identification of new threats to ePHI, and organizational changes such as a merger or acquisition.  But even if you’re not a HIPAA Covered Entity, these practices should apply to any organization due to the many other state and federal privacy and security rules, and as a matter of overall good business practice to keep your organization’s data safe.</p>
<p><strong>New Federal Guidance on Defending Against Common Cyber-Attacks</strong></p>
<p>In the past few months, both the IRS and HHS’s Office of Civil Rights have issued guidance and newsletters for HIPAA Covered Entities on keeping you safe against common cyber threats.  I’ll try to highlight some of the most important tips.  I would suggest you read the HHS Office for Civil Rights In Action March 17, 2022 Newsletter, “OCR Cybersecurity Newsletter: Defending Against Common Cyber Attacks,” which I mentioned above.  It can be found at:  <a href="https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-first-quarter-2022/index.html">https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-first-quarter-2022/index.html</a>.  In addition, the IRS published several releases in February 2022 to protect taxpayers from scams and fraudulent activity (<a href="https://www.irs.gov/newsroom/irs-warning-scammers-work-year-round-stay-vigilant">https://www.irs.gov/newsroom/irs-warning-scammers-work-year-round-stay-vigilant</a>), as well as announcing a transition away from the use of third-party verification involving facial recognition (<a href="https://www.irs.gov/newsroom/irs-announces-transition-away-from-use-of-third-party-verification-involving-facial-recognition">https://www.irs.gov/newsroom/irs-announces-transition-away-from-use-of-third-party-verification-involving-facial-recognition</a>).  I will attempt to summarize some of the more important items discussed in these publications and provide additional commentary.  I also want to point out that since we don’t have a single national entity regulating all forms of electronic and cybersecurity, even if you’re not a covered entity under HIPAA rules, the HIPAA Security and HITECH rules are very effective in protecting your organization from all types of electronic and cybersecurity threats.  Simply, it’s all we have, for the most part, so use those rules to your advantage.</p>
<p><strong><em>Phishing, Spear Phishing and Whaling</em></strong></p>
<p>As discussed in my last article, one of the most common attack vectors is Phishing.  This is a type of cyber-attack that is used to trick individuals into divulging sensitive information via electronic communications, such as by email, or by impersonating a trustworthy source.  According to HHS, a recent report noted that 42% of ransomware attacks in Q2 of 2021 involved phishing.</p>
<p>If you’re subject to HIPAA Security and HITECH (meaning you are a HIPAA Covered Entity, such as a sponsor of a health plan, an insurance company or a provider of health care services) your workforce members should understand that they have an important role in protecting the ePHI of their organization from cyber-attacks, according to OCR.  Part of that role involves being able to detect and take appropriate actions if someone in your organization encounters a suspicious email.  The problem is, if they are not trained to detect suspicious emails, they will go unnoticed, and bad things generally tend to happen as a result.  These regulated entities should train their workforce (there is that word again… train…) to recognize phishing attacks and implement a protocol on what to do when such attack or suspected attack occurs.  Do you have such protocols in place in your organization?  Do your employees know who they are supposed to report suspicious emails to in your organization?  Is anyone assigned to be that person or department?</p>
<p>Ted Mayeshiba of Aditi Group had these words to share.  “In the latest Office of Civil Rights Newsletter, the government has tipped their hand as to the raising of the threshold of ‘reasonable efforts’ for evaluating companies’ ‘best efforts’ defending against common cyber-attacks.  There is a new and repeated reference to ‘penetration attacks’ as a best practice which should be adopted by companies.”</p>
<p>Ted Mayeshiba continued: “Penetration testing is usually a third party outside attack on your company’s network by ‘friendly’ forces that test weaknesses in your network.  This is really nothing new, this is done by Fortune 500 firms.  It is the first time that we’ve witnessed this idea put forth in a regular OCR Cybersecurity Newsletter.  Of particular interest was the reference to tie cybersecurity training programs with a follow up with friendly ‘phishing’, ‘spear phishing’ and ‘whaling’ attacks to test the effectiveness of the training.  As attacks become more frequent and target even ‘small’ firms, it is becoming increasingly urgent to tighten cybersecurity for all firms.”</p>
<p>According to Mayeshiba, “‘Phishing’ is a type of social engineering attack commonly used to steal user data including login credentials or other financial data.  It commonly occurs when an attacker, masquerading as a trusted entity, dupes a victim into revealing sensitive information by opening an email, link or text message.  ‘Spear phishing’ is similar to phishing, but the attack includes specific information unique to the individual being attacked, thereby increasing the likelihood of the victim opening the email, link or text message.”</p>
<p>Another term not mentioned in the OCR Newsletter is ‘whaling’.  Mayeshiba defines this as “similar to phishing, but the attack is specific to executives (C-suite) or to others where the bad actor masquerades as the executive to coerce a trusted employee to divulge sensitive information.”</p>
<p>According to the HIPAA Security Rule, regulated entities are required to implement awareness and training programs for all of their workforce members, and such programs should be an ongoing and evolving process that changes as new threats develop.  Your management personnel should also be participating in training… I’ve seen far too often that executives want their employees to be trained but fail to go through it themselves.  Then, when they are targeted by phishing email attacks, which they often are because they generally have access to a greater amount of ePHI, they don’t follow protocols, and they are often the reason such schemes result in bad things happening.</p>
<p>The key to an effective security training program is repetition and periodic security reminders.  In fact, the Security Rule includes an addressable provision for such reminders.  Are you doing this within your organization?</p>
<p>OCR suggests in their newsletter that covered entities should, for example, send simulated phishing emails to your workforce members to gauge the effectiveness of their security awareness and training program and offer additional, targeted training where necessary.  An educated workforce can be an effective first line of defense and an integral part of a regulated entity’s strategy to defend, mitigate, and prevent cyber-attacks.</p>
<p>In my opinion, the worst type of training you can provide is a canned, “check-the-box” training consisting of a few simple presentation slides.  It’s best to think of interesting, innovative ways to engage your workforce to understand the risks and prevent cyber-attacks.</p>
<p>OCR suggests that regulated entities can mitigate the risk of phishing attacks by implementing anti-phishing technologies.  This could mean examining and verifying that received emails do not originate from known malicious sites.  If an email is suspected of being a threat, it can be blocked and appropriate personnel can be notified to step in and deal with the threat head-on.  Other approaches, according to OCR, can involve scanning web links or attachments included in the emails for potential threats and removing them if a threat is detected.  Newer techniques can leverage machine learning or behavioral analysis to detect potential threats and block them as appropriate.</p>
<p>The key is developing and implementing “policies and procedures to protect ePHI from improper alteration or destruction.”  It’s important to note that the Security Rule requires regulated entities to assess and reduce risks and vulnerabilities to the availability of ePHI, as well as confidentiality and integrity.</p>
<p>Anti-phishing technologies can impede or deny the introduction of malware that may attempt to improperly alter, destroy, or block authorized access to ePHI (for example, ransomware), and thus can be a helpful tool to preserve the integrity and availability of ePHI, according to OCR.</p>
<p>It is always advisable to combine an educated, engaged workforce with technical solutions in order to achieve the best opportunity to reduce or prevent phishing attacks.</p>
<p><strong><em>Exploiting Known Vulnerabilities</em></strong></p>
<p>I think most of you know and understand that hackers can penetrate an entity’s network and gain access to ePHI or other sensitive data by exploiting known vulnerabilities, that is, vulnerabilities that are publicly known to exist.  The National Institute of Standards and Technology (NIST) maintains the National Vulnerability Database (NVD), which provides information about known vulnerabilities.  Exploitable vulnerabilities can exist in many parts of your information technology infrastructure, such as on your servers, your desktops, mobile device operating systems, applications, databases, your web software, your routers, your firewalls, and other device firmware.  Often known vulnerabilities can be mitigated by applying vendor patches or upgrading to a newer version.  If a patch or upgrade isn’t available from the vendor, the vendor may suggest actions you can take to mitigate a newly discovered vulnerability.  These could include modifications of configuration files or disabling affected services.</p>
<p>It’s important to remember that older applications or devices may no longer be supported with patches for new vulnerabilities, so you will need to take appropriate action if a newly discovered vulnerability affects older applications or devices.  If an obsolete and unsupported system cannot be upgraded or replaced, then additional safeguards must be implemented or existing safeguards enhanced to mitigate the known vulnerabilities until an upgrade or replacement can occur.  This may involve increasing access restrictions, removing or restricting the old device from network access, or disabling unnecessary features or services.</p>
<p>The bottom line is, you need to do a risk analysis to determine these potential risks and vulnerabilities.  Not once, but often and on an ongoing basis.</p>
<p><strong>Read, Sink In, Repeat – The Need for Continued Training</strong></p>
<p>Although I discussed this in detail in my first article, I do want to touch on it again… It’s imperative that employers take the time to train their employees on the electronic risks that are out there, because if you don’t, it only takes one wrong click on an emailed link to download malware, worms or other things that can bring your systems to a screeching halt.  As Ted Flittner stated in that article, “Know company policies and why it matters to follow them.   The key topic these days is email diligence.  Don’t click on email links or download files that you don’t really know.  Slow down and take time to scrutinize.  Teach people how to recognize fakes and legitimate messages.  And train people on how to react if malware, ransom, or phishing attempts succeed.  Who should they call and what should they do next?  That seems to be one of the glaring missing pieces in most employers’ privacy policies.”</p>
<p>Bottom line, train now and train often.  You can never train enough.  Things change, and so should your training.  Keep up to date and keep up with the latest threats.</p>
<p><strong>Same Message, Different Result?</strong></p>
<p>Although to some extent I am sharing with you the same message as my prior article from 2021, I’m hoping for, someday soon, a different result.  We don’t need to keep repeating the same mistakes and putting off for tomorrow something that should have been done yesterday.  The only way to have a different result, a better result, with fewer hacks and fewer cyber-attacks, is to do what you know you need to do.  <em>Do a risk assessment</em>.  See where you are and where you want to be and develop policies and procedures to help you meet your goals.  And don’t forget to train your employees regularly and often, keeping up to date with the latest threats.  I’d like to think that perhaps someday soon I won’t have to keep writing these articles every year….  So let’s work on a different result, please!</p>
<p><strong><em>Author’s Note</em></strong>:  I’d like to thank Ted Flittner and Ted Mayeshiba of Aditi Group for their assistance with this article.  I can be reached at Advanced Benefit Consulting, <a href="mailto:dmcociu@advancedbenefitconsulting.com">dmcociu@advancedbenefitconsulting.com</a>, or by phone at 714 693-9754 x 3.  Ted Flittner and Ted Mayeshiba can be reached at AditiGroup.com, or by email at <a href="mailto:ted.flittner@aditigroup.com">ted.flittner@aditigroup.com</a> or <a href="mailto:ted.mayeshiba@aditigroup.com">ted.mayeshiba@aditigroup.com</a>. Advanced Benefit Consulting &amp; Aditi Group offer privacy &amp; security training, consultation and implementation system assistance, as well as Risk Assessment services on an ongoing basis.</p>
<p><strong><em>Dorothy Cociu is the President of Advanced Benefit Consulting, Anaheim, CA, and the current Vice President, Communications, of the California Agents &amp; Health Insurance Professionals (CAHIP) 2021-2022.  </em></strong></p>
<p><strong><em>References &amp; Sources:</em></strong></p>
<p>HHS Office of Civil Rights March 17, 2022 Newsletter, “OCR Cybersecurity Newsletter: Defending Against Common Cyber Attacks.”</p>
<p>IRS publications February, 2022:  (<a href="https://www.irs.gov/newsroom/irs-warning-scammers-work-year-round-stay-vigilant">https://www.irs.gov/newsroom/irs-warning-scammers-work-year-round-stay-vigilant</a>) and (<a href="https://www.irs.gov/newsroom/irs-announces-transition-away-from-use-of-third-party-verification-involving-facial-recognition">https://www.irs.gov/newsroom/irs-announces-transition-away-from-use-of-third-party-verification-involving-facial-recognition</a>).</p>
<p>Plus sources referenced above in the article.</p></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>March 2022 HIPAA Privacy &#038; Security And Other HHS/OCR &#038; Related Federal Updates</title>
		<link>https://advancedbenefitconsulting.com/march-2022-hipaa-privacy-security-and-other-hhs-ocr-related-federal-updates/</link>
		
		<dc:creator><![CDATA[Healthcare Benefits Specialist]]></dc:creator>
		<pubDate>Fri, 04 Mar 2022 19:38:10 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[HIPAA Privacy & Security Updates]]></category>
		<category><![CDATA[Published Articles]]></category>
		<category><![CDATA[The STATEment]]></category>
		<guid isPermaLink="false">https://advancedbenefitconsulting.com/?p=6134</guid>

