Thursday Miscellany


According to the Wall Street Journal and Bloomberg, legislative negotiations continue over the latest COVID-19 relief bill. This bill will be added to the omnibus spending bill for the federal government’s current fiscal year. That bill is ready to go. In order to allow time for the relief bill negotiations to conclude successfully, it’s likely that tomorrow Congress will extend the current continuing resolution into next week.

On the COVID-19 front —

  • The Food and Drug Administration yesterday “issued a new Emergency Use Authorization (EUA) for the BinaxNOW COVID-19 Ag Card Home Test for at-home use with a prescription. The BinaxNOW COVID-19 Ag Card Home Test is an antigen test that detects fragments of proteins from SARS-CoV-2, the virus that causes COVID-19, from a nasal swab sample. It is authorized for use at home with self-collected samples in individuals age 15 years or older who are suspected of having COVID-19 by a health care provider within the first seven days of symptom onset. The test is also for use with individuals aged four years or older who are suspected of having COVID-19 by a health care provider within the first seven days of symptom onset, when an adult collects the sample. The BinaxNOW COVID-19 Ag Card Home Test is being offered in partnership with eMed Labs, LLC., a telehealth service that will take users step-by-step through the sample collection process, explain how to perform the test, and provide assistance in reading and understanding the results.”
  • Today the Centers for Disease Control (“CDC”) released a report concluding that the COVID-19 virus can be transmitted person to person on a commercial airline. The report was based on an analysis of a commercial airline trip that occurred in Australia last March before people began to take protective measures seriously. The CDC’s point, though, is well taken. Be careful.

In other Health and Human Services Department news —

  • Today HHS released “the first-ever national plan to address the public health crisis caused by alarming increases in rates of sexually transmitted infections (STIs) in the United States over the past six years. The STI National Strategic Plan 2021-2025 (STI Plan) sets national goals, objectives, and strategies to respond to the STI epidemic. The plan will serve as a roadmap to help federal and non-federal stakeholders at all levels and in all sectors reverse the sharp upward trends in STI rates.”
  • Also today, “the Office for Civil Rights (OCR) at HHS released its 2016-2017 HIPAA Audits Industry Report that reviewed selected health care entities and business associates for compliance with certain provisions of the HIPAA Privacy, Security, and Breach Notification Rules.” Although the report is somewhat dated, the summary of findings is likely still relevant, in the FEHBlog’s view:
      • Most covered entities met the timeliness requirements for providing breach notification to individuals;
      • Most covered entities that maintained a website about their customer services or benefits satisfied the requirement to prominently post their Notice of Privacy Practices on their website;
      • Most covered entities failed to provide all of the required content for a Notice of Privacy Practices;
      • Most covered entities failed to provide all of the required content for breach notification to individuals;
      • Most covered entities failed to properly implement the individual right of access requirements such as timely action within 30 days and charging a reasonable cost-based fee;
      • Most covered entities and business associates failed to implement the HIPAA Security Rule requirements for risk analysis and risk management.

The announcement concludes — “The audit results confirm the wisdom of OCR’s increased enforcement focus on hacking and OCR’s Right of Access initiative,” said OCR Director Roger Severino. “We will continue our HIPAA enforcement initiatives until health care entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records.”

Ars Technica offers a comprehensive update on the SolarWinds hack:

The supply chain attack used to breach federal agencies and at least one private company poses a “grave risk” to the United States, in part because the attackers likely used means other than just the SolarWinds backdoor to penetrate networks of interest, federal officials said on Thursday. One of those networks belongs to the National Nuclear Security Administration, which is responsible for the Los Alamos and Sandia labs, according to a report from Politico.

“This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks,” officials with the Cybersecurity Infrastructure and Security Agency wrote in an alert. “It is likely that the adversary has additional initial access vectors and tactics, techniques, and procedures (TTPs) that have not yet been discovered.” CISA, as the agency is abbreviated, is an arm of the Department of Homeland Security.

Elsewhere, officials wrote: “CISA has determined that this threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations.”

So the hacking effort may expand beyond the identified SolarWinds “backdoor.” Wow.