Critical Incident Stress Management and the Emergency Manager

An Emergency Manager’s role during an incident requires decision-making under varying levels of stress. Emergency Managers experience stress like that of traditional first responders, but they also operate under additional pressures: complex coordination, fluid response efforts, staff with varying levels of professional experience, and political influence. Decisions must often be made with little or incomplete information, and concern about unintended negative outcomes further complicates the process. The potential for this stress to cause health issues is quite real. Fortunately, there are actions that can offset and mitigate its negative effects.

Before the COVID-19 pandemic and the ongoing response to it, research showed that Emergency Managers and their staff experienced a host of mental and physical health issues, including PTSD, anxiety, depression, heart disease, stroke, and hypertension, to name a few. It is reasonable to expect that post-COVID-19 research and surveys will report an increase in these issues.

For decades, Critical Incident Stress Management (CISM) has provided military combat veterans, and ultimately civilian first responders (police, fire, ambulance, emergency workers, and disaster rescuers), with a crisis intervention protocol for those who have experienced trauma. CISM uses techniques delivered by trained professionals (usually from the same field as those needing assistance), including inner dialogue, coping, debriefing, defusing, and pre-crisis education.


Moving forward, recommendations will include, at a minimum, passing legislation that classifies Emergency Managers as a “high-risk” occupational population. Also recommended is that a statewide team of trained Emergency Managers be assembled and ready for deployment throughout the jurisdictions as needed, either by request or as a courtesy check during or following an incident that impacts the state or any of its jurisdictions.

In an upcoming issue of the newsletter, we will further explore the risks to the mental and physical health of Emergency Managers, the issues Emergency Managers are contending with during the COVID-19 response, potential negative impacts on individuals and on the profession as a whole, and recommendations to mitigate the challenges Emergency Managers are facing.

Friday, September 10th: CHHS Presents “Public Health Emergencies 20 Years after 9/11” and “Preventing a Cyber 9/11”

CHHS will be hosting two additional (virtual) panels this week as we approach the 20th anniversary of 9/11. The panels will focus specifically on public health and cybersecurity. We hope you will tune in live this Friday to hear from your colleagues working on these issues.


Friday September 10th 1:00pm

Public Health Emergencies 20 Years after 9/11

Join CHHS experts as we discuss the ways the U.S.’ perception of and response to public health emergencies have evolved over the past 20 years. Moderated by Public Health Program Director Trudy Henson, the panel includes Senior Law and Policy Analyst Christine Gentry, Law and Policy Analyst Jessica Pryor, and Public Safety Technology Program Director Chris Webster.


Join Zoom Meeting:

https://umaryland.zoom.us/j/99773901036?pwd=QUsyZUUrODljMWhwWXNDc2RKOFJBQT09

Meeting ID: 997 7390 1036

Passcode: 878664


Friday September 10th 2:00pm

Preventing a Cyber 9/11

Over the past 20 years, cyber threats have risen to the forefront of the challenges that government and the private sector face. Join CHHS’ virtual panel discussion on Friday, September 10 at 2:00pm to learn what we are doing to help state and local jurisdictions become better prepared for cyber incidents. Additionally, hear how businesses are addressing cybersecurity threats and navigating the complex landscape of data privacy law from Maryland Carey Law graduate and Cybersecurity and Crisis Management Law Certificate recipient Rachel Cooper (’17).


Panelists: Ben Yelin, JD, CHHS Program Director for Public Policy and External Affairs; Netta Squires, JD, MSL, CEM, CHHS Senior Law and Policy Analyst; Rachel Cooper, JD, Maryland Carey Law Grad ’17, Cyber Security Counsel, McKesson

Moderator: Markus Rauschecker, JD, CHHS Cybersecurity Program Director

Join Zoom Meeting:
https://umaryland.zoom.us/j/97246048273

Meeting ID: 972 4604 8273

No passcode needed

CHHS To Participate In Maryland Carey Law School Anchor Event Commemorating 20th Anniversary of 9/11 Attacks

The program speakers will examine the laws and policies that were adopted in response to the 9/11 terrorist attacks and discuss how effectively those decisions have addressed the changing threats faced by the United States over the last twenty years, specifically the shift from large international organizations to decentralized and increasingly domestic actors. Emphasis will also be given to the vast expansion of the “surveillance state” and the ensuing public backlash. The panel will also consider how this approach has impacted the U.S.’s ability to prepare for and respond to other types of emergencies and whether new federal legislation is needed.

The event will take place Monday, August 30th at 12pm ET at the University of Maryland Carey Law School, Room 107 (Overflow Room 108).