					<description><![CDATA[<p>The post <a href="https://advancedbenefitconsulting.com/march-2022-hipaa-privacy-security-and-other-hhs-ocr-related-federal-updates/">March 2022 HIPAA Privacy &#038; Security And Other HHS/OCR &#038; Related Federal Updates</a> appeared first on <a href="https://advancedbenefitconsulting.com">Advanced Benefit Consulting</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_1 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_3">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_5  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_6  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><h2>From Dorothy Cociu, The STATEment Editor and HIPAA Privacy &amp; Security, Consultant &amp; Trainer</h2>
<h3><strong>March 2022</strong></h3></div>
			</div><div class="et_pb_module et_pb_text et_pb_text_7  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p>There are no HIPAA, HHS or OCR updates for this issue, but the IRS has issued some important privacy-security related notices, which I thought I’d share with you. In addition, because it’s almost tax time, I wanted to provide you with some IRS-provided tips and information to assist you.</p>
<p><div id="attachment_6122" style="width: 242px" class="wp-caption alignright"><a href="https://www.camsdev.net/CAHU/Magazine/March-April-2022/"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-6122" src="https://advancedbenefitconsulting.com/wp-content/uploads/CAHU-Statement-MarApr22_001-232x300.jpg" alt="CAHIP The STATEment magazine March 2022" class="wp-image-6122 size-medium" width="232" height="300" /></a><p id="caption-attachment-6122" class="wp-caption-text">Read this article online in March-April Issue of The STATEment</p></div></p>
<h3>Third Party Verification of Facial Recognition</h3>
<p>On February 7, 2022, the IRS announced in issue number IR 2022-27 a transition away from the use of third-party verification involving facial recognition.</p>
<p>The IRS announced it will transition away from using a third-party service for facial recognition to help authenticate people creating new online accounts. The transition will occur over the coming weeks in order to prevent larger disruptions to taxpayers during filing season.<br />During the transition, the IRS will quickly develop and bring online an additional authentication process that does not involve facial recognition. The IRS will also continue to work with its cross-government partners to develop authentication methods that protect taxpayer data and ensure broad access to online tools.</p>
<p>“The IRS takes taxpayer privacy and security seriously, and we understand the concerns that have been raised,” said IRS Commissioner Chuck Rettig. “Everyone should feel comfortable with how their personal information is secured, and we are quickly pursuing short-term options that do not involve facial recognition.”</p>
<p>The transition announced today does not interfere with the taxpayer’s ability to file their return or pay taxes owed. During this period, the IRS will continue to accept tax filings, and it has no other impact on the current tax season. People should continue to file their taxes as they normally would.</p>
<h3>Warning About Scammers Working Year Around</h3>
<p>On February 3, 2022, in IR-2022-25, the IRS issued a warning that scammers do indeed work year around, and stated that everyone should stay vigilant.</p>
<p>As the new year begins, the Internal Revenue Service reminds taxpayers to protect their personal and financial information throughout the year and watch out for IRS impersonation scams, along with other schemes, that try to trick people out of their hard-earned money.</p>
<p>These schemes can involve text message scams, e-mail schemes and phone scams. This tax season, the IRS also warns people to watch out for signs of potential unemployment fraud.</p>
<p>“With filing season underway, this is a prime period for identity thieves to hit people with realistic-looking emails and texts about their tax returns and refunds,” said IRS Commissioner Chuck Rettig. “Watching out for these common scams can keep people from becoming victims of identity theft and protect their sensitive personal information that can be used to file tax returns and steal refunds.”<br />The IRS, state tax agencies and the nation’s tax industry – working together in the <a href="https://www.irs.gov/newsroom/security-summit" target="_blank" rel="noopener"><em>Security Summit initiative</em></a> – have taken numerous steps since 2015 to protect taxpayers, businesses and the tax system from identity thieves. Summit partners continue to warn people to watch out for common scams and schemes this tax season.</p>
<h3>Text message scams</h3>
<p>Last year, there was an uptick in text messages that impersonated the IRS. These scams are sent to taxpayers’ smartphones and have referenced COVID-19 and/or “stimulus payments.” These messages often contain bogus links claiming to be IRS websites or other online tools. Other than IRS Secure Access, the IRS does not use text messages to discuss personal tax issues, such as those involving bills or refunds. The IRS also will not send taxpayers messages via social media platforms.</p>
<p>If a taxpayer receives an unsolicited SMS/text that appears to be from either the IRS or a program closely linked to the IRS, the taxpayer should take a screenshot of the text message and include the screenshot in an email to <a href="mailto:phishing@irs.gov"><em>phishing@irs.gov</em></a> with the following information:</p>
<ul>
<li>Date/time/time zone they received the text message</li>
<li>Phone number that received the text message</li>
</ul>
<p>The IRS reminds everyone NOT to click links or open attachments in unsolicited, suspicious or unexpected text messages – whether from the IRS, state tax agencies or others in the tax community.</p>
<h3>Unemployment fraud</h3>
<p>As a new tax season begins, the IRS reminds workers to watch out for claims of unemployment or other benefit payments for which they never applied. States have experienced a surge in fraudulent unemployment claims filed by organized crime rings using stolen identities. Criminals are using these stolen identities to fraudulently collect benefits.</p>
<p>Because unemployment benefits are taxable income, states issue Form 1099-G, Certain Government Payments, to recipients and to the IRS to report the amount of taxable compensation received and any withholding. Any worker receiving a fraudulent or inaccurate 1099-G should report it to the issuing state agency and request a corrected Form 1099-G.</p>
<p>For details on how to report fraud to state workforce agencies, how to obtain a corrected Form 1099-G, how to find a list of state contacts and other steps to take related to unemployment fraud, taxpayers can visit the U.S. Department of Labor’s <em><a href="https://www.dol.gov/agencies/eta/UIIDtheft" target="_blank" rel="noopener">DOL.gov/fraud page</a></em>.</p>
<p>Individuals may be victims of unemployment identity theft if they received:</p>
<ul>
<li>Mail from a government agency about an unemployment claim or payment for which they did not file. This includes unexpected payments or debit cards and could be from any state.</li>
<li>An IRS Form 1099-G reflecting unemployment benefits they weren&#8217;t expecting or didn’t receive. Box 1 on this form may show unemployment benefits they did not receive or an amount that exceeds their records for benefits they did receive. The form itself may be from a state in which they did not file for benefits.</li>
<li>A notice from their employer indicating the employer received a request for information about an unemployment claim.</li>
</ul>
<h3>Email phishing scams</h3>
<p>The IRS does not initiate contact with taxpayers by email to request personal or financial information. The IRS initiates most contacts through regular mail delivered by the United States Postal Service.</p>
<p>If a taxpayer receives an unsolicited email that appears to be from either the IRS or a program closely linked to the IRS that is fraudulent, report it by sending it as an attachment to <em><a href="mailto:phishing@irs.gov">phishing@irs.gov</a></em>. The <em><a href="https://www.irs.gov/privacy-disclosure/report-phishing" target="_blank" rel="noopener">Report Phishing and Online Scams page</a></em> at IRS.gov provides complete details.</p>
<p>There are special circumstances when the IRS will call or come to a home or business. These visits include times when a taxpayer has an overdue tax bill, a delinquent tax return or a delinquent employment tax payment. The IRS may also visit if it needs to tour a business as part of a civil investigation (such as an audit or collection case) or during a criminal investigation. The IRS provides specific guidance on <em><a href="https://www.irs.gov/newsroom/how-to-know-its-really-the-irs-calling-or-knocking-on-your-door">how to know it’s really the IRS knocking on your door</a></em>.</p>
<h3>Phone scams</h3>
<p>The IRS does not leave pre-recorded, urgent or threatening messages. In many variations of the phone scam, victims are told if they do not call back, a warrant will be issued for their arrest. Other verbal threats include law-enforcement agency intervention, deportation or revocation of licenses.<br />Criminals can fake or “spoof” caller ID numbers to appear to be anywhere in the country, including from an IRS office. This prevents taxpayers from being able to verify the true call number. Fraudsters also have spoofed local sheriff’s offices, state departments of motor vehicles, federal agencies and others to convince taxpayers the call is legitimate.</p>
<p>The IRS (and its authorized private collection agencies) will never:</p>
<ul>
<li>Call to demand immediate payment using a specific payment method such as a prepaid debit card, gift card or wire transfer. The IRS does not use these methods for tax payments.</li>
<li>Threaten to immediately bring in local police or other law-enforcement groups to have the taxpayer arrested for not paying.</li>
<li>Demand that taxes be paid without giving the taxpayer the opportunity to question or appeal the amount owed.</li>
<li>Ask for credit or debit card numbers over the phone.</li>
</ul>
<p>Generally, the IRS will first mail a bill to any taxpayer who owes taxes. All tax payments should only be made payable to the U.S. Treasury and <strong>checks should never be made payable to third parties</strong>.</p>
<p>For anyone who doesn’t owe taxes and has no reason to think they do:</p>
<ul>
<li>Do not give out any information. Hang up immediately.</li>
<li>Contact the Treasury Inspector General for Tax Administration to report the call at <a href="https://www.treasury.gov/tigta/reportcrime_misconduct.shtml" target="_blank" rel="noopener"><em>IRS Impersonation Scam Reporting</em></a>.</li>
<li>Report the caller ID and/or callback number to the IRS by sending it to <a href="mailto:phishing@irs.gov"><em>phishing@irs.gov</em></a> (Subject: IRS Phone Scam).</li>
<li><a href="https://reportfraud.ftc.gov/#/" target="_blank" rel="noopener"><em>Report it to the Federal Trade Commission on FTC.gov</em></a>. Add &#8220;IRS Telephone Scam&#8221; in the notes.</li>
</ul>
<p>For anyone who owes tax or thinks they do:</p>
<ul>
<li><a href="https://www.irs.gov/payments/your-online-account" target="_blank" rel="noopener"><em>View tax account information online at IRS.gov</em></a> to see the actual amount owed. Taxpayers can also review their payment options.</li>
<li>Call the number on the billing notice, or</li>
<li>Call the IRS at 800-829-1040. IRS employees can help.</li>
</ul>
<h3>Help for victims of ID theft</h3>
<p>Unfortunately, scams and schemes can often lead to identity theft. While identity theft can have many consequences, the IRS focuses on tax-related identity theft.</p>
<p>Tax-related identity theft occurs when someone uses an individual’s stolen Social Security number (SSN) to file a tax return claiming a fraudulent refund. Taxpayers may be unaware of this activity until they e-file a tax return and discover that a return has already been filed using their SSN. Or, the IRS may send them a letter saying it has identified a suspicious return using their SSN.</p>
<p>If a taxpayer learns their SSN has been compromised, or they know or suspect they are a victim of tax-related identity theft, the IRS recommends these additional steps:</p>
<ul>
<li>Individuals should respond immediately to any IRS notice; call the number provided.</li>
<li>Taxpayers should complete <a href="https://www.irs.gov/pub/irs-pdf/f14039.pdf"><em>IRS Form 14039, Identity Theft Affidavit (.pdf)</em></a>, if an e-file tax return rejects because of a duplicate filing under their SSN or they are instructed to do so by the IRS. Individuals can use a fillable form at IRS.gov, then print and attach the form to their paper return and mail according to instructions.</li>
<li>Victims of tax-related identity theft should continue to pay their taxes and file their tax return, even if they must do so by paper.</li>
<li>Taxpayers who previously contacted the IRS about tax-related identity theft and did not have a resolution should call for specialized assistance at 1-800-908-4490.</li>
</ul>
<p>More information is available at: <a href="https://www.irs.gov/identity-theft-central" target="_blank" rel="noopener"><em>IRS.gov/identitytheft</em></a> or the Federal Trade Commission’s <a href="https://www.identitytheft.gov/#/" target="_blank" rel="noopener"><em>identitytheft.gov</em></a>.</p>
<p>The official IRS website is IRS.gov. People should be aware of imitation websites ending in .com. This applies to other IRS tools, too, like <a href="https://www.irs.gov/filing/free-file-do-your-federal-taxes-for-free" target="_blank" rel="noopener"><em>Free File</em></a> — they all end in .gov.</p>
<p>For more information, visit <a href="https://www.irs.gov/newsroom/tax-scams-consumer-alerts" target="_blank" rel="noopener"><em>Tax Scams and Consumer Alerts</em></a> on IRS.gov. Additional information about tax scams is available on <a href="https://www.irs.gov/newsroom/irs-social-media" target="_blank" rel="noopener"><em>IRS social media sites</em></a>, including YouTube videos.</p>
<p>&nbsp;</p>
<h3>More information:</h3>
<h4><em><a href="https://www.irs.gov/taxpayer-bill-of-rights" target="_blank" rel="noopener">Taxpayer Bill of Rights</a></em></h4>
<p><em><strong>Tax Time Guide: American Rescue Plan changes can boost refunds for many families; people should file even if they haven’t for years</strong></em></p>
<p>In IRS Release 2022-29, dated February 8, 2022, the IRS provided this information on refunds:</p>
<p>The Internal Revenue Service today urged Americans to file a 2021 federal income tax return so they can take advantage of key tax benefits included in the American Rescue Plan and other recent legislation.</p>
<p>Often, individuals and families <a href="https://www.irs.gov/help/ita/does-my-childdependent-qualify-for-the-child-tax-credit-or-the-credit-for-other-dependents" target="_blank" rel="noopener"><em>can get these expanded tax benefits</em></a>, even if they have little or no income from a job, business or other source. This means that many people who don’t normally need to file a return should consider doing so this year. Because claiming these benefits could result in tax refunds for many people, individuals should <a href="https://www.irs.gov/filing/e-file-options" target="_blank" rel="noopener"><em>file an accurate return electronically</em></a> and choose <a href="https://www.irs.gov/refunds/get-your-refund-faster-tell-irs-to-direct-deposit-your-refund-to-one-two-or-three-accounts" target="_blank" rel="noopener"><em>direct deposit</em></a> to avoid processing delays and speed delivery of their refund.</p>
<p>&nbsp;</p>
<h3>Expanded tax benefits</h3>
<p>A new fact sheet, <a href="https://www.irs.gov/newsroom/irs-expanded-credits-for-families-highlight-tax-changes-for-2021-many-people-who-dont-normally-file-should-file-this-year" target="_blank" rel="noopener"><em>FS-2022-10</em></a>, available now on IRS.gov, describes many of these expanded tax benefits. But the IRS emphasized that these benefits are only available to people who file a 2021 federal income tax return. Benefits include:</p>
<p>An expanded <a href="https://www.irs.gov/credits-deductions/2021-child-tax-credit-and-advance-child-tax-credit-payments-frequently-asked-questions" target="_blank" rel="noopener"><em>Child Tax Credit</em></a>: Families can claim this credit, even if they received monthly advance payments during the last half of 2021.</p>
<p>An increased <a href="https://www.irs.gov/credits-deductions/individuals/child-and-dependent-care-credit-information" target="_blank" rel="noopener"><em>Child and Dependent Care Credit</em></a>: Families who pay for daycare so they can work or look for work can get a tax credit worth up to $4,000 for one qualifying person and $8,000 for two or more qualifying persons.</p>
<p>A more generous <a href="https://www.irs.gov/credits-deductions/individuals/earned-income-tax-credit-eitc" target="_blank" rel="noopener"><em>Earned Income Tax Credit</em></a>: The American Rescue Plan boosted the EITC for childless workers. There are also changes that can help low- and moderate-income families with children.</p>
<p>The <a href="https://www.irs.gov/newsroom/recovery-rebate-credit" target="_blank" rel="noopener"><em>Recovery Rebate Credit</em></a>: Those who missed out on last year’s third round of Economic Impact Payments (EIP3), also known as stimulus payments, may be eligible to claim the RRC. This credit can also help eligible people whose EIP3 was less than the full amount, including those who welcomed a child in 2021.</p>
<p><a href="https://www.irs.gov/newsroom/expanded-tax-benefits-help-individuals-and-businesses-give-to-charity-during-2021-deductions-up-to-600-available-for-cash-donations-by-non-itemizers" target="_blank" rel="noopener"><em>A deduction for gifts to charity</em></a>: The majority of taxpayers who take the standard deduction can deduct eligible cash contributions they made during 2021. Married couples filing jointly can deduct up to $600 in cash donations and individual taxpayers can deduct up to $300 in donations. In addition, itemizers who make large cash donations often qualify to deduct the full amount in 2021.</p>
<p>See the fact sheet for more information.</p>
<p>The IRS reminds early filers that by law, the agency cannot issue EITC refunds before mid-February. The same rule applies to refunds that include the Additional Child Tax Credit (ACTC). This year, the ACTC is typically claimed by Americans abroad who did not have a main home in the United States for more than half of 2021. Normally, the mid-February restriction does not apply to the Refundable Child Tax Credit (RCTC) claimed by people who had a main home in the U.S., unless they also claim the EITC.</p>
<p>&nbsp;</p>
<h3>Helpful reminders</h3>
<p>The IRS urges everyone to make sure they have all their year-end statements in hand before filing their 2021 return. Besides all W-2s and 1099s, this includes two statements issued by the IRS &#8212; <a href="https://www.irs.gov/individuals/understanding-your-letter-6419" target="_blank" rel="noopener"><em>Letter 6419</em></a>, showing their total advance Child Tax Credit payments, and Letter 6475, showing their total EIP3 payments. Individuals can also use <a href="https://www.irs.gov/payments/your-online-account" target="_blank" rel="noopener"><em>IRS Online Account</em></a> to see the total amounts of their third round of Economic Impact Payments or advance Child Tax Credit payments. Married spouses who received joint payments will each need to sign into their own account to retrieve their separate amounts.</p>
<p>For most Americans, the <a href="https://www.irs.gov/help/ita/what-is-the-due-date-of-my-federal-tax-return-or-am-i-eligible-to-request-an-extension" target="_blank" rel="noopener"><em>tax-filing deadline</em></a> is April 18, 2022. For residents of Maine and Massachusetts, the deadline is April 19, 2022. For Americans who live and work abroad, it’s June 15, 2022. Anyone who needs more time to file can get an <a href="https://www.irs.gov/forms-pubs/extension-of-time-to-file-your-tax-return" target="_blank" rel="noopener"><em>automatic extension</em></a> until Oct. 17, 2022.</p>
<p>Taxpayers can find answers to questions, forms and instructions and easy-to-use tools online at IRS.gov. They can use these resources to get help when it’s needed at home, at work or on the go.</p>
<p>This news release is part of a series called the <a href="https://www.irs.gov/newsroom/tax-time-guide" target="_blank" rel="noopener"><em>Tax Time Guide</em></a>, a resource to help taxpayers file an accurate tax return. Additional help is available in <a href="https://www.irs.gov/publications/p17" target="_blank" rel="noopener"><em>Publication 17</em></a>, Your Federal Income Tax.</p>
<p>I’ll be sure to provide additional Agency Updates in the next issue of The Statement! ##</p></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
<p>The post <a href="https://advancedbenefitconsulting.com/march-2022-hipaa-privacy-security-and-other-hhs-ocr-related-federal-updates/">March 2022 HIPAA Privacy &#038; Security And Other HHS/OCR &#038; Related Federal Updates</a> appeared first on <a href="https://advancedbenefitconsulting.com">Advanced Benefit Consulting</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>CAA’s No Surprises Act IFRs Spark Administrative Questions and Industry Concerns While Awaiting Further Guidance</title>
		<link>https://advancedbenefitconsulting.com/caas-no-surprises-act-ifrs-spark-administrative-questions-and-industry-concerns-while-awaiting-further-guidance/</link>
		
