Responding to the July 2 announcement by IT management software company Kaseya that a supply-chain ransomware attack leveraged a vulnerability in the Kaseya VSA remote monitoring and management (RMM) tool against multiple managed service providers (MSPs) and their customers, the Office of Civil Rights (“OCR”) is urging health care providers, health plans, health care clearinghouses and their MSPs and other business associates to follow guidance from the Cybersecurity and Infrastructure Security Agency (“CISA”) and the Federal Bureau of Investigation (“FBI”) for customers affected by the Kaseya VSA supply-chain ransomware attack.
Organizations that used these tools, or that used service providers that used them, should review and take appropriate action in response to the guidance from CISA and the FBI and to the Kaseya advisory.
CISA and FBI also recommend that affected MSPs and other parties:
- Contact Kaseya at firstname.lastname@example.org with the subject “Compromise Detection Tool Request” to obtain and run Kaseya’s Compromise Detection Tool available to Kaseya VSA customers. The tool is designed to help MSPs assess the status of their systems and their customers’ systems.
- Enable and enforce multi-factor authentication (MFA) on every single account that is under the control of the organization, and—to the maximum extent possible—enable and enforce MFA for customer-facing services.
- Implement allow listing to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or
- Place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.
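The allow-listing recommendation above is easiest to verify against the RMM server's own access records. The following Python script is an added example written for this page, not CISA, FBI or Kaseya code: it keeps a list of permitted (source network, RMM server) pairs and reports every connection to an RMM administrative interface that falls outside them. The log format (timestamp, source IP, destination IP, request) and all addresses are constructed assumptions; a real deployment would substitute its own allow list and log parser.

```python
import ipaddress
from dataclasses import dataclass

# Constructed allow list: each entry pairs a known management network (where the
# MSP's administrators connect from) with the RMM server they are permitted to reach.
ALLOWED_PAIRS = [
    (ipaddress.ip_network("203.0.113.0/29"), ipaddress.ip_address("198.51.100.10")),
    (ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_address("198.51.100.10")),
]

# Constructed sample access log for the RMM admin interface.
# Format assumed here: "<timestamp> <src_ip> <dst_ip> <method> <path>".
SAMPLE_LOG = """\
2021-07-02T14:01:09Z 203.0.113.5 198.51.100.10 POST /admin/login
2021-07-02T14:03:44Z 192.0.2.77 198.51.100.10 GET /admin/agents
2021-07-02T14:05:12Z 198.51.100.200 198.51.100.10 POST /admin/login
2021-07-02T14:07:30Z 203.0.113.5 198.51.100.11 POST /admin/login
this line is malformed and must not crash the audit
"""


@dataclass(frozen=True)
class Connection:
    """One parsed access-log record."""
    timestamp: str
    src: object   # ipaddress.IPv4Address or IPv6Address
    dst: object
    request: str


def parse_log(text):
    """Parse log lines into Connection records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue
        try:
            src = ipaddress.ip_address(parts[1])
            dst = ipaddress.ip_address(parts[2])
        except ValueError:
            continue  # not an IP address pair; ignore the line
        records.append(Connection(parts[0], src, dst, parts[3]))
    return records


def is_allowed(src, dst, allowed=ALLOWED_PAIRS):
    """True only when the source sits in a permitted network AND the
    destination is the RMM server paired with that network."""
    return any(src in network and dst == server for network, server in allowed)


def find_violations(text, allowed=ALLOWED_PAIRS):
    """Return every connection that is not covered by the allow list."""
    return [c for c in parse_log(text) if not is_allowed(c.src, c.dst, allowed)]


if __name__ == "__main__":
    for c in find_violations(SAMPLE_LOG):
        print(f"{c.timestamp} {c.src} -> {c.dst} {c.request}  NOT IN ALLOW LIST")
```

Run against the constructed log, the script flags the two connections that break the pairing rule: one from an address outside every management network, and one from a permitted network to an RMM server it is not paired with. Checking source and destination together, rather than the source alone, is what makes the "known IP address pairs" wording in the recommendation meaningful.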
CISA and FBI recommend affected MSP customers ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network.
CISA and FBI also recommend MSP customers affected by this attack take immediate action to implement the following cybersecurity best practices. Note: These actions are especially important for MSP customers who do not currently have their RMM service running due to the Kaseya attack.
For guidance specific to this incident from the cybersecurity community, see Cado Security’s GitHub page, Resources for DFIR Professionals Responding to the REvil Ransomware Kaseya Supply Chain Attack. Note: Due to the urgency to share this information, CISA and FBI have not yet validated this content.
For advice from the cybersecurity community on securing against MSP ransomware attacks, see Gavin Stone’s article, How secure is your RMM, and what can you do to better secure it?
For general incident response guidance, CISA encourages users and administrators to see Joint Cybersecurity Advisory AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity.
If you are interested in more detailed information about this or other developments discussed in this article, see here.
If you would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information, including your preferred e-mail, by creating your profile here. For specific information or counsel about these or other legal, management or public policy developments, Ms. Stamer’s work, experience, involvements, other publications, or programs, contact Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297, follow her on Facebook, LinkedIn or Twitter, or see the Cynthia Marcotte Stamer, P.C. website.
About the Author
Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition by LexisNexis® Martindale-Hubbell® as a “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law, and as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and a management consultant, author, public policy advocate and lecturer widely known for 30+ years of working on an on-demand, special project, consulting, general counsel or other basis with domestic and international business, charitable, community and government organizations of all types, sizes and industries and their leaders on labor and employment and other workforce compliance, performance management, internal controls and governance, compensation and benefits, regulatory compliance, investigations and audits, change management and restructuring, disaster preparedness and response and other operational, risk management and tactical concerns.
Most widely recognized for her work with health care, life sciences, insurance and data and technology organizations, she also has worked extensively with health plan and insurance, employee benefits, financial, transportation, manufacturing, energy, real estate, accounting and other services, public and private academic and other education, hospitality, charitable, civic and other business, government and community organizations and their leaders.
Ms. Stamer has extensive experience advising, representing, defending and training domestic and international public and private health care and life sciences, charitable, community and governmental, and other business organizations and their leaders, employee benefit plans, their fiduciaries and service providers, insurers, and others. A widely published author and popular speaker, Ms. Stamer also has published and spoken extensively on wage and other health care, human resources, employee benefits and other workforce and services; insurance; workers’ compensation and occupational disease; business reengineering, disaster and distress; and many other compliance, governance, risk management, operational and public and regulatory affairs concerns.
A former lead advisor to the Government of Bolivia on its pension project, Ms. Stamer also has worked internationally and domestically as an advisor to health, managed care, insurance, and other business, community and government leaders on these and other legislative and regulatory design, drafting, interpretation and enforcement matters, and regularly advises and represents organizations on the design, administration and defense of workforce, employee benefit and compensation, safety, discipline, reengineering, regulatory and operational compliance and other management practices and actions.
Ms. Stamer also serves in leadership of a broad range of professional and civic organizations and provides insights and thought leadership through her extensive publications, public speaking and volunteer service with a diverse range of organizations including as Chair of the American Bar Association (“ABA”) Intellectual Property Section Law Practice Management Committee, Vice Chair of the International Section Life Sciences and Health Committee, Past ABA RPTE Employee Benefits & Other Compensation Group Chair and Council Representative and current Welfare Benefit Committee Co-Chair, Past Chair of the ABA Managed Care & Insurance Interest Group, past Region IV Chair and national Society of Human Resources Management Consultant Forum Board Member, past Texas Association of Business BACPAC Chair, Regional Chair and Dallas Chapter Chair, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation and many others.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here, such as:
- COVID-ERA EMTALA Risks Highlighted By Missouri Hospital’s Patient’s Parking Lot Death
- Biden-Harris Plan To Beat COVID-19 Includes Plan To Expand Medicare, Other Health Care Plans
- Comment & Begin Preparation For Compliance With Proposed HIPAA Privacy Rule Changes
- Employers Sponsoring Health Plans Should Audit Compliance Now To Avoid Excise Tax, Other Liability
- Guard Against COVID-19 Fraud Scams
- CMS Relief Allows Pharmacies, Other Medicare Immunizers To Bill For LTC Patient Immunizations
- Participate In October 8 Free Kickin’ COVID-19: Reopening Texas Summit On Facebook Live
- Cyberhack Leads Health IT Network Provider To Pay $2.3 Million HIPAA Penalty
- Ezekiel Elliott COVID-Test Disclosure Highlights Health Care Provider & Plan HIPAA & Other Privacy Risks From Medical Testing & Other Medical
- Pennsylvania OCR Settlement Warns Others Against Disability Or Other Civil Rights Discrimination In COVID-19 Resource Allocation & Other Response
- CME Credit Offered For Providers Completing Online Replay Of 4/16 CDC Training On Certifying COVID-19 Deaths
- Proposed Privacy Rules Grant Health Plans New Flexibility, Add New Obligations
- Kickin’ COVID-19: Reopening Texas Summit October 8 On Facebook Live
- Employer Option To Defer Paying Some Employee Payroll Taxes Until 2021
- Free CDC COVID-19 Communication Resources
- DOL Invests $80.6 million in Apprenticeship Expansion Grants
- Businesses Should Confirm Using Benefits, Meeting Mandates Of Special COVID-19 Tax Rules
- Ezekiel Elliott COVID-19 Diagnosis Disclosure Outrage Highlights Need To Handle COVID-19 & Other Medical Information With Care
- Proposed Regulations Would Treat Direct Primary Care and Health Care Sharing Ministries Membership Dues As Qualifying Medical Expenses For Medical Deduction & HSA Reimbursement Purposes
- Wish Tax Guidance Were Clearer? Tell IRS/Treasury Your Suggested Topics For 2020-2021 Treasury Priority Guidance Plan
- New IRS Increased Health FSA Carryover, Gives COVID Health FSA Election Relief
- IRS Shares Initial CARES Act Plan Loan & Distribution Relief Guidance
- Employer Sponsors & Health Plans Face Rising Risk From Mental Health & Substance Abuse Coverage Violations
- Use Prudent Process To Manage Workforce & Other Business Changes To Help Minimize Business & Management Liabilities & Protect Future Recovery
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information, including your preferred e-mail, by creating your profile here. ©2021 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™