For those who are unable to attend in person, the Live Stream can be accessed here: https://www.youtube.com/watch?v=cZtF1QSJHYI

NY Times: The Supreme Court won’t block Indiana University’s vaccine mandate



New: Summer 2021 CHHS Newsletter Released

CHHS has released its semiannual newsletter, which highlights some of the work we’ve done over the past several months. The newsletter includes a welcome message from CHHS Founder and Director Michael Greenberger.

Check it out here:

CHHS Summer 2021 Newsletter

In the Aftermath of Van Buren v. United States

By CHHS Extern Mike Rovetto

A few weeks ago, the Supreme Court released its decision in Van Buren v. United States, and the implications of this case for nearly every business and employer in the country could be staggering. Before going into those implications, a brief introduction is warranted.

A more perfect case could not have been presented to the Court to answer the question of what “exceeding authorized access” means under the Computer Fraud and Abuse Act (CFAA). Van Buren centered on a police officer who sold information that he had pulled from a state law enforcement database to an undercover FBI informant. Van Buren had obtained the data using his valid police credentials to log into the police database and download the files.

Van Buren was charged with violating the CFAA, a 1986 law that criminalizes unauthorized access to a computer. The CFAA has been described as the federal computer trespass law; it subjects to criminal liability anyone who “intentionally accesses a computer without authorization or exceeds authorized access.” Van Buren was convicted, and on appeal to the Eleventh Circuit he argued that “exceeds authorized access” applies only to those who obtain information to which their computer access does not extend, not to those who misuse access that they otherwise have. The Eleventh Circuit affirmed his conviction, and the Supreme Court granted certiorari. Van Buren’s argument before the Court revolved around one basic idea: the CFAA criminalizes only accessing files that one is not authorized to access; it does not criminalize misusing information that one is authorized to access.

In a 6-3 decision, the majority adopted Van Buren’s view: the language of the CFAA prohibits only illegally accessing data (i.e., hacking); it does not prohibit the misuse of data that one was able to lawfully access. The Court came to the correct conclusion. Professor Orin Kerr, an expert on cyberlaw at the University of California, Berkeley, analogized this case perfectly: the government’s reading boils down to criminalizing a contract dispute. Every citizen in the U.S. should rightly shudder at a police officer violating their privacy in such a way, but that alone does not make Van Buren’s conduct (accessing the database) criminal under the CFAA. What Van Buren did was certainly a firing offense, but one would not expect to be led out of a workplace in handcuffs for accessing Facebook or sending a personal email in violation of the company’s computer policy. That is precisely the result the majority feared under the government’s reading of the statute, which would not rule out criminalizing conduct based solely on a breach of contractual terms.

Highlighting an interesting point raised by Justice Thomas in his dissent: the Justice notes that Van Buren’s actions were similar to those of a property trespasser, reasoning that someone who has legal access to a property for one purpose but enters it for another, ulterior purpose is trespassing. The Justice continues: “What is true for land is also true in the computer context; if a company grants permission to an employee to use a computer for a specific purpose, the employee has no authority to use it for other purposes.” This analogy is curious considering that in 2017 Justice Thomas joined Justice Alito’s concurrence in Packingham v. North Carolina, which rejected equating the cyberworld to the physical world. Regardless, the Justice’s example still amounts to a contract dispute. Fireable? Yes. Criminal? No.

In an interesting turn of events, the Court also sent LinkedIn v. hiQ back to the Ninth Circuit, a case that stems from hiQ’s mining of data from LinkedIn user profiles after it ignored a cease-and-desist letter. The Court remanded the case so the Ninth Circuit can determine whether Van Buren affects its interpretation of the CFAA. The outcome of that case could land back in the hands of the Supreme Court in the coming years.

The President’s Executive Order on Cybersecurity

By CHHS Extern Mike Rovetto

A few weeks ago, multiple news agencies covered a memo the Biden administration released calling on private businesses to do more against the threat of ransomware and to “better understand [their] critical role.” While the President’s Executive Order is a good first step toward fixing the nation’s cybersecurity problem, the E.O. does not go far enough, for the simple reason that it directly affects only federal agencies and contractors with active government contracts.

The U.S. approaches cybersecurity much as it does other regulatory matters, in a laissez-faire manner that relies on self-regulation. In a self-regulatory scheme, an industry is expected to “police itself” and set standards for how best to protect its cyber infrastructure. Proponents argue that self-regulation is best because the industry itself is best placed to determine its own vulnerabilities. If the past year has shown us anything, it is that self-regulation of the cyber world has not delivered the security that proponents say comes from industry expertise.