		<dc:creator><![CDATA[Healthcare Benefits Specialist]]></dc:creator>
		<pubDate>Thu, 16 Sep 2021 21:46:54 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Cal Broker]]></category>
		<category><![CDATA[Feature Article]]></category>
		<category><![CDATA[Legislative Update]]></category>
		<category><![CDATA[Published Articles]]></category>
		<category><![CDATA[The STATEment]]></category>
		<category><![CDATA[CAA]]></category>
		<category><![CDATA[legislation]]></category>
		<category><![CDATA[No Surprises Act]]></category>
		<category><![CDATA[policy]]></category>
		<guid isPermaLink="false">https://advancedbenefitconsulting.com/?p=5520</guid>

					<description><![CDATA[<p>The post <a href="https://advancedbenefitconsulting.com/caas-no-surprises-act-ifrs-spark-administrative-questions-and-industry-concerns-while-awaiting-further-guidance/">CAA’s No Surprises Act IFRs Spark Administrative Questions and Industry Concerns While Awaiting Further Guidance</a> appeared first on <a href="https://advancedbenefitconsulting.com">Advanced Benefit Consulting</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_2 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_4">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_6  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_9  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><h3>By: Dorothy Cociu, RHU, REBC, GBA, RPA, LPRT</h3>
<p>President, Advanced Benefit Consulting &amp; Insurance Services, Inc.</p></div>
			</div>
			</div>
				
				
				
				
			</div><div class="et_pb_row et_pb_row_5">
				<div class="et_pb_column et_pb_column_1_3 et_pb_column_7  et_pb_css_mix_blend_mode_passthrough">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_10  et_pb_text_align_center et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><a href="https://www.camsdev.net/CAHU/Magazine/Sept-Oct-2021/" target="_blank" rel="noreferrer noopener">Read article in Sep-Oct issue of The STATEment</a></div>
			</div><div class="et_pb_module et_pb_image et_pb_image_3">
				
				
				
				
				<a href="https://www.camsdev.net/CAHU/Magazine/Sept-Oct-2021/" target="_blank"><span class="et_pb_image_wrap "><img loading="lazy" decoding="async" width="600" height="776" src="https://advancedbenefitconsulting.com/wp-content/uploads/STATEment-Cover-Sep-Oct-2021-600.jpg" alt="The Statement article on No Surprises Act" title="STATEment-Cover-Sep-Oct-2021-600" srcset="https://advancedbenefitconsulting.com/wp-content/uploads/STATEment-Cover-Sep-Oct-2021-600.jpg 600w, https://advancedbenefitconsulting.com/wp-content/uploads/STATEment-Cover-Sep-Oct-2021-600-480x621.jpg 480w" sizes="(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) 600px, 100vw" class="wp-image-5533" /></span></a>
			</div>
			</div><div class="et_pb_column et_pb_column_1_3 et_pb_column_8  et_pb_css_mix_blend_mode_passthrough">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_11  et_pb_text_align_center et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p><a href="https://issuu.com/californiabrokermagazine/docs/calbroker_oct_2021_issue" target="_blank" rel="noreferrer noopener">Read article Part 1 in Oct issue of California Broker</a></p></div>
			</div><div class="et_pb_module et_pb_image et_pb_image_4">
				
				
				
				
				<a href="https://issuu.com/californiabrokermagazine/docs/calbroker_oct_2021_issue" target="_blank"><span class="et_pb_image_wrap "><img loading="lazy" decoding="async" width="600" height="781" src="https://advancedbenefitconsulting.com/wp-content/uploads/Cal-Broker-Oct-2021-No-Surprises-Act.jpg" alt="California Broker No Surprises Act" title="Cal-Broker Oct 2021 No Surprises Act" srcset="https://advancedbenefitconsulting.com/wp-content/uploads/Cal-Broker-Oct-2021-No-Surprises-Act.jpg 600w, https://advancedbenefitconsulting.com/wp-content/uploads/Cal-Broker-Oct-2021-No-Surprises-Act-480x625.jpg 480w" sizes="(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) 600px, 100vw" class="wp-image-5709" /></span></a>
			</div>
			</div><div class="et_pb_column et_pb_column_1_3 et_pb_column_9  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_12  et_pb_text_align_center et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><a href="https://www.calbrokermag.com/in-this-issue/caas-no-surprises-act-part-2/" target="_blank" rel="noreferrer noopener">Read article Part 2 in Nov issue of California Broker</a></div>
			</div><div class="et_pb_module et_pb_image et_pb_image_5">
				
				
				
				
				<a href="https://www.calbrokermag.com/in-this-issue/caas-no-surprises-act-part-2/" target="_blank"><span class="et_pb_image_wrap "><img loading="lazy" decoding="async" width="600" height="779" src="https://advancedbenefitconsulting.com/wp-content/uploads/California-Broker-December2021_600.jpg" alt="California Broker magazine Dec 2021" title="California Broker December2021_600" srcset="https://advancedbenefitconsulting.com/wp-content/uploads/California-Broker-December2021_600.jpg 600w, https://advancedbenefitconsulting.com/wp-content/uploads/California-Broker-December2021_600-480x623.jpg 480w" sizes="(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) 600px, 100vw" class="wp-image-5794" /></span></a>
			</div>
			</div>
				
				
				
				
			</div><div class="et_pb_row et_pb_row_6">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_10  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_13  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><!-- divi:column --></p>
<div class="wp-block-column">
<p><!-- divi:paragraph --></p>
<p><!-- /divi:paragraph --></p>
</div>
<p><!-- /divi:column --></p>
<p><!-- /divi:columns --></p>
<p><!-- divi:buttons --></p>
<div class="wp-block-buttons">
<p><!-- divi:button {"backgroundColor":"vivid-cyan-blue","textColor":"white","className":"is-style-fill"} --></p>
<div class="wp-block-button is-style-fill"><a class="wp-block-button__link has-white-color has-vivid-cyan-blue-background-color has-text-color has-background" href="https://advancedbenefitconsulting.com/wp-content/uploads/Article-No-Surprises-Act-Final-ABC-web-version.pdf">Download pdf copy of this article</a></div>
<p><!-- /divi:button --></p>
</div>
<p><!-- /divi:buttons --></div>
			</div><div class="et_pb_module et_pb_text et_pb_text_14  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p><!-- divi:paragraph --><strong>We’ve all been there</strong>, or know someone close to us that has, or for health agents, you’ve seen this from the clients we all serve. You need healthcare, you see a doctor or go to an emergency room. You may even be hospitalized. If it’s an emergency, you go to the nearest emergency room, which may or may not be part of your health plan’s network. Even if the ER is part of the network, you are seen by an ER doctor, who it turns out, is not part of the network. Or you have surgery, and although the surgery center may be a network facility, the surgeon or assistant surgeon, or more commonly, the anesthesiologist or radiologist, is not. You go about your life, you pay your co-pays or coinsurance, and think everything will be fine, because after all,<em> you have insurance!</em> One day, you come home from work, check your mail, and there is an envelope with a medical provider’s address on it. You open it, thinking it’s only a confirmation of the insurance payment, or a copy of the plan’s EOB or something. And then, as you’re staring at the black and white in front of you, the text becomes blurred, you start to feel tunnel-vision coming on, because you’re staring at a bill from the provider that says you owe $800+ dollars, even though your most recent EOB that you received says that the bill was paid by your health plan. After the initial shock, you think it’s a mistake, so you wait until the next day and call your health plan, and you discover that the health plan has paid everything it was supposed to pay, so the provider has “balanced billed” you the difference between the billed charge and the amount paid by your health plan.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph --><br />Imagine now (or recall from personal experience if it’s happened to you) a similar situation after you were hospitalized for a major surgery. There was only one hospital near you, or perhaps they had to move you to a hospital that specializes in the type of care you need. You thought you did all of the right things. You had the surgery or procedure pre-authorized, and again, you thought everything would be fine after you pay your co-pays or coinsurance, because once again, <em>you have insurance! </em>And then it arrives in the mail… that “surprise” bill that says that you owe $47,500 for your recent hospitalization or surgery expenses. <em>This time, it’s not just tunnel-vision; it is panic. </em>Your body is drenched in sweat and you are visibly starting to shake, because you don’t have $47,500 right now to pay for this! As someone who in my past ran a third party administrator and has seen many, many balance bills, I will tell you that I’ve seen balance bills of over $125,000 for hospitals and over $75,000 for air ambulance charges, and I’ve heard of them up to $100,000!</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph --><br />Some people actually ended 2020 and began 2021 in a positive financial position, because they were able to keep their jobs during the pandemic, and because you were stuck at home, you didn’t spend much, so your bank account balance is higher than normal. But for many, it’s been a tough financial 18+ months. COVID has impacted our lives in so many ways, including, in many cases, our income. We may feel lucky that we didn’t lose our jobs, but basic expenses, like the cost of buying a home, the cost of fuel for your vehicle, and the cost of groceries we need have all increased, and our pay has decreased or stayed the same. Or perhaps you were laid off, and you’re now just starting to get back on your feet, but it seems like everything you do or need to buy is now more expensive. Your savings account has decreased, or perhaps been depleted.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph --><br />Whatever your financial position may look like right now, none of us wants a surprise medical bill. The good news on that front is that recent federal actions, it is hoped, will stop these sorts of provider practices from happening in the future.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph --><br />For some time, many in the health insurance industry have asked for two important pieces of legislation: transparency in health care costs, and control of providers that “balance bill” their patients, after insurance payments and normal plan co-payments and coinsurance have been paid, for an amount in excess of the expected or “usual and customary” or “reasonable” amount. This “Surprise Billing” practice is so common that it has become almost the norm. It’s definitely one of the most important issues in the healthcare industry in the minds of consumers, and therefore, the legislators. Recent legislation on both of these items will soon be in effect. With new legislation, as we all know, often comes confusion and misunderstanding. I will attempt today to break these rules down for you in understandable terms.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph --><br />On July 1, 2021, federal departments (HHS, DOL and Treasury, as well as the Office of Personnel Management (OPM)) released an interim final rule (IFR) with a comment period on the No Surprises Act (NSA – if you choose to use an acronym, and not the National Security Administration, which could get confusing), which is part of the Consolidated Appropriations Act (CAA) of 2021, one of the largest pieces of legislation in the health care and insurance industry since the ACA, and it goes into effect on January 1, 2022. This rule is entitled “Requirements Related to Surprise Billing: Part 1.” This was followed by Frequently Asked Questions (FAQs) in late August, which dove into many provisions of the No Surprises Act and Transparency in Coverage rules.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:heading {"level":3} --></p>
<h3>Background</h3>
<p><!-- /divi:heading --></p>
<p><!-- divi:paragraph -->Most health plans, whether they are group plans, individual plans, a Marketplace plan or Medicare plans, offer a network of providers and facilities (your PPO or EPO network – or “in-network” providers) that agree to accept payment at an established, contracted rate. Non-network providers generally charge higher amounts, as there is no contracted rate established in advance for that service or stay. In many cases, the out-of-network provider may balance-bill the patient for the difference between the billed charge and the amount that the health plan or insurance has paid, unless it’s prohibited by state law. Balance bills can happen in both emergency and non-emergency care.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph --><br />In the case of an emergency, as briefly described above, the patient usually goes to the nearest emergency room. In many cases, although the ER is a network-contracted facility, many of the providers that work inside of that facility may not be part of those networks. Emergency rooms are often staffed by independent contractors or doctors who belong to few networks; they are frequently non-negotiated third parties, providing services such as anesthesiology, pathology, radiology, rehabilitative care, physical therapy, or neonatology. In many cases, the patient has no control over the physician or other provider inside those facilities. When I was managing a TPA some years ago, we called these “forced providers.” It’s unfortunate, but common, and even more so because most consumers do not routinely ask their providers inside of an emergency room or hospital if they are contracted… Perhaps a good practice may be to ask simply, “who pays you?” Let’s face it… Most people are too concerned with getting care in an emergency situation, and family members are too concerned about their loved ones to ask those basic questions. The result is often a balance bill.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph --><br />We also see this often in the event that you need an air ambulance… you generally do not have the ability to select an air ambulance from a network provider directory. Air ambulance companies have notoriously over-charged in many circumstances.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph --><br />It’s important to note that surprise bills usually do not count toward your deductibles or out-of-pocket maximums, which many people do not understand.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph --><br />According to CMS (Fact Sheet – Requirements Related to Surprise Billing: Part 1 Interim Final Rule with Comment Period, July 1, 2021):<br />• A recent study found that payments made to providers by people who got a surprise bill for emergency care were more than 10 times higher than those made by other individuals for the same care.<br />• 9% of individuals who got surprise bills paid more than $400 to providers, which may result in financial distress for consumers, given recent findings that show 40% of Americans struggle to find $400 to pay for an unexpected bill.<br />• Studies have shown that in the period from 2010-2016, more than 39% of emergency department visits to in-network hospitals resulted in an out-of-network bill, increasing to 42.8% in 2016. During the same time, the average amount of a surprise medical bill also increased from $220 to $628.<br />• Although some states have enacted laws to reduce or eliminate balance billing, these efforts have created a patchwork of consumer protections. Even in a state that has enacted protections, they typically only apply to individuals enrolled in insured health insurance coverage, as federal law generally preempts state laws that regulate self-insured group health plans sponsored by private employers. In addition, states have limited power to address surprise bills that involve an out-of-state provider.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph --><br />It is important to understand that the provisions of the No Surprises Act relate back to former ACA requirements, such as the requirement of plans to reimburse emergency services at a rate at least the amount that would have been paid in-network, regardless of whether or not there was a network in place. The ACA did not, however, prevent the out-of-network emergency room from any sort of balance billing.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph --><br /><em>The interim final rules generally apply to group health plans and health insurance issuers offering group or individual coverage, including grandfathered health plans, effective January 1, 2022. The No Surprises Act does not apply to retiree-only plans, excepted benefits, short-term limited-duration plans, Health Reimbursement Accounts (HRAs), flexible spending accounts (FSAs) or health savings accounts (HSAs).</em></p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:heading {"level":3} --></p>
<h3>What Is the Intention of The No Surprises Act?</h3>
<p><!-- /divi:heading --></p>
<p><!-- divi:paragraph -->The No Surprises Act was passed in December 2020, as part of the Consolidated Appropriations Act of 2021, and goes into effect, as mentioned above, on January 1, 2022. The intention of the law is to protect consumers from the types of balance-billing or surprise billing practices described above. The No Surprises Act focuses on billing practices in certain non-network situations by limiting the amount of the bill to the amount that would have been payable under an in-network arrangement. This piece of legislation was bipartisan, which is not exactly common in Washington in recent years. That tells you that everyone seems to agree on the intent… To protect consumers from these horrendous and detestable provider practices. However, I do want to mention up front that although this legislation, as it stands now, protects consumers from these practices in non-network situations, it may not fully protect self-funded health plans when they use financing methods such as reference-based pricing, which I will address later in this article.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:heading {"level":3} --></p>
<h3>Summary of The No Surprises Act’s Interim Final Rules (IFR)</h3>
<p><!-- /divi:heading --></p>
<p><!-- divi:paragraph -->Protections addressed in the No Surprises Act apply primarily to emergency services, non-emergency services delivered by out-of-network providers at an in-network facility, and out-of-network air ambulance services.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph --><br />If a plan or health insurance coverage provides for any benefits for emergency services, this rule requires emergency services to be covered without any prior authorization, regardless of whether the provider is an in-network or out-of-network emergency facility. In addition, plans must cover emergency services regardless of other terms or conditions of the plan or health coverage, other than exclusions due to coordination of benefits or any waiting period.<br />The interim final rule limits cost sharing for out-of-network services to the amount that would be paid in-network, and requires such cost sharing to count toward any in-network deductibles and out-of-pocket maximums. Most importantly, it prohibits balance billing.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph --><br />The IFR states that these limitations apply to out-of-network emergency services, air ambulance services furnished by out-of-network providers, and certain non-emergency services furnished by out-of-network providers at certain in-network facilities, including hospitals and ambulatory surgical centers.<br />Specific provisions of the No Surprises Act prohibit out-of-network services from being subject to cost-sharing requirements greater than those that apply in-network, and limit cost sharing as if the total amount billed for the services were equal to the “recognized amount.” Commonly, in an out-of-network scenario, this has been limited to the Usual, Customary &amp; Reasonable (UCR) amount. Under the No Surprises Act IFR, the amount must be calculated based on one of the following amounts:<br />• An amount determined by an applicable All-Payer Model Agreement under section 1115A of the Social Security Act.<br />• If there is no such applicable All-Payer Model Agreement, an amount determined under a specific state law.<br />• If neither of the above apply, the lesser of either the billed charge or the “qualifying payment amount” (or QPA), which is generally the plan or issuer’s median contracted rate. (We now have a new industry acronym – QPA – for qualifying payment amount, just in case you are confused).</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph --><br />According to the IFR, the All-Payer Model Agreement is an agreement between the Centers for Medicare &amp; Medicaid Services (CMS) and a state to test and operate systems of all-payer payment reform for the medical care of residents of the state under the authority of Section 1115A of the Social Security Act, and it may be voluntary or mandatory for a given payer.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph --><br />Emergency services also include any post-stabilization services, unless all of the following conditions are met:<br />• The treating provider determines the patient is able to travel using non-medical transportation to an available provider or facility;<br />• The provider or facility provides notice and obtains consent;<br />• The patient is in a condition to receive the information and provide informed consent;<br />• The provider or facility satisfies any additional requirements or prohibitions under state law.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:heading {"level":3} --></p>
<h3>Employer/Plan Sponsor Concerns</h3>
<p><!-- /divi:heading --></p>
<p><!-- divi:paragraph -->Employers are just now starting to realize that all of the provisions of the No Surprises Act will impact them. I asked our attorney, Marilyn Monahan of Monahan Law Offices, what she thinks are the most important/impactful sections that affect employers and their insured participants. Marilyn responded as follows:<br />a. “The restrictions on surprise billing for out-of-network emergency and non-emergency services will be good news to many participants who have experienced—or who are worried about experiencing—surprise medical bills. During open enrollment, employers should consider the most effective way to explain these new rules, so that participants understand when and how they apply.<br />b. The new restrictions on ancillary services provided in conjunction with a non-emergency visit to an in-network facility (such as anesthesiology, pathology, radiology, and diagnostics) will also be good news, since the definition of ‘ancillary services’ encompasses a broad range of services that have often been the basis for surprise bills in the past.<br />c. Employers with self-funded plans should review their plan documents to ensure that the terms are consistent with the IFR. These employers should also communicate with their TPA to ensure that the TPA will be prepared to administer benefits according to the new rules as of the applicable effective date and make any amendments to their services agreement that may be necessary. In fact, a detailed conversation with the TPA about the implementation process for the many provisions in the CAA that impact health and welfare plans is essential.”</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:heading {"level":3} --></p>
<h3>Administrative Concerns &amp; Confusion Over the No Surprises Act</h3>
<p><!-- /divi:heading --></p>
<p><!-- divi:paragraph -->The No Surprises Act throws confusion into the claims payment industry by requiring that coverage be provided without limiting what constitutes an emergency medical condition solely on the basis of diagnosis codes, such as the ICD-10 codes, which are in common use in claims adjudication. <strong><em>The federal departments appear to have expressed their disapproval of claims practices which do not look at all of the facts and circumstances, relying solely on the diagnosis codes to determine if a claim is eligible for payment. Many plans and claims administrative practices will automatically deny an emergency claim, for example, based on a pre-determined list of final diagnosis codes without regard to the actual symptoms being presented to them at the time of care. It is often only following claim denial that a plan or claims administrator will review all of the facts, and generally upon a formal (but sometimes informal) appeal.</em></strong></p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph --><br />If you review the term “emergency medical condition,” it refers to a medical condition manifesting itself by acute symptoms of sufficient severity (including severe pain) such that a prudent layperson who possesses an average knowledge of health and medicine could reasonably expect it to either 1) place their health in serious jeopardy, 2) seriously impair bodily functions, or 3) cause serious dysfunction of a bodily organ or part. In general, it requires a plan to consider anything a prudent layperson should consider, given all documentation and all symptoms, without relying solely on an ICD-10 code. This includes mental health and substance abuse disorders. Plans must ultimately determine whether the standard was met by reviewing presenting symptoms, without imposing any type of time limit between onset and presentation for emergency care.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph --><br />I asked Marilyn what she thinks plan sponsors and administrators need to focus on to apply this prudent layperson standard in an emergency situation. Marilyn responded: “If the plan documents apply a different standard to claims for emergency services, amendments will have to be made. The TPA’s claims procedure manual and processes must also be updated. The TPA should also consider this guidance from the preamble: ‘the determination of whether the prudent layperson standard has been met must be based on all pertinent documentation and be focused on the presenting symptoms (and not solely on the final diagnosis).’ Based on this reminder, the revised claims procedures should also include, as necessary, updated record keeping requirements that will enable the plan to prove that it has satisfied the new legal standard in each case. The emphasis placed on the prudent layperson standard in the preamble to the regulations implies that this issue may be a priority for the Departments. (86 Fed. Reg. 36872, 36879-36880.)”</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph --><br />In relation to the administrative and legal process for plans, including plan documents and plan communications, Marilyn continued: “The Surprise Billing IFR—along with the other provisions of the CAA applicable to health and welfare plans—place many new obligations on plans and issuers. Employers with fully insured plans should communicate with their carriers to ensure the carrier’s intent to comply on time. Employers with self-funded plans have more work to do. The changes created by the CAA will probably require changes to plan documents, ID cards, provider directories, and more. They may also require changes to the terms of TPA contracts and claims processing manuals. Employers should be prepared to discuss with their TPA who will be responsible for implementing each relevant section of the CAA, and the timeframe for implementation. Employers should also consider whether any changes need to be made to the written contract with the TPA, including adjustments in cost, scope of services, indemnification, and other key clauses.”</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph --><br />Some plans and administrators may be concerned that if they can’t control costs by using strict ICD-10 codes, what can plans and administrators do to control the cost of health care, particularly in a self-funded health plan? Plans may have to find alternate ways of reducing or maintaining costs, such as higher ER copays or coinsurance, raising deductibles, or having additional deductibles for ER services. Other ways of keeping ER costs down in a health plan are to educate your employees on more cost-effective steps prior to walking into an emergency room. This would include things like using Urgent Care Centers instead of high-cost emergency rooms, or, for many services that are not life-threatening, implementing new Telehealth options or encouraging plan participants to use existing ones.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:heading {"level":3} --></p>
<h3>Qualifying Payment Amount – QPA – Applications to Self-Funded Health Plans</h3>
<p><!-- /divi:heading --></p>
<p><!-- divi:paragraph -->The definition of a qualifying payment amount and its applications to the marketplace are a bit confusing… particularly in the self-funded market. The QPA is defined as the median of the in-network (or contracted) rate in a geographic area, and it applies in other portions of the law, including as the baseline factor that an arbiter may consider when determining the final amount to be paid under the new federally-established independent dispute resolution process (IDR – yes, another new acronym).</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph --><br />Another important self-funded consideration is that ERISA must always pre-empt state surprise billing laws when applied to self-funded plans. The IFR allows the option for self-funded plans to voluntarily opt-in to a state law.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph --><br />Under the No Surprises Act, when a self-funded plan and an out-of-network provider cannot agree on a rate, they must go through an independent dispute resolution process. The IFR stated that a median contract rate should be determined by taking into account every group health plan offered by the self-insured plan sponsor. The IFR allows for administrative simplicity for self-funded plans to permit the TPA who processes their claims to determine the QPA for the plan sponsor by calculating the median contract rate based on all of the plans that it processes and administers claims for. The IFR states that the contracted rates between providers and the network provider for the health plan would be treated as the self-insured plan’s contracted rates for purposes of calculating the QPA.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph --><br />Third Party Administrators will find the No Surprises Act quite complicated, and frankly, quite expensive to administer. TPAs will need to set up their claims payment systems to administer the QPA. Most self-funded health plan sponsors will rely on their TPAs to assist them with all of the No Surprises Act requirements, and it will likely be the norm for TPAs to assist self-insured plans with the Model Notice that is required. Ultimately, the No Surprises Act will be costly to administer for TPAs. They will need to determine the QPA, which will not be easy and will not be cheap in most cases. In addition, TPAs will need to understand the implications of the ER services determination and take the extra steps up front to examine more documentation and understand symptoms, rather than initially denying a claim, and all of that will cost more: in claims adjudication training, in system adjustments, and more. Not to mention the QPA’s independent dispute resolution process. <em>What this means to self-funded employers is that they should expect their claims fees to increase due to the No Surprises Act.</em></p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph --><br />The geographic regions used to determine the contracted rates will follow the metropolitan statistical areas (MSA) used by both Medicare and the U.S. Census. The IFR includes the “rule of three” expansion, meaning that if a plan cannot identify three rates to determine a median rate within an MSA, then the plan is permitted to increase the size of the MSA to include the state as a single region.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph --><br />The IFR issued clear guidelines for steps to be taken in order to determine the appropriate rate, using primarily databases. This piece ties in directly with the Transparency rules, which were in part also addressed in the IFRs. One important provision that was included in the IFR addressed self-insurance industry concerns related to the possibility of conflicts of interest while using databases. The IFR states that the organization maintaining the database cannot be affiliated with, controlled by, or owned by any health insurance issuer, provider, or healthcare facility.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph --><br />Although the IFR did not address all self-funded concerns, the rules did, for the most part, follow comments made by industry associations such as the Self-Insurance Institute of America (I am a member of this association). Overall, the self-funded industry seems pleased with the initial set of rules and is anxiously awaiting additional guidance.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph --><br />From an administrative perspective, many of the requirements were not addressed in Part 1, but we’re hoping those will follow soon in expected fall rules and guidance. We are expecting more guidance on the arbitration/IDR process to be released in early September.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:heading {"level":3} --></p>
<h3>Independent Dispute Resolution (IDR) Process</h3>
<p><!-- /divi:heading --></p>
<p><!-- divi:paragraph -->Although I mentioned the IDR above, I wanted to come back to it and explain a bit more about how this will work. Under the Interim Final Rules (IFR), if a payer, such as a carrier or health plan, cannot resolve a payment settlement with a provider, then the payer and provider must resolve the payment dispute using methods of negotiation and arbitration. The No Surprises Act requires payers to send an initial payment or denial of payment of a claim no later than 30 days after a claim is submitted. After the 30-day period, either party may begin negotiations on a claim. If the parties involved cannot agree on payment terms during the 30-day period, then they will move to an Independent Dispute Resolution (IDR) process. This process may be initiated within 4 days after the end of the 30-day open negotiation period (for a 34-day window). Each entity will offer a final payment amount and then the arbiter will use a variety of factors to determine the final amount, including geographic areas, service codes, etc. The intent is to make it fair to both parties.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph --><br />Under the IDR process, the arbiter is not allowed to consider lower payment rates such as Medicare or Medicaid rates.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph -->The good news is that the IDR does not impact the consumer or plan participant. The dispute is between the provider and the health plan. The provider has no recourse against the consumer, and therefore, it is not an adverse benefit determination.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph -->The agencies will issue the IDR process by December 27, 2021, so we can expect a happy holiday season…</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:heading {"level":3} --></p>
<h3>Facility/Provider Notices</h3>
<p><!-- /divi:heading --></p>
<p><!-- divi:paragraph -->There are two notice requirements for Facilities and Providers. The first is the Patient Consent for Out-of-Network Care, which requires providers and facilities to provide a notice to a patient regarding potential out-of-network care. The patient must consent to such out-of-network care and any additional costs that may be incurred. However, there are exceptions. <em><strong>A patient is not required to sign the form and should not sign it if they didn’t have a choice of health care providers when they received care (i.e. a forced provider).</strong></em></p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph -->There is also a Public Notice requirement for facilities and providers to post a one-page notice on a public website. The Model Disclosure Notice Regarding Patient Protection Against Surprise Billing is required under Section 2799B-3 of the Public Service Act. A provider must make publicly available such notice by posting it on a public website of the provider or facility, and provide a one-page notice that includes information in a clear and understandable language on 1) the restrictions on providers and facilities regarding balance billing in certain circumstances, 2) any applicable state law protections against balance billing, and 3) information on contacting appropriate state and federal agencies in the case that an individual believes that a provider or facility has violated the restrictions against balance billing.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph -->The Model Notices can be found at: <a href="https://www.cms.gov/httpswwwcmsgovregulations-and-guidancelegislationpaperworkreductionactof1995pra-listing/cms-10780" target="_blank" rel="noreferrer noopener">https://www.cms.gov/httpswwwcmsgovregulations-and-guidancelegislationpaperworkreductionactof1995pra-listing/cms-10780</a>.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:heading {"level":3} --></p>
<h3>Health Insurance and Health Plan Notice</h3>
<p><!-- /divi:heading --></p>
<p><!-- divi:paragraph -->Health insurers and Health Plans must provide a notice to individuals about their rights under the No Surprises Act. There is a Model Notice available on the DOL website (although it has been on and off the site a few times since I started researching for this article, so they could be updating it). The notice must be posted on the plan’s website and be included on each EOB for an item or service covered by the No Surprises Act. Although TPAs may assist in preparing this notice for self-funded plans, the plan sponsor has the ultimate responsibility for compliance. Plan participants can expect that their EOBs will become quite thick when they receive them in the mail, hence more administrative and postage costs as well.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph -->I asked Marilyn if a plan is self-insured and uses a TPA, is there coordination that is needed between the plan sponsors and the TPA about the notices that are included in the EOB? Do (or should) the Plan Sponsor’s notices have to be the same, consistent notices? I expressed to her my fear that the plan notice may differ from the TPA’s notice, causing some confusion and possible liability. Marilyn clarified: “The IFR contains new notice and posting requirements. For example, health care providers must provide certain notices to the plan or issuer, and additional notices to patients. Another notice and posting requirement applies to plans and issuers; plans/issuers must post and provide certain notices to participants, including a notice that should accompany explanations of benefits (EOB). Regulations have not yet been issued on the mandate applicable to plans/issuers. In the meantime, the Departments expect plans/issuers to comply using a ‘good faith, reasonable interpretation’ of the CAA. Also in the meantime, a model notice has been issued which may be used by plans/issuers. Ultimately, in the case of a self-funded plan, the responsibility for issuing compliant notices rests with the plan, and not the TPA. The employer should therefore work with its TPA to ensure that compliant notices are prepared and distributed, and that all legal requirements are satisfied.”</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:heading {"level":3} --></p>
<h3>No Surprises Act Impact on Self-Funded Health Plans Using Reference-Based Pricing</h3>
<p><!-- /divi:heading --></p>
<p><!-- divi:paragraph -->The No Surprises Act’s limitation on balance billing for services provided in an “in-network” facility by an out-of-network provider is likely to be quite problematic for self-funded plans that use Reference-Based Pricing as their financing method, in place of a PPO network. Because there is no network, and all claims are generally paid at a reference-based rate (most commonly a percentage above known Medicare Rates, such as 150% or 200% of Medicare), such self-funded health plans and their RBP vendors will need to discuss how they intend to deal with the No Surprises legislation, sooner rather than later.<br />Financing plans with reference-based pricing has grown in popularity over the last decade. However, as RBP has become more prevalent in the industry, hospital systems have become more knowledgeable about it, and at times, have refused payment entirely from RBP plans, and instead, have opted for immediate balance billing to all plan participants. In response to these provider actions, certain RBP vendors are struggling to produce solutions that will limit disruption to employers and employees while attempting to retain as much of the savings as RBP plans have been known for. RBP plans generally pay claims at a stated percentage above Medicare (such as 140%, 150%, 200%, etc.), while PPO contracts, although a great savings over non-contracted provider rates, generally result in (if compared to Medicare, which of course their rates are not based on) costs ranging from 300% to 800% of Medicare rates. Sadly, I’ve seen many initial bills from hospitals coming in at over 1,000% of Medicare rates when no network is in place.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph -->“Work-arounds” for RBP vendors have included (so far) one-off facility agreements, creating a networked facility, or single case agreements, which are often negotiated prior to the participant entering the facility for service. An example is a known procedure or surgery, such as an ACL reconstruction, hip replacement or other procedure. In these cases, some RBP vendors have opted to offer pre-payment to the facility, to encourage them to accept the patient at the RBP rate. There is concern, however, that such pre-negotiated rates could be perceived as a contracted rate, and may set precedents. One of the administrative concerns of this type of solution is the burden that would likely result from pre-negotiations, as well as a possible delay in service while negotiations are in the works.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph --><br />Another work-around may be direct provider contracts, but those will likely be limited to certain services only, and if providers end up providing additional services, they could opt to balance-bill for those additional services, which may or may not be prohibited under the No Surprises Act, depending on the type of service.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph --><br />Most in the self-insured industry who work with RBP plans assume that the level of payment for RBP plans may end up increasing to a higher percentage, still providing savings over PPO plans, but not at the wide difference we are seeing currently. Many of us are expecting payment levels to rise from the 140%-200% range to something more like 200% to 250% for normal facility payments, to cut back on the provider pushback and possible refusal to accept patients under RBP plans.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph --><br />Because we are still awaiting guidance, I asked two RBP vendors I work with about how they intend to deal with the No Surprises Act. When asked how HS Technologies, an RBP vendor based in Orange County, California, will adjust, President Ryan Day responded as follows: “The No Surprises Act impacts reference-based pricing programs with no facility network. The Interim Final Rule published in July specifically mentions these types of plans in the context of indemnity plans, acknowledging that the scope is limited to emergency facility and professional claims.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph --><br />If there is no facility network associated with a plan, there can’t be a scenario where a member is surprised by receiving services at an in-network facility from an out-of-network provider. This limited scope doesn’t apply when there are one-off agreements with a facility. Our reading of the rule made clear that these agreements would now make it a surprise bill if a member receives out-of-network care at a facility that has such an agreement.”<br />Ryan continued with additional solutions. “HST will be able to identify these surprise bill scenarios and, when the plan includes access to a MultiPlan network, ensure the plan administrator has the network QPA needed to determine the member’s cost share.” HST is now part of Multiplan, with contracted national networks such as PHCS and MultiPlan.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph -->I asked the same question of Larry Thompson, Chief Revenue &amp; Strategy Officer for AMPS, another RBP vendor. Larry stated: “There are many pieces to this. Our Chief Legal Counsel is working on a White Paper to address all of this, and I will provide it once it is complete. In the interim, here are a few things to consider. The Act does not specifically target RBP or repricing. While it does address OON, we are prepared to assist our clients who use us for this service. More to follow from our CLO.”</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph -->I also asked Ryan how they propose to bridge the gap if/when facilities refuse to accept payment entirely from RBP plans. Ryan replied: “HST has routinely experienced a 98% acceptance rate from providers, recognizing not only the fair reimbursement we generate, but also the benefits we can bring to high-accepting facilities. Our HST Connect application helps to steer plan members to those providers, delivering the steerage benefits they typically only expect from network participation. We also engage the provider at key points before service is rendered, to ensure they understand the plan benefits. Should the facility disagree with the reimbursement, our PAC program and settlement portal make it efficient for the provider to engage in the negotiation now required by the No Surprises Act. Any subsequent arbitration resulting from an inability to reach agreement will leverage the analytic and arbitration support services of MultiPlan to help our employers present the best case.”</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph --><br />Larry Thompson, when asked the same question, responded as follows: “Rarely does this happen – less than 1% of our members ever face this problem. When they do, our advocates work with the facility to explain how our program works, and in the majority of the cases, access is allowed. Failing that, we offer single case agreements so that the facility will allow service. Barring that, we can revert to safe harbor contracts we have in AMPS America, or redirect the service to another facility.”</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph --><br />I also asked Larry how the RBP vendor will coordinate these efforts with the TPA. “Our TPAs are the first line of contact for most members and providers,” responded Larry. “Through our integration the TPA will know when to transfer members to our Advocacy or Care Navigation teams to resolve any issues with providers.”</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph --><br />Lastly, I asked Ryan what types of plan changes/provisions they are recommending that plans using reference-based pricing add to their plan documents specifically related to the No Surprises Act. “We are considering adjusting the negotiation corridor to allow for settlement above the typical level for surprise bills, specifically ER claims. We are also looking at changing the default reimbursement for ER claims that are impacted by the No Surprises Act.”<br />Many questions related to RBP plans remain to be answered by the Departments in future guidance. We don’t know whether the Departments will treat pre-negotiated rates as contracted rates or “network” rates. Several industry groups are known to have asked the Departments for further guidance in this area, so we expect answers in the coming months.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:heading {"level":3} --></p>
<h3>Federal vs. State Balance Billing Laws</h3>
<p><!-- /divi:heading --></p>
<p><!-- divi:paragraph -->It is important to note that the No Surprises Act is not intended to displace any state balance billing laws. The issue of state vs. federal law is quite complex and I suggest you seek the advice of legal counsel on this. I will attempt to summarize just the basics of the interaction, but again, this is only a brief summary.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph -->The Interim Final Rules defer to existing state requirements with respect to state laws and states that have an established process in place to resolve payment disputes and allow for arbitration. Self-funded plans have the option to opt into a state law where payment standards of the state are expanded, with full protection against balance billing.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph --><br />Existing federal law says that the out-of-network provider must have a patient sign a consent to receive non-emergency services, but the state law might prohibit an individual from providing consent to be balance-billed. If a state develops model language that is consistent with the No Surprises Act, HHS will consider a provider or facility that makes appropriate use of the state-developed model language to be compliant with the federal requirement. Again, this is quite complex. I asked Marilyn Monahan if she could comment on the state of California’s balance billing laws and how they will interrelate with the No Surprises Act… “Existing state limits on balance billing – and California has some – will remain in effect for fully insured plans, to the extent that they provide participants with greater rights than they are entitled to under the CAA.”</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:heading {"level":3} --></p>
<h3>Enforcement</h3>
<p><!-- /divi:heading --></p>
<p><!-- divi:paragraph -->Enforcement of the No Surprises Act is similar to that of the Affordable Care Act. If a fully insured plan sponsor contracts with a third party, then the third party will be responsible for compliance. In a self-funded health plan, the employer plan sponsor will be responsible for compliance, even if they contract with a third party, such as a TPA, to assist them with providing all of the necessary requirements. The Department of Labor will regulate self-funded plans, and fully insured plans will be regulated by the states.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph --><br />As of now, it is stated that up to 25 health plan audits per year will be performed to ensure compliance with the Act, starting in 2022. If, however, the Departments should receive a consumer complaint, they can audit that consumer’s health plan.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:heading {"level":3} --></p>
<h3>Complaints</h3>
<p><!-- /divi:heading --></p>
<p><!-- divi:paragraph -->The No Surprises Act requires the Departments to establish a process for receiving complaints regarding potential violations of the law by providers and insurers. They announced their intention to create one system to intake all complaints related to the various components of the law and direct them to the various departments. The IFR clarifies that there will be no time-limit on complaint filing, but the relevant departments must respond in writing no later than 60 business days after a complaint is received. The regulations contained within the IFR are set to be effective on September 13, 2021, which is 60 days after its publication in the Federal Register.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:heading {"level":3} --></p>
<h3>Next Steps &amp; Conclusion</h3>
<p><!-- /divi:heading --></p>
<p><!-- divi:paragraph -->If you’re feeling stressed over these rules, or if just reading them is making you have that tunnel vision I mentioned in the beginning, or you begin to panic or sweat, remember to breathe, and remember, the goal of this legislation is to help people and prevent surprise billing practices. Anything new is often confusing and frustrating. Just take one step at a time and keep an eye out for the anticipated end game. Won’t it be nice to one day soon, not have to listen to the anxiety in your family member or your clients’ voices and angst in their eyes when they tell you they’ve received an unexpected, surprise medical bill? The No Surprises Act won’t help in every case, but it should help the majority of cases in which surprise medical bills show up in our mailboxes. Personally, I’m hoping they expand the No Surprises Act (or offer something similar) to cover other provider bills not covered under this legislation.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:paragraph --><br />We are anticipating additional guidance on many parts of the CAA and Transparency rules in the next few months. We expect rules on the IDR process (sections 103 and 105) around the first of September, as well as patient-provider dispute resolution (section 112), patient protections through transparency (section 112), and price comparison tools before the year is out. In addition, we are expecting guidance on the Broker Compensation Disclosure rules under the CAA around October of this year (although many parties, such as NAHU, have asked for a delay of implementation date until after the rules are released and brokers have time to review and implement the requirements). I expect that my next article will be focused on many of these new rules, so we can look forward (or not!) to that!</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:heading {"level":3} --></p>
<h3>Helpful Links</h3>
<p><!-- /divi:heading --></p>
<p><!-- divi:paragraph -->If you need/want additional information, you can visit the following links to assist you…<br />Interim Final Rule and Comment Period: CMS: <a href="https://www.cms.gov/files/document/cms-9909-ifc-surprise-billing-disclaimer-50.pdf" target="_blank" rel="noreferrer noopener">https://www.cms.gov/files/document/cms-9909-ifc-surprise-billing-disclaimer-50.pdf</a><br />Federal Register: <a href="https://www.federalregister.gov/documents/2021/07/13/2021-14379/requirements-related-to-surprise-billing-part-i" target="_blank" rel="noreferrer noopener">https://www.federalregister.gov/documents/2021/07/13/2021-14379/requirements-related-to-surprise-billing-part-i</a><br />CMS Fact Sheets: <a href="https://www.cms.gov/newsroom/fact-sheets/requirements-related-surprise-billing-part-i-interim-final-rule-comment-period" target="_blank" rel="noreferrer noopener">https://www.cms.gov/newsroom/fact-sheets/requirements-related-surprise-billing-part-i-interim-final-rule-comment-period</a><br /><a href="https://www.cms.gov/newsroom/fact-sheets/what-you-need-know-about-biden-harris-administrations-actions-prevent-surprise-billing" rel="sponsored nofollow">https://www.cms.gov/newsroom/fact-sheets/what-you-need-know-about-biden-harris-administrations-actions-prevent-surprise-billing</a><br />References: All of the links above, plus NAHU Webinar, “Surprise! An Overview of the First Balance Billing Interim Final Rule”, By Josh Gertz and Deanna Sizemore, July, 2021; “Interim Final Ruling for the No Surprises Act Meets Industry Approval,” The Self-Insurer, August, 2021.<br /><!-- /divi:paragraph --></p>
<p><!-- divi:heading {"level":3} --></p>
<h3>Author’s Note</h3>
<p><!-- /divi:heading --></p>
<p><!-- divi:paragraph -->I’d like to thank Marilyn Monahan, Ryan Day and Larry Thompson for their assistance with this article. I’d also like to thank NAHU for the informative webinar in July, which started me on the path to fully research this topic.</p>
<p><!-- /divi:paragraph --></p>
<p><!-- divi:heading {"level":3} --></p>
<h3>About the Author</h3>
<p><!-- /divi:heading --></p>
<p><!-- divi:paragraph -->Dorothy Cociu is the Vice President, Communications for the California Association of Health Underwriters and the President of Advanced Benefit Consulting &amp; Insurance Services, Inc., Anaheim, CA. She also hosts the Benefits Executive Roundtable Podcast series on many important educational topics. Other educational articles, educational classes and other important information can be found on her company’s website at <a href="https://advancedbenefitconsulting.com">advancedbenefitconsulting.com</a>. She can be reached at dmcociu@advancedbenefitconsulting.com. Educational classes can be found on her educational platform, the Empowered Education Center, at <a href="https://advancedbenefitconsulting.com/empowered-education-center/">https://advancedbenefitconsulting.com/empowered-education-center/</a>.</p>
<p><!-- /divi:paragraph --></p></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
<p>The post <a href="https://advancedbenefitconsulting.com/caas-no-surprises-act-ifrs-spark-administrative-questions-and-industry-concerns-while-awaiting-further-guidance/">CAA’s No Surprises Act IFRs Spark Administrative Questions and Industry Concerns While Awaiting Further Guidance</a> appeared first on <a href="https://advancedbenefitconsulting.com">Advanced Benefit Consulting</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Cyber Attacks Hit Home &#8211; The Next National Emergency?  Valuable Cybersecurity Tools to Keep You Safe</title>
		<link>https://advancedbenefitconsulting.com/cyber-attacks-hit-home-the-next-national-emergency-and-valuable-cybersecurity-tools-to-keep-you-safe/</link>
		