The city of Baltimore was attacked with ransomware; public reports put the cost to the city at over $18 million to restore services such as payment processing for utility bills, basic email, and critical emergency systems like 911. Last year, reports began surfacing of a security breach within the State Department. It was revealed that SolarWinds, a government IT contractor that provides software for managing IT infrastructure, had been compromised by Russian actors who inserted malicious code into a software update, letting the intruders “hide in plain sight” and appear as legitimate network traffic. The SolarWinds compromise ultimately affected dozens of federal and state agencies as well as private enterprises that installed the trojanized software, and it allowed the intruders to steal information such as the red-team tools FireEye uses to test its clients’ security. This past March, attackers exploited vulnerabilities in Microsoft Exchange Server, the email platform used by entities ranging from police departments to credit unions. An estimated 30,000 organizations, representing or holding data on millions of people across the country, were compromised and had private email communications exposed. Victims include law firms, infectious disease researchers, defense contractors, and higher education institutions.

Recently the District of Columbia Metropolitan Police Department was the victim of a major data breach. An attack on the Department’s IT servers saw dozens of private personnel files, including home addresses, cellphone numbers, and more, released by the attackers after their payment demands were refused. Just last month, the group responsible released raw intelligence on everything from the January 6 riots to criminal activity. In Florida, in what may have been the first cyberattack on U.S. soil that could have cost American lives, an intruder accessed a water treatment facility’s control system and attempted to poison an entire city’s water supply. Finally, in two back-to-back attacks on major critical infrastructure, large portions of the country were severely disrupted. The Colonial Pipeline attack caused gas shortages across the East Coast: a ransomware attack shut down a critical pipeline that carries fuel from Texas to New Jersey and touches nearly every state in between. If that wasn’t enough, the most recent attack on the nation’s critical infrastructure, this time on the food supply, should be. In that attack, criminal groups linked to Russia forced a shutdown at one of the nation’s largest meat suppliers.

In sum, we have three major metropolitan areas, one critical federal agency, and two critical infrastructure sectors, with about eleven states and millions of people affected by some type of cyberattack. And for all but one, that is just within the last eight months. Self-regulation cannot fix this. Experts from both the private and public sectors agree. Microsoft President Brad Smith told Congress, “We need to impose a clear, consistent disclosure obligation on the private sector.” Federal Energy Regulatory Commission Chairman Richard Glick’s response to the Colonial Pipeline attack captures the issue completely: “Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors.” If self-regulation were capable of meeting this threat, the Department of Homeland Security would not be issuing new regulations for pipeline security.

What is clear from the evidence of the last two years is that self-regulation in the cybersecurity and data privacy realm is failing. Leaders across multiple sectors have called on the government to provide leadership and establish standards that companies must abide by. While there has been some action in the last few months (President Biden’s Executive Order, the appointment of a National Cyber Director, and DHS’s move to regulate pipeline security are excellent first steps), there are still massive shortcomings in the way cybersecurity is handled across a wide breadth of sectors in the United States. The E.O. is a good first step at the federal level, but it does nothing to address infrastructure at the state level. Another question is whether the E.O. reaches a contractor’s non-government business (say, Boeing’s commercial manufacturing). Further, the E.O. does nothing for the thousands of small and mid-sized businesses that store sensitive data but hold no government contracts at all. The U.S. needs to stop relying on businesses to police themselves and instead empower the most capable entity it can create to propose standards, regulate all cyber-related industries in the U.S., and enforce requirements such as mandatory breach notification, encryption of all personal information, and basic security measures like firewalls. When it is your own industry base calling for regulations like mandatory breach notification, it is past time to stop simply asking that same industry to do better.

Public Health Emergency Leads to the Need for Privacy Legislation

By CHHS Extern Nicole Fullem 

Due to the COVID-19 pandemic, healthcare systems were forced into a more remote environment and required to adopt telehealth services to bring care to patients. The Department of Health and Human Services (HHS) defines telehealth as “the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, public health and health administration.” At the beginning of the public health emergency, HHS relaxed enforcement of the Health Insurance Portability and Accountability Act (HIPAA) rules in response to the increase in telehealth services. HHS’s guidance recognized that some of the technologies in use may not fully comply with the HIPAA Rules, but HHS explained that it would not impose penalties for noncompliance with those regulatory requirements. This enforcement discretion lasts for the duration of the national emergency; telehealth services, however, are likely here to stay. In December 2020, HHS saw a need to deliver better care and give patients more access to their protected health information, and it therefore proposed modifications to the HIPAA Privacy Rule. The proposed rule seeks to improve information sharing, create greater family involvement in the care of individuals experiencing emergencies, and give greater flexibility for disclosures in emergency or threatening circumstances, such as a public health emergency. However, concerns remain about the privacy of health information.