		<dc:creator><![CDATA[Orange County Benefits Expert]]></dc:creator>
		<pubDate>Tue, 13 Jul 2021 14:51:42 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Cal Broker]]></category>
		<category><![CDATA[Data Breaches & Cyber Security]]></category>
		<category><![CDATA[Feature Article]]></category>
		<category><![CDATA[Published Articles]]></category>
		<category><![CDATA[The STATEment]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[national security]]></category>
		<guid isPermaLink="false">https://advancedbenefitconsulting.com/?p=3998</guid>

					<description><![CDATA[<p>By:&#160; Dorothy Cociu, President, Advanced Benefit Consulting &#38; Insurance Services, Inc.CAHU Vice President, Communications Read Article in August issue of California Broker Read Article in Jul-Aug issue of The STATEment Read in Oct issue of America&#8217;s Benefit Specialist Most of us are still licking our wounds from COVID-19.&#160; For the past nearly 18 months, we’ve [&#8230;]</p>
<p>The post <a href="https://advancedbenefitconsulting.com/cyber-attacks-hit-home-the-next-national-emergency-and-valuable-cybersecurity-tools-to-keep-you-safe/">Cyber Attacks Hit Home &#8211; The Next National Emergency?  Valuable Cybersecurity Tools to Keep You Safe</a> appeared first on <a href="https://advancedbenefitconsulting.com">Advanced Benefit Consulting</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<h3 class="wp-block-heading">By:&nbsp; Dorothy Cociu, President, Advanced Benefit Consulting &amp; Insurance Services, Inc.<br>CAHU Vice President, Communications</h3>



<div class="wp-block-columns is-layout-flex wp-container-core-columns-is-layout-8f761849 wp-block-columns-is-layout-flex">
<div class="wp-block-column is-layout-flow wp-block-column-is-layout-flow">
<p class="has-text-align-center wp-block-paragraph"><a href="https://www.calbrokermag.com/in-this-issue/cyber-attacks-hit-home-the-next-national-emergency/" target="_blank" rel="noreferrer noopener nofollow">Read Article in August issue of California Broker</a></p>



<div class="wp-block-image"><figure class="aligncenter size-full"><a href="https://www.calbrokermag.com/in-this-issue/cyber-attacks-hit-home-the-next-national-emergency/" target="_blank" rel="noopener"><img loading="lazy" decoding="async" width="600" height="760" src="https://advancedbenefitconsulting.com/wp-content/uploads/Cal-Broker-Cover-August-2021-600.jpg" alt="Cal Broker August 2021 published article" class="wp-image-5568" srcset="https://advancedbenefitconsulting.com/wp-content/uploads/Cal-Broker-Cover-August-2021-600.jpg 600w, https://advancedbenefitconsulting.com/wp-content/uploads/Cal-Broker-Cover-August-2021-600-480x608.jpg 480w" sizes="(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) 600px, 100vw" /></a></figure></div>
</div>



<div class="wp-block-column is-layout-flow wp-block-column-is-layout-flow">
<p class="has-text-align-center wp-block-paragraph"><a href="https://camsdev.net/CAHU/Magazine/July-August-2021/" target="_blank" rel="noreferrer noopener nofollow">Read Article in Jul-Aug issue of The STATEment</a></p>



<div class="wp-block-image"><figure class="aligncenter size-full"><a href="https://camsdev.net/CAHU/Magazine/July-August-2021/" target="_blank" rel="noopener"><img loading="lazy" decoding="async" width="600" height="776" src="https://advancedbenefitconsulting.com/wp-content/uploads/CAHU-Statement-July-August-2021.jpg" alt="CAHU The STATEment July-August 2021 Cybersecurity article" class="wp-image-4002" srcset="https://advancedbenefitconsulting.com/wp-content/uploads/CAHU-Statement-July-August-2021.jpg 600w, https://advancedbenefitconsulting.com/wp-content/uploads/CAHU-Statement-July-August-2021-480x621.jpg 480w" sizes="(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) 600px, 100vw" /></a></figure></div>
</div>



<div class="wp-block-column is-layout-flow wp-block-column-is-layout-flow">
<p class="has-text-align-center wp-block-paragraph"><a href="https://www.omagdigital.com/publication/?m=35261&amp;i=723016&amp;p=10&amp;ver=html5" target="_blank" rel="noreferrer noopener">Read in Oct issue of America&#8217;s Benefit Specialist</a></p>



<div class="wp-block-image"><figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="600" height="788" src="https://advancedbenefitconsulting.com/wp-content/uploads/cyber-attacks-article-Americas-Benefit-Specialist-1021-600.jpg" alt="America's Benefit Specialist" class="wp-image-5704" srcset="https://advancedbenefitconsulting.com/wp-content/uploads/cyber-attacks-article-Americas-Benefit-Specialist-1021-600.jpg 600w, https://advancedbenefitconsulting.com/wp-content/uploads/cyber-attacks-article-Americas-Benefit-Specialist-1021-600-480x630.jpg 480w" sizes="(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) 600px, 100vw" /></figure></div>
</div>
</div>






<p class="wp-block-paragraph">Most of us are still licking our wounds from COVID-19.&nbsp; For the past nearly 18 months, we’ve all lost so much.&nbsp; From illness and death of family members and loved ones to the loss of income, food insecurity and massive amounts of stress, to dealing with zoom learning for kids, and doing our jobs from home, we’ve been hurting.&nbsp; Most of us were looking forward to the predicted 2021 improvements, with vaccines available now for all who want them, infections down, and travel beginning to see a new life.&nbsp; By June 15, 2021, California opened up its economy, and we had hope.&nbsp; Yes, our income may still be lower than pre-pandemic levels and some may still be struggling, but for the first time in so many months, we saw a glimmer of optimism and confidence that the future could be bright again.&nbsp;</p>



<p class="wp-block-paragraph">However, just as we were beginning to smile more, feel comfortable going out to eat at our favorite restaurants with family and friends, and for many, hugging our parents for the first time in over a year, another cloud has begun hanging over our heads.&nbsp; And at times, the cloud turned to pouring rain and then bolts of lightning…&nbsp; A new national emergency seems to be claiming our freedoms and our hopes and dreams.&nbsp; This time, the emergency isn’t about a virus.&nbsp; It isn’t about quarantine or loneliness.&nbsp; It’s about blatant attacks on our infrastructure, our pipelines, our airports, our healthcare, our food supply, our power plants, and our business operations.&nbsp; This enemy isn’t a single germ or microorganism or pathogen.&nbsp; It’s a seemingly widespread and growing network of hackers and cyber criminals who exploit our weaknesses to infiltrate our networks and databases, quite often for profit.&nbsp; In some cases, it’s simply about knowing they can, and rattling our nerves.&nbsp; But often, in cases like Colonial Pipeline, JBS Foods and many others, it’s about holding data hostage, and demanding cash payment or bitcoin in amounts of tens of millions of dollars, just so that companies can get their systems back up and running.&nbsp; And what has the Federal Government often recommended when someone is hit with ransomware?&nbsp; Quite often, agencies such as the FBI have said simply, “Pay it.”&nbsp;</p>



<p class="wp-block-paragraph">The only good thing that these recent nationally reported attacks have done is raise awareness, which I am grateful for.&nbsp; The question is, <em>what will it take for people to take this seriously?</em>&nbsp; East coast residents saw the results first-hand with the closure of gas stations, and when they could finally find gas, there were miles-long lines waiting for the limited supply, and high prices (although sadly, those prices were often still less than what we pay daily in California for gas for our vehicles).&nbsp; We’ve all felt it in the rise in food prices, particularly meat prices, in our grocery stores, and in the inability to get the goods and services we need when we need them.&nbsp; As if last year’s toilet paper shortage wasn’t bad enough… I’m not sure if our nerves can handle food and gas shortages for long periods of time…</p>



<p class="wp-block-paragraph">This storm has not passed.&nbsp; In fact, the clouds are darkening and gaining strength; at times it feels as though we’re in the eye of the storm, and at other times, just on the outskirts.&nbsp; No matter where you are, you can still feel the rainfall, the humidity, the ferocious winds.&nbsp; With limited laws and no national, combined effort to combat it, the storm will rage on, until we all take control and stop it ourselves.</p>



<p class="wp-block-paragraph"><strong>The Weakest Link</strong></p>



<p class="wp-block-paragraph">The problem is, in the simplest of terms, that systems can only be as secure as their weakest link.&nbsp; In most cases, the weakest link is <em><u>us</u></em>… Yes, the most common denominator is human beings.&nbsp; Humans are, as we all know, <em>human.&nbsp; </em>We make mistakes, and we sometimes have short-term memories.&nbsp; If not constantly reminded of something, we forget. Or at times, we just ignore it, because it’s easier.&nbsp; In many cases, we simply aren’t properly trained to protect one of our most valuable company assets… <em>our data</em>.&nbsp;</p>



<p class="wp-block-paragraph">In many instances, it has taken only a single individual, perhaps someone highly respected who cares greatly about their job and the company they work for, to take down an organization, although perhaps unknowingly.&nbsp; It may only take one misstep to throw the organization into turmoil, and subject it to a cyber attacker who is demanding millions of dollars… Can it be avoided?&nbsp; Yes, but at what cost?</p>



<p class="wp-block-paragraph">Generally, the cost is doing a proper risk assessment, understanding your risks, and doing something to mitigate those risks.&nbsp; The cost is ramping up your network and database security, and the cost is taking the time, energy and effort to do one thing… Properly train your employees.&nbsp; In most cases, many of the largest breaches in the United States and across the world may have been avoided, if only the organization had spent some time, energy and financial resources protecting themselves with these steps.</p>



<p class="wp-block-paragraph"><strong>Federal &amp; State Laws &amp; Regulations Overview</strong></p>



<p class="wp-block-paragraph">Unlike other nations, such as those in the European Union, the United States has no single federal law regulating cybersecurity or information security.&nbsp; Although several states have cybersecurity and data breach laws, one of the few federal laws we have is HITECH, which came out of the American Recovery &amp; Reinvestment Act in 2009, ramped up HIPAA Security, and protects the electronic medical information of an individual. In addition to HIPAA Medical Records Privacy &amp; Security and HITECH, we have the federal GLBA (Gramm-Leach-Bliley Act), which protects financial information within banks, financial institutions, mortgage companies, insurance companies, and by extension, agents.&nbsp; We also have the little-known federal Computer Fraud and Abuse Act (CFAA) for prosecuting cybercrime, Sarbanes-Oxley (which applies to public companies), and the Federal Trade Commission (FTC), which, since 2002, has assumed a leading role in policing corporate cybersecurity practices. In that time, it has brought more than 60 cases against companies for unfair or deceptive practices that endanger the personal data of consumers. Also on the federal side, we have the Children’s Online Privacy Protection Act (COPPA), the FDA regulations for the use of electronic records in clinical investigations, and a few other little-known federal privacy protections.&nbsp; But there is no single regulation or oversight.&nbsp; There is a hodge-podge of laws, and often the government agencies don’t work together to fight cybercrime as other nations have.&nbsp;</p>



<p class="wp-block-paragraph">Here in California, we have even more privacy laws in effect, including the Confidentiality of Medical Information Act, Confidentiality of Social Security Numbers, a Data Breach Notification Law, a Customer Records law, and of course the California Consumer Privacy Act (CCPA), to name a few.&nbsp;</p>



<p class="wp-block-paragraph">Even though some of these laws, including HITECH, require electronic security, is that enough?&nbsp; <em>Sadly, recent history has proven it is not. </em>&nbsp;Even with these federal and state requirements, we continue to see hospital after hospital, medical group after medical group, and individual medical practitioners fail to fully implement the security measures required by federal and state laws.&nbsp; We see multiple businesses in all industries subjected to ransomware, and their email, their data files and more are held for ransom.&nbsp; Nearly every week, we are hearing in the news of another cyberattack that has slowed down meat production, fuel for automobiles and aircraft, and more.</p>



<p class="wp-block-paragraph">I’ve been preaching (and teaching, in seminars, webinars, on podcasts, writing articles, etc.) HIPAA Privacy &amp; Security protections since 2002, just prior to the effective date of HIPAA Medical Records Privacy, which went into effect in 2003 or 2004, along with HIPAA Security in 2005.&nbsp; When I wrote my HIPAA Manual in 2000 and updated it beginning in 2002 and for many years after with all of the Privacy &amp; Security applications, I did my best to teach people how to protect their companies, mostly in terms of physical and administrative security… from teaching them to lock paper records down and double-protect SSNs and mental health information, to assisting them with creating written policies and procedures and their internal processes, and of course I did privacy training all over the country…&nbsp; HIPAA Security in 2005 brought the electronic component to it, so again, I did the rounds and wrote about it, taught seminars, and helped employers and providers with implementation.&nbsp; It wasn’t until HITECH in 2009, however, when HHS and OCR started treating business associates the same as covered entities, and when penalties and enforcement ramped up, that it was taken somewhat seriously and we began to understand the importance of protecting our data.&nbsp; It was in 2009 that even I, who had been doing privacy &amp; security training for 7 years at that point, knew I was out of my league, and had to find technology partners to assist with the complexities of HITECH, because, after all, it’s all about IT functions and technology.&nbsp; Yes, it was taken more seriously, but not seriously enough.&nbsp; And today, it’s not just about medical records.&nbsp; It’s about our internal systems, our personal and business financial information, people stealing identities, and now, it’s about having our data ripped from our systems and held in the hands of an invisible enemy.&nbsp; Even with these federal and state requirements, we continue to see data hacked and often, companies just pay up, because they knew the risks, but failed to take the necessary steps.&nbsp; To many, it was an understanding that it could happen, but an unwillingness to do the work, invest the funds, and implement strong company-wide policies to secure data.&nbsp; Some of those felt it was worth the risk.&nbsp; Pay now or pay later – and they chose to put off what could have helped them avoid the dangers of today’s cyber-crimes.&nbsp; Some of those are indeed paying later.&nbsp; Much more than they may have wanted or imagined, because the widespread thought process is, <em>it can’t happen to me</em>.&nbsp; We’re starting to realize now that <em>it can</em>.&nbsp;</p>



<p class="wp-block-paragraph">In 2021, the “new normal” is being reminded almost daily about the current storm, the new national emergency (in my words, not the official government’s words), and that is cybercrime.&nbsp; We need strong cybersecurity measures to combat that emergency.&nbsp; The question is, are you willing to do what it takes to protect yourselves and your company’s data?</p>



<p class="wp-block-paragraph"><strong>The First Steps Toward Data Protection</strong></p>



<p class="wp-block-paragraph">Now that this new national emergency is among us, what are we going to do to stop it, or at least slow it down, get a handle on it, and try to eventually end it?&nbsp;</p>



<p class="wp-block-paragraph">First, take a step back and evaluate where you are.&nbsp; When was the last time you did a complete risk analysis – a true risk assessment – for your organization, including physical, technical and administrative security?&nbsp; Have you ever?&nbsp; Have you evaluated your systems, done mock trials to find weaknesses?&nbsp; Or have you turned your back on it, thinking, ‘we’ll get to it someday’?&nbsp; Well, folks, someday is here, and you need to take action now, or you could be the next victim of cybercrime.&nbsp;</p>



<p class="wp-block-paragraph"><strong><em>Some Real-World Actions To Keep You Safe</em></strong></p>



<p class="wp-block-paragraph">To share additional perspectives rather than mine, I brought in some reputable industry experts to assist me in this article; Ted Mayeshiba (Ted M.) and Ted Flittner (Ted F.), principals of Aditi Group, a Technology and IT Services and Consulting firm (and in full disclosure, my company’s technology partners), and Zach Ayta, Director of Partnerships and Sidd Gavirneni, CEO and Co-Founder of Zeguro, a Cybersecurity consulting and Cybersecurity Insurance company.&nbsp;</p>



<p class="wp-block-paragraph"><strong>Recent Ransomware Attacks in the News (Colonial Pipeline &amp; JBS)</strong></p>



<p class="wp-block-paragraph">My first question to them was this… Recent large ransomware attacks like Colonial Pipeline and JBS Foods have shown us that hackers are exploiting security weaknesses and holding the data of many companies hostage, often demanding millions of dollars to unlock the companies’ own data, which in turn has shut down supplies of critical goods and services.&nbsp; Can you explain to us, in layman’s terms, just what we mean when we say ransomware is a form of malware targeting systems?&nbsp; What exactly do these malicious actors do in these situations?</p>



<p class="wp-block-paragraph">“Ransomware is simply encryption software loaded onto your machine or network, which is NOT of your choosing,” stated Ted Mayeshiba (Ted M.).&nbsp; “It was loaded onto your machine by a bad actor.&nbsp; The bad actor then encrypts all of the data on your system so you can’t read it.&nbsp; Their request to you is if you ever want to read or use any of your files again, pay them and they will give you instructions to decrypt the files.”&nbsp;</p>