The remote environment and the increased use of telehealth services create privacy concerns for many people. Although the new Privacy Rule may provide better access to patients’ protected health information, some individuals have expressed concern that disclosure of medical records without the patient’s authorization may lead to an unintended release of sensitive information to a third party. In addition, patients would be allowed to request their health information verbally, and there are concerns that information may be released to the wrong party, or that more information may be released to a third party than a patient would like. More broadly, telehealth has led to an increase in email exchanges between physicians and patients and in the sharing of protected health information among patients, providers, and third-party organizations. Inevitably, questions remain about how to further protect patient privacy while allowing new and evolving technology to help deliver better care. Importantly, the public health emergency has exposed gaps in privacy legislation, specifically in the area of healthcare and health information.

Medical records remain one of the most valuable types of information, and during the public health emergency protected health information has been at higher risk than usual. In 2020, about 26 million patient records were exposed to unauthorized parties in the United States. The rise in healthcare cyberattacks has been attributed to poor handling of patient records and to the migration of those records to cloud services. When HIPAA was enacted in 1996, it did not contemplate today’s cybersecurity threats, and it has not been modified to keep up with the conditions that lead to modern healthcare cyberattacks. HIPAA applies only to covered entities and their business associates; it does not reach other third-party platforms, such as fitness and personal health applications, that also collect personal health data.

Earlier calls for HIPAA to be modified are resurfacing. More changes to HIPAA may be needed so that technology can be used in a way that enhances privacy protection and improves information sharing. Members of Congress and HHS are urging that now is the time for privacy gaps to be addressed, either through federal privacy legislation or through modification of the HIPAA rules. As HHS awaits feedback on the proposed Privacy Rule, at least 15 states have introduced privacy legislation, and a House Democrat introduced the first comprehensive federal privacy bill of the year, the Information Transparency and Personal Data Control Act. States will likely continue to move forward with privacy legislation, but there remains a need for a broad federal standard.

CHHS is Hiring!

CHHS is hiring! We are looking for both JDs and those with advanced degrees in other relevant fields. Learn about the positions and apply at the links below (links work best on computers, and not on mobile devices):

umb.taleo.net/careersection/… (candidates with a JD)

umb.taleo.net/careersection/… (candidates with another advanced degree)

HITECH Act Amendment and What It Means for Incentivizing Cybersecurity Safeguards

By CHHS Extern Emma Barbato

Ransomware attacks on healthcare organizations were up 50% in the third quarter of 2020, and since 2016 such attacks have cost the healthcare system around $157 million. Because HHS treats many ransomware attacks as presumptive breaches of protected health information under the Health Insurance Portability and Accountability Act (HIPAA), they carry a large potential for fines and for risk assessments that can be quite costly for organizations. In 2020 the HHS Office for Civil Rights imposed more penalties on HIPAA covered entities (which include health plans, clearinghouses, and certain health care providers) and business associates than in any other year since HHS was given authority to impose financial penalties for HIPAA violations. As ransomware and data privacy breaches become more commonplace, the Health Information Technology for Economic and Clinical Health Act (HITECH Act), 42 U.S.C. 17931 et seq., as amended by H.R. 7898 (signed into law in January 2021), attempts to incentivize organizations to adopt the NIST Cybersecurity Framework or other recognized security practices that might prevent ransomware attacks on healthcare systems.

The HITECH amendment allows organizations to mitigate fines for HIPAA violations by requiring that “recognized security practices” be considered by the Secretary of HHS in determining any HIPAA fines, audit results, or mitigation remedies. If an entity has adopted the NIST Cybersecurity Framework or the HITRUST CSF, for example, that will be taken into consideration when calculating fines related to security breaches. Adoption of security best practices will mitigate remedies that would otherwise be agreed between an entity and HHS to resolve potential violations of the HIPAA Security Rule.

The amendment allows covered entities and business associates some flexibility in applying “recognized security practices.” The term is broad: it refers not only to the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act and the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, but also to other programs and processes that address cybersecurity and that are recognized through regulations under other statutory authorities. Such practices are to be determined by the covered entity or business associate, consistent with the HIPAA Security Rule. Because the definition of “recognized security practices” is broad, it allows for scalability that takes into account the size, scope, and complexity of each organization. For many organizations this makes the NIST Cybersecurity Framework a good starting point for building a recognized set of security practices.

Given the protection the amendment provides, it makes sense for organizations that are not already implementing the NIST Cybersecurity Framework or another recognized framework to adopt or update their cybersecurity practices. The HITECH amendment allows organizations to use their cybersecurity practices as a mitigating factor against HIPAA fines. While the amendment mainly benefits institutions trying to reduce the financial ramifications of a data breach, the upside for patients is that better security practices might stop ransomware attacks before they jeopardize valuable personal health information.