<p class="wp-block-paragraph">Sidd Gavirneni of Zeguro was asked the same question, and responded as follows:&nbsp; “<a href="https://www.zeguro.com/blog/ransomware-what-smbs-should-know">Ransomware</a> has become increasingly prominent in recent years and has<a href="https://www.zeguro.com/blog/ransomware-on-the-rise-during-the-pandemic-what-to-know"> grown significantly during the COVID-19 pandemic</a>, with new ransomware samples<a href="https://www.prnewswire.com/in/news-releases/covid-19-pandemic-sparks-72-ransomware-growth-mobile-vulnerabilities-grow-50--817268901.html"> growing by 72%</a> in the first six months of 2020. This type of malware encrypts data in an information system and demands payment in exchange for regaining access. The payment is commonly demanded in cryptocurrencies due to their untraceable nature. Though the malicious actors claim that they will unencrypt data after the ransom is paid, there is no guarantee that users will receive the decryption key, and according to the<a href="https://www.cisecurity.org/blog/ransomware-facts-threats-and-countermeasures/"> Center for Internet Security</a> (CIS), one ransomware variant deletes files even if the ransom has been paid.”</p>



<p class="wp-block-paragraph">I do want to point out, as you may have heard in the news, that U.S. authorities have recovered millions of dollars in digital currency that was paid to the hackers who were responsible for the east coast fuel pipeline attack, the Colonial Pipeline.&nbsp; According to the Wall Street Journal (updated June 7, 2021, by Dustin Volz, Sadie Gurman and David Uberti), investigators seized approximately 64 bitcoin, valued at approximately $2.3 million, from a virtual wallet.&nbsp; This particular attack was carried out by a suspected Russia-based criminal gang, according to the Justice Department.&nbsp; It was reported that Colonial paid $4.4 million to the hackers because they were unsure how badly the cyberattack had breached its systems or how long it would take them to bring the pipeline back online.&nbsp;</p>



<p class="wp-block-paragraph">This was the first time (at least that I’ve heard of) that the US government has actually been successful in getting part of a paid ransom back on a major case, so I would not count on the government to help every company out there.&nbsp; This one affected our fuel supply and started a media frenzy, and people were desperately looking for fuel for their vehicles, and frankly, that type of publicity is not good for a somewhat new Administration in Washington, so I’m sure there was immense pressure to do something to show US strength in fighting cybercrime.&nbsp; What about the other attacks?&nbsp; Did the government step in for those?&nbsp; Most of the time, the answer to this date has been no.&nbsp; You need to rely on yourselves, and prevent it from happening in the first place.</p>



<p class="wp-block-paragraph"><strong>Public Entities Are Not Exempt from Hackers</strong></p>



<p class="wp-block-paragraph">Public entities have also been breached, such as Steamship Authority of Massachusetts, the Washington DC Metro Police, the University of California, Michigan State University and others.&nbsp; People are wondering how they are supposed to protect their data when these large public entities aren’t even able to protect theirs.&nbsp; What are some basic things that can be done to protect your company’s data, and how do we convince organizations that this is serious?&nbsp; Again, I went to experts for answers.</p>



<p class="wp-block-paragraph">“How do you protect yourself? This is malware, so you use all good hygiene practices we’ve spoken about on many occasions, like our trainings and in our podcasts.&nbsp; You must keep your software and browsers up to date, use Multi Factor Authentication, and most importantly, don’t click on links you aren’t expecting, etc.”&nbsp; stated Ted M.&nbsp; “How can you protect data?&nbsp; Well, in the case of a small library in Indiana, they had their card catalog hacked and encrypted.&nbsp; What they do now is keep a backup of all their critical data offline.&nbsp; If they get hacked, they wipe everything clean and restore from backup.&nbsp; For a small business, this is a very practical solution.&nbsp; For someone like Colonial Pipeline, they discovered it would take many days to do because the entire infrastructure was encrypted.&nbsp; For those larger companies, we would recommend a separation of systems to prevent the unrestricted spread of malware.&nbsp; Sierra Wireless (another very large Fortune 500 firm) was a victim of ransomware.&nbsp; It attacked their administrative functions, but their operational functions were unaffected.&nbsp; The customers were unaware.&nbsp; Most administrative functions were back in days, fully functional within a week.&nbsp; No ransom was paid.”&nbsp;</p>



<p class="wp-block-paragraph">So, is the answer to just back up your data?&nbsp; Yes, that’s a good practice, but you cannot rely entirely on your backups.&nbsp; As Ted M. said, this takes time that many companies may not have, particularly if they are an essential service or business.&nbsp; To many organizations, time is money.&nbsp; And no one likes to lose money.&nbsp; <em>But would you rather lose your data?&nbsp;</em></p>



<p class="wp-block-paragraph">In my discussions with the experts, I went on to ask them, how does the COVID-19 stay at home scenario add to the risks of data breaches and cyber-attacks?&nbsp; What can be done to mitigate this, since many companies decided during COVID that they can save money by having certain employees work from home for the long-term?&nbsp; What are some basic must-dos and don’ts that companies should be practicing?</p>



<p class="wp-block-paragraph">“The spread of ransomware throughout a connected network is the largest risk for a small business,” replied Ted M.&nbsp; “Your machines in the office may be ‘locked down’.&nbsp; Machines at home, less so.&nbsp; At home there are many areas of weakness.&nbsp; Family members.&nbsp; Open ports.&nbsp; Memory sticks may be inserted which are infected.&nbsp; Wireless networks can be hacked.&nbsp; IoT devices (Alexa, Nest, etc.) may be hacked.&nbsp; Multiple entry points, multiplied by the number of employees out of the office in coffee shops or other public places, multiplies the risk.”</p>



<p class="wp-block-paragraph">Ted M. continued: “What can be done?&nbsp; Work policies must be enforced at home.&nbsp; You should set up machines at home with a separated family account, work account and administrator account.&nbsp; NO ONE BUT the employee should have access on the work account on a machine.&nbsp; You need to restrict rights to the various accounts so work product cannot be breached or compromised.”</p>



<p class="wp-block-paragraph">You may be thinking, how do I do that?&nbsp; For that, I would highly recommend that you contact a reputable IT services company.&nbsp; Most individuals cannot do that alone (although some teenagers in your household may be able to, but not willing, to do so!).&nbsp; However, if the IT service providers you use are working with machines that are owned by your organization or that contain any type of company data, be sure they are HIPAA (for medical information) and/or GLBA (if you deal with financial information) compliant, and if you sponsor a company health plan, be sure you get a HIPAA Business Associate Agreement signed.&nbsp; You may also need a GLBA vendor agreement in place.</p>



<p class="wp-block-paragraph"><strong>Hacker Groups in the News – Are They The Only Danger?</strong></p>



<p class="wp-block-paragraph">Recent news reports have named certain hacker groups that have been linked to recent large breaches and ransomware schemes.&nbsp; We’ve heard about DarkSide, REvil group, Avaddon, Evil Corp, DoppelPaymer Gang and more.&nbsp; I asked Ted Mayeshiba and Sidd Gavirneni if we should be worried only about these more infamous groups, or should we be focusing mitigation efforts on a wider range of hackers?&nbsp; Who should we be afraid of, and why?</p>



<p class="wp-block-paragraph">“The larger groups offer Ransomware as a Service (RaaS),” said Ted M.&nbsp; “This means they put kits together for any middle school whiz kid to use and distribute.&nbsp; They leverage servers and infrastructure where payments are processed and the heavy lifting of hacking is done.&nbsp; <em>It’s the democratization of evil</em>.&nbsp; What this means, however, is that ‘spearphishing’ will become more dangerous.&nbsp; More people, who are likely to know more about you, may send more enticing emails with links for you to click.&nbsp; <em>Social media is now an attack vector. </em>&nbsp;Therefore, <em>it’s important that you NOT use the same photo for business and personal media accounts.&nbsp; Facial recognition software has progressed now, so hackers are able to associate facts on your Instagram account tied with facts on your LinkedIn account to give a good picture of enticements for the hacker to use against you.”</em></p>



<p class="wp-block-paragraph">People often give me a hard time about why I don’t have social media on my phone and why I don’t have an Instagram account….&nbsp; Hmmmm… I wonder why?&nbsp; And for those of you that may not understand the humor, a phone is also a device that needs to be protected and secured.&nbsp; All devices do, if they are used for company business.&nbsp; Much to my frustration at times, my phone is encrypted, and I download very few applications on it.&nbsp; Those that are downloaded are approved by Aditi Group.&nbsp; Phones can get hacked too, and if they are connected to your networks at the office, they can be just as dangerous as a laptop.&nbsp; For social media, I primarily use a tablet that is not connected to any office networks or databases.</p>



<p class="wp-block-paragraph">“The most important goal is to protect your business &#8211; irrespective of the size or type of a malicious actor group,” stated Sidd. “And this is because there are many, many more malicious actors that are not in the news &#8211; including newbies. The average cost of a breach for small businesses is $3.6M, and we have seen instances of ransomware attacks by amateur cyber criminals.”</p>



<p class="wp-block-paragraph">Keep in mind, many of these are faceless individuals, clicking away at holes, trying to find a way into your network.&nbsp; It could be someone next door to you.&nbsp; It could be a friend of your son’s or daughter’s.&nbsp; Social media, as Ted M. said, is now a major source for your personal information and a breeding ground for hackers, including, as Sidd mentioned, the newbies.&nbsp;</p>



<p class="wp-block-paragraph"><strong>Healthcare and Insurance Group Attacks</strong></p>



<p class="wp-block-paragraph">Turning to something close to probably everyone reading this article, healthcare and insurance groups have always been a huge target for hackers and cyber-attacks.&nbsp; Anthem, Premera Blue Cross, Mass General, Cottage Health, UMass and, more recently, Scripps have all fallen victim to cyber criminals.&nbsp; Since much of our reading audience is in the healthcare and health insurance business, or a field supporting that business, are there certain things this industry should be doing more of to protect patient and customer medical data?</p>



<p class="wp-block-paragraph">“Healthcare related businesses usually are subject to Federal HIPAA laws and local State laws that require them to ‘de-identify’ patient info or protect it,” stated Ted Flittner (Ted F.).&nbsp; “Protection falls on data when At Rest, In Motion, and Deleted. And we must Control Access to just the people who are Authorized to see data.&nbsp; Making all that happen is a lengthy topic and starts with knowing your company.”&nbsp;</p>



<p class="wp-block-paragraph">Ted F. continued: “The most common statement made by Health and Human Services and Office of Civil Rights in HIPAA violation cases is a lack of adequate RISK ASSESSMENT by the companies.&nbsp; The first responsibility is to understand your own company risks of violating HIPAA privacy rules.&nbsp;&nbsp; The second responsibility is to make a plan to reduce or eliminate those risks.”&nbsp; Of course, Ted F is speaking my language, because as I said above, I’ve been doing HIPAA Privacy &amp; Security Training since 2002, and it’s one of the most important things I tell my students, which are generally CFOs, CEOs, corporate Presidents, Partners, as well as Human Resources professionals and insurance agents.&nbsp; But telling them and having them listen isn’t enough.&nbsp; <em>They have to do something about it. &nbsp;They need to take action.&nbsp;</em></p>



<p class="wp-block-paragraph">Ted F. continued: “Number one: get an outsider’s view of your business risk.&nbsp; The actions following a risk assessment are specific to the company.”&nbsp;</p>



<p class="wp-block-paragraph">Sidd Gavirneni took a somewhat different approach to my question.&nbsp; “Cybersecurity is all about People, Processes, and Technology &#8211; making sure that businesses are looking at it holistically.”</p>



<p class="wp-block-paragraph">“Healthcare is extremely susceptible to cyber-attacks because of the amount of sensitive data, the third party tools and products being used, and the proliferation of IoT devices,” continued Sidd. “So, we always recommend starting with understanding your ecosystem, and creating cybersecurity processes around that ecosystem. There are many things you need to do, but we’ll talk about only a few things that healthcare businesses can get started with:</p>



<ol class="wp-block-list" type="i"><li>Ensuring that you continuously maintain an inventory of all software and devices you are using, and patching them at least once a month with any software updates.</li><li>Encrypt all data.</li><li>Make sure that you are backing up all data continuously, but also have a process to restore that data.</li><li>People are the primary root cause of breaches. So, train all your employees, consultants, and contractors on cybersecurity best practices. This cannot be a “once a year” effort. It needs to be at least once per month, so it stays top of mind.”</li></ol>



<p class="wp-block-paragraph">I can’t agree with Sidd more.&nbsp; Too many companies, in my opinion, train their people once, and then forget about it.&nbsp; Some even go so far as to train every two to three years, but with technology changing, and employees being those human beings I mentioned, it just doesn’t stick with them.&nbsp; If you’re a business owner, I implore you to read these words and let them sink in… Then read them again and again until you remember them.&nbsp; Your best defense is to train your employees,&nbsp; your consultants, and contractors on privacy and security of all types, and keep doing it, over and over.&nbsp; Once a month may be overkill for some companies, but for many others, it could be the difference between getting hacked and being safe.&nbsp; Know your business and talk to a consultant to help you determine what type of training and how often you need it for your employees, given your situation.</p>



<p class="wp-block-paragraph"><strong>No Industry is Safe</strong></p>



<p class="wp-block-paragraph">No one is safe.&nbsp; No industry is safe.&nbsp; Even professional sports teams have been victims of cybercrimes recently.&nbsp; The Houston Rockets were hit with a ransomware attack, even after they claim to have prevented some attacks.&nbsp; This attack was reported as minor, but is it really minor if at least one person falls victim to these attacks and pays?&nbsp;</p>



<p class="wp-block-paragraph">“It can appear minor to the victim if the dollars are low and they learn their lesson and tighten security,” stated Ted F.&nbsp; “Depending on the type of ransomware attack.&nbsp; Some are simply caused by an executable file that just encrypts data.&nbsp; Some attacks are real breaches into a company’s network AND the lock-up of their data.&nbsp; These situations are a lot more complex and mean the attackers may HAVE copies of some or all of the data.&nbsp; And of course, any payment of ransomware boosts the motivation of these pirates to attempt more plunders.&nbsp; Sometimes even to the same victim all over again.”</p>



<p class="wp-block-paragraph"><strong>Software Updates and Patching</strong></p>



<p class="wp-block-paragraph">One of the most important things I want to talk about today is software updates and patching, and why they’re important.&nbsp; Apple recently released a macOS update to address a vulnerability that was allowing malware to work around privacy settings.&nbsp; Microsoft 365 had vulnerabilities in email applications.&nbsp; Microsoft also released patches for limited and targeted attacks.&nbsp; What should businesses be doing to assure that updates and patches are installed and used?&nbsp; How important is this?&nbsp; Once again, I asked the experts.</p>



<p class="wp-block-paragraph">“Remember that HIPAA requires that ‘Covered Entities’ – those subject to HIPAA always use computer systems and software that are still supported by their makers.&nbsp; That’s because we know that weaknesses are continually bubbling up to the surface.&nbsp; And as they appear, companies scramble to push out patches as software updates,” responded Ted F.</p>



<p class="wp-block-paragraph">“Sometimes these weaknesses are glaring holes.&nbsp; But most often they are rarely encountered combinations of keystrokes and commands that can unintentionally allow hackers to get in or take control of computers.&nbsp; Once a vulnerability becomes known to hackers, they share it with other hackers and malware code is written and deployed around the world.&nbsp; The most common way to spread those viruses is with spammy emails with links we shouldn’t click on…”&nbsp;</p>



<p class="wp-block-paragraph">And how many times have we seen just that?&nbsp; Employees, again, your weakest link, should know better but they don’t, or they forget.&nbsp; You must train them of the dangers, and you must do it frequently.</p>



<p class="wp-block-paragraph">“Some exploits can be made on computer servers directly – like the ones in your office or running the stuff ‘in-the-cloud’ without any users clicking on email,” continued Ted F.&nbsp; “These are the kind of exploits that we see when a website is ‘hacked’ and you see ads for ED or cheap drugs.&nbsp; They are also the attack opportunities like Microsoft had with their Exchange email software this year.&nbsp; That one event allowed more than 30,000 Exchange email servers to be attacked by malware before patches were deployed.”</p>



<p class="wp-block-paragraph">I continued this discussion with Ted F. “Hackers rely on the time window of opportunity between when an exploit is revealed and when software companies publish updates.&nbsp; But most importantly, before users – you and I, update our computers.” &nbsp;Timing, as Ted F said, is everything.&nbsp; And often, only a short amount of time is enough to set the path towards data destruction or ransom attacks.&nbsp; &nbsp;</p>



<p class="wp-block-paragraph">“Patching is critical, and should be done as frequently as possible,” stated Zach Ayta of Zeguro. “If an organization is unable to automate patches so that they are installed as they become available, then patching should be done on regular intervals, more often than just monthly.”</p>



<p class="wp-block-paragraph"><strong>The Travel Industry</strong></p>



<p class="wp-block-paragraph">The travel industry has also been hit hard recently after a devastating 15+ months.&nbsp; Booking.com, Malaysia Airlines, British Airways and more have been victims.&nbsp; As people and businesses are now finally starting to travel again, for both vacations and business, what can they do to keep their information safe?</p>



<p class="wp-block-paragraph">“Lost or stolen phones are the number one way that data gets intercepted when you’re traveling,” stated Ted F.&nbsp; So, I asked for a list of “to-dos”, and Ted F. replied:</p>



<ol class="wp-block-list" type="i"><li>“Back up your phone.</li><li>Secure your phone with a strong password – just a few thumb strokes or a 4-digit pin.</li><li>Only use public wifi with a <em>virtual private network</em> or <em>VPN</em>.&nbsp; IT Service companies like ours can set up a hardware VPN or you can subscribe to VPN software.</li><li>Don’t text or email secret info like your passwords to family or office while traveling.&nbsp; SMS and email are inherently insecure – like sending postcards.&nbsp; Set up password storage programs – LastPass, Dashlane, etc. – <em>before</em> you travel.</li><li>Be mindful of who is watching or listening to phone calls when you tell someone your name, address, birthday, social security number, or credit card number over the phone.&nbsp; Use an ear bud and not a speaker phone.”</li></ol>



<p class="wp-block-paragraph">Because these things are so common, I pressed Ted F. for more information.&nbsp; “We also avoid downloading and installing apps which may be convenient but really are not necessary.&nbsp; These apps from travel companies and smaller businesses may have flaws and may not be updated as quickly as operating systems and big software programs.”</p>



<p class="wp-block-paragraph">There we are again, back to the dangers of apps on phones… With all of the sports events moving to mobile ticketing only, that was a tough one for me.&nbsp; I may have to buy a second mobile phone just to use for mobile ticketing!</p>



<p class="wp-block-paragraph"><strong>Working From Home Dangers</strong></p>



<p class="wp-block-paragraph">Another thing we should be concerned about, particularly now with more people continuing to work from home, is kids and online gaming, as there are always issues with security.&nbsp; What about the parents of those kids?&nbsp; What can be done to keep your kids, as well as your data, safe while playing online games?</p>



<p class="wp-block-paragraph">“The only real way to protect your data and allow online and multiplayer games is to keep the gamers separate from any computers and phones that have your business data or sensitive personal info,” replied Ted F.&nbsp; “Don’t allow games on your computers, and never on business machines. Use separate networks.&nbsp; Virtual Local Area Networks (VLANs) use the same internet provider, same wires, but special hardware creates separate <strong><em>virtual</em></strong> networks that can’t talk to each other.&nbsp; So, kids can be on their own, and you or Work can be on another.&nbsp; Risky games on the Kid’s Network won’t affect you on the Work Network.&nbsp; It can be all inside your home.&nbsp; I recommend you call an IT Service company like ours to learn more or have us set it up.”</p>



<p class="wp-block-paragraph">Zach Ayta had additional ideas on this subject.&nbsp; “Malicious actors will stop at nothing to creatively gain access to information or hardware through gaming platforms. Parents should encourage the following:</p>



<ol class="wp-block-list" type="i"><li>Avoid participating in chat, when possible</li><li>Never share personal information about yourselves or your personal lives</li><li>Avoid clicking links provided in chats</li><li>Only download gaming updates from app stores or within the game, never from external websites/sources</li><li>Only add gaming friends/contacts that they know in real life (IRL).”</li></ol>



<p class="wp-block-paragraph"><strong>New Cybersecurity Regulations</strong></p>



<p class="wp-block-paragraph">Moving on to another subject, I asked the experts about new cybersecurity regulations. The Dept of Homeland Security is working on regulations…&nbsp; The Transportation Security Administration and Cybersecurity and Infrastructure Security Agency are getting involved.&nbsp; I asked them how much they think the government can help with this problem.&nbsp; Even if we have regulations, will that solve the problems?</p>



<p class="wp-block-paragraph">“Rules don’t really change human behavior,” stated Ted F. matter-of-factly.&nbsp; “Regulations may lead to more widespread use of security steps like 2-factor authentication (like when your bank sends a confirmation code to login).&nbsp; But rules won’t prevent people from clicking on email links to malware. And we all know that people still have to <em>follow</em> the rules.&nbsp; HIPAA was enacted in 1996, [and has been enforced since the Privacy &amp; Security Rules went into effect in] 2003.&nbsp; But companies still routinely violate HIPAA rules.”</p>



<p class="wp-block-paragraph">That they do.&nbsp; All you have to do is take a glance at HHS/OCR’s “wall of shame,” which they seem to be very proud of, to see just how many entities violate HIPAA Privacy &amp; Security rules, as well as HITECH, regularly.</p>



<p class="wp-block-paragraph">“We still need to be aware, train our co-workers to be aware, and assess our risks, put measures in place to help reduce risk, and consider insurance for when the unexpected does happen,” continued Ted F.&nbsp;</p>



<p class="wp-block-paragraph">“The increase in regulatory frameworks is unsurprising, but necessary,” stated Sidd Gavirneni. “One of the challenges is that passage of regulations is an archaic process, and often by the time they are instituted, the technology world may have evolved well beyond the scope of the regulations. Secondly, current regulations fail to motivate organizations to go above and beyond what is required of them.”</p>



<p class="wp-block-paragraph">In case you haven’t been reading the news or watching it on television or online, the recent meeting between President Biden and Russian President Putin put cybersecurity in the forefront.&nbsp; Although nothing specific came out of that meeting, the two did agree to “begin consultations on that issue.”&nbsp; (Russian President Putin in a post-meeting interview).&nbsp; But, we all know, actions speak louder than words, and I’m guessing it will be quite some time before we see any real actions from the US and Russia in a combined effort, if ever.</p>



<p class="wp-block-paragraph"><strong>Training for Employees</strong></p>



<p class="wp-block-paragraph">Let’s talk about proper training for the front-line workers of businesses.&nbsp; Those who sit at a computer most of the day… We’ve mentioned training a number of times in this article so far, but as far as I’m concerned, you can’t talk about it enough. What kind of training do employees need to help protect their company’s security?</p>



<p class="wp-block-paragraph">Ted F. was more than happy to discuss this topic again.&nbsp; “Know company policies and why it matters to follow them.&nbsp;&nbsp; The key topic these days is email diligence.&nbsp; Don’t click on email links or download files that you don’t really know.&nbsp; Slow down and take time to scrutinize.&nbsp; Teach people how to recognize fakes and legitimate messages,” he stated.&nbsp; “And train people on how to react if malware, ransom, or phishing attempts succeed.&nbsp; Who should they call and what should they do next?”&nbsp; That seems to be one of the glaring missing pieces in most employers’ privacy policies.&nbsp;</p>



<p class="wp-block-paragraph">“Employees are often the first and last line of defense against security incidents and equipping them with the education they need to change their behavior is important,” stated Sidd Gavirneni. “The key for any effective training is that it is not one size fits all. A robust training program should address both the knowledge gaps in an employee&#8217;s cybersecurity aptitude and risks that they face in their job functions. Additionally, many security awareness programs fail because every employee takes the same training at the same time, typically annually. Ongoing training on a monthly basis helps keep security top of mind.”</p>



<p class="wp-block-paragraph">How do you train your employees?&nbsp; Every company, every industry is different.&nbsp; However, there are easy training tools you can use.&nbsp; Up-to-date video training is cost effective and easy for Human Resources.&nbsp; However, if you use video training, it’s best to incorporate live interactions within it.&nbsp; Personally, I like to create my training videos with stopping points in the video where you can literally hit pause and do role playing with your staff, or other interactions, to keep them engaged and aware.&nbsp; I also include statements in my videos, usually at the end, where I inform the employees that their employer will now distribute its internal policies and review them with the employees, to make sure that the employer is actually prepared to have the training.</p>



<p class="wp-block-paragraph">We also find that more than one voice or face in a training is good, particularly in longer training.&nbsp; One voice, no matter how effective they are, can cause someone to lose interest after a time.&nbsp; Short (one hour or less) trainings are usually ok with a single voice, but longer ones may lose the audience.&nbsp;</p>



<p class="wp-block-paragraph">I personally love in-person, live training, although I had to convert to web-based training during COVID.&nbsp; In-person training allows the trainer to look the employees in the eyes, see where they are confused and stop to see how you can help.&nbsp; Now that we are opening up again, and more people are vaccinated, we will be going back to live training in the next couple of months.</p>



<p class="wp-block-paragraph">I tend to shy away from online-only training with no interaction, because people tend not to pay as much attention.&nbsp; If you are using an online-only training tool, be sure to use one that has tests that employees must pass.&nbsp; If using this type, also use double-authentication to be sure that you are in fact training the person you think you are training, and not having one person take everyone’s test (and perhaps get paid to do it by others).</p>



<p class="wp-block-paragraph">The most important thing is to decide what groups need to be trained, and train specific to each of those levels.&nbsp; In HIPAA Privacy &amp; Security training, I generally prefer 4 to 6 hours for Privacy &amp; Security Officers and privacy work group members.&nbsp; Most don’t do that… But I do like to be complete, and it’s far too complicated to do in an hour at that level.&nbsp; I also like to do Supervisor &amp; Manager training, as they have specific roles in monitoring and enforcing the policies of your organization, which is usually about a 2-hour training the first time, with follow-ups ongoing.&nbsp; I believe electronic training and cybersecurity training is mandatory for everyone.&nbsp; If it’s a provider group, then of course specific training is needed to address the requirements of a provider.&nbsp; Basic All Employee Training is also needed, which in my opinion, should include electronic security and cybersecurity training today.</p>



<p class="wp-block-paragraph">Each company’s privacy officer and security officer should appoint a privacy work group to deal with day-to-day functions, including proper training.&nbsp; That group should determine the most appropriate means of training that meets the needs of your organization.</p>



<p class="wp-block-paragraph">If you’re not sure what type of training you need or how to go about it, you can certainly contact any of us involved in this article for assistance.&nbsp; I know I’m happy to help you, and I know Aditi and Zeguro would be as well.</p>



<p class="wp-block-paragraph"><strong>Cybersecurity Insurance</strong></p>



<p class="wp-block-paragraph">Cybersecurity Insurance is now available, yet many employers still haven’t even thought about adding it.&nbsp; Is it affordable and is it worth the price?&nbsp; I believe it is, and our experts agree, wholeheartedly.&nbsp;</p>



<p class="wp-block-paragraph">“This is just like other insurance questions.&nbsp; If you can afford not to be insured, ok.&nbsp; If you can’t afford the potential loss or cost of being without coverage, GET INSURANCE,” stated Ted F.&nbsp; “The cost of ransomware for example could include the ransom itself, cost of forensics investigators to determine if they <strong><em>took</em></strong> your data, the cost of bad press, possible legal penalties for breach, and customer lawsuits for letting hackers get their data.&nbsp; We think insurance is a great idea.”</p>



<p class="wp-block-paragraph">Obviously, this was an easy question for Sidd, as the CEO and co-founder of Zeguro, a cybersecurity liability company.&nbsp;</p>



<p class="wp-block-paragraph">“Cybersecurity insurance is a critical part of a robust cyber risk management program. Premiums are determined by a number of factors, including but not limited to an organization&#8217;s industry, projected revenue, amount of sensitive/confidential information, and security/process controls. In general, I would describe cyber insurance as being relatively affordable for what is covered, but those costs are rising as insurers realize that their underwriting models were not fit for the risks they were taking on. It is important that organizations work with insurers that have a deep understanding of cybersecurity and cyber risk and use more than financial modeling to evaluate premiums, so costs stay down over the long term.”</p>



<p class="wp-block-paragraph"><strong>Conclusion</strong></p>



<p class="wp-block-paragraph">In conclusion, I would ask that you think about the current storm we’re in.&nbsp; The clouds have not yet begun to part.&nbsp; We are a long way from that.&nbsp; But you have tools available to you to help you take shelter and weather the storm, and hopefully, see clear skies ahead… You may have to invest in it financially and with administrative processes such as real training, but it would be money well spent.&nbsp; Let’s combat the new national emergency with knowledge and action, and take control of our data, before it’s too late.&nbsp; ##</p>



<p class="wp-block-paragraph"><strong>Author’s Note &amp; Mini Biography</strong>:</p>



<p class="wp-block-paragraph"><em>I’d like to thank the contributors to this article, Ted Mayeshiba and Ted Flittner from Aditi Group, as well as Sidd Gavirneni and Zach Ayta of Zeguro for their assistance.&nbsp; Aditi Group can be reached at (855) Go-Aditi (855-462-3484) or </em><a href="mailto:info@aditigroup.com"><em>info@aditigroup.com</em></a><em>, and Zeguro can be reached at (855) 980-0660.&nbsp; If you need or want my assistance, you can reach me at (714) 693-9754 x 3 or email me at </em><a href="mailto:dmcociu@advancedbenefitconsulting.com"><strong><em>dmcociu@advancedbenefitconsulting.com</em></strong></a><em>.</em></p>



<p class="wp-block-paragraph"><em>Dorothy Cociu is the President of Advanced Benefit Consulting, and a veteran Privacy &amp; Security consultant and trainer, with expertise in HIPAA Privacy &amp; Security, HITECH, GLBA and related laws.&nbsp; She is the author of a HIPAA manual for employers and trains and consults nationally on physical and administrative security, as well as some facets of HIPAA Security.&nbsp; She relies on her technology partners, Aditi Group, for the IT security complexities of HITECH.&nbsp; Dorothy is the host of her company’s own podcast, </em><a href="https://advancedbenefitconsulting.com/benefits-executive-roundtable-podcast/"><strong><em>Benefits Executive Roundtable</em></strong></a><em>, and is an instructor for many CE courses for CAHU and its local chapters, as well as SIIA, PIHRA, SHRM and other associations.&nbsp; She is the Vice President, Communications, of CAHU.&nbsp; She is also an HRCI instructor, and her firm is an HRCI provider.&nbsp; Advanced Benefit Consulting is also a CE provider for the California Department of Insurance.&nbsp; They recently launched their new education platform, </em><a href="https://advancedbenefitconsulting.com/empowered-education-center/"><strong><em>Empowered Education Center, Powered By Advanced Benefit Consulting &amp; Aditi Group</em></strong></a><em>, which provides on-demand classes for HRCI credit, general employer education, Privacy &amp; Security education and training, and coming soon, CE credit for agents on the platform (pending DOI approval at this time).&nbsp; Her firm and her technology partners also do live training and have a monthly subscription service available for employee privacy &amp; security training, including Cybersecurity.</em></p>
<p>The post <a href="https://advancedbenefitconsulting.com/cyber-attacks-hit-home-the-next-national-emergency-and-valuable-cybersecurity-tools-to-keep-you-safe/">Cyber Attacks Hit Home &#8211; The Next National Emergency?  Valuable Cybersecurity Tools to Keep You Safe</a> appeared first on <a href="https://advancedbenefitconsulting.com">Advanced Benefit Consulting</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
