View as a webpage / Share

Volume 21 — Issue 37 | September 16, 2021

Upcoming COVID-19 vaccination and testing requirements for EMS agencies

On September 9, the White House issued its Path Out of the Pandemic COVID-19 Action Plan. On the same day, the Centers for Medicare & Medicaid Services (CMS), in collaboration with the Centers for Disease Control and Prevention (CDC), also announced changes to emergency regulations impacting vaccination requirements.

Several provisions in these new legislative changes will impact emergency medical services (EMS) and ambulance agencies.

CMS’ requirements for vaccinations for nursing home workers will be expanded to include hospitals, dialysis facilities, ambulatory surgical settings, and home health agencies, among others, as a condition for participating in the Medicare and Medicaid programs. The decision was based on the continued and growing spread of the virus in health care settings, especially in parts of the U.S. with higher incidence of COVID-19. CMS is developing an Interim Final Rule with Comment Period that will be issued in October. These changes will essentially require EMS agencies that participate in federal health care programs like Medicare and Medicaid to mandate vaccination for all staff, with limited exceptions.

In addition, the Department of Labor’s Occupational Safety and Health Administration (OSHA) is developing a rule that will require all employers with 100 or more employees to “ensure their workforce is fully vaccinated or require any workers who remain unvaccinated to produce a negative test result on at least a weekly basis before coming to work.” OSHA will likely issue an Emergency Temporary Standard (ETS) soon to implement this requirement. If your agency has 100 or more employees, then you can expect a vaccine and testing mandate for your employees whenever the new OSHA ETS is published and then becomes effective.

Although these new vaccine and testing mandates have just been announced and are not yet implemented, EMS agencies should prepare now for changes likely to be implemented in the coming months from OSHA and CMS.

(Source: JEMS)

Highlights

Upcoming COVID-19 vaccination and testing requirements for EMS agencies

Lessons learned from 9/11 and responders’ evolving roles in today’s threat environment

FEMA updates National Risk Index

Webinar: CISA Cybersecurity Advisor discusses the cyber threat landscape and resources from CISA

Cyber Threats

The U.S. Fire Administration operates the Emergency Management and Response – Information Sharing and Analysis Center (EMR-ISAC).

For information regarding the EMR-ISAC visit www.usfa.dhs.gov/emr-isac or contact the EMR-ISAC office at: (301) 447-1325 and/or fema-emr-isac@fema.dhs.gov.

Lessons learned from 9/11 and responders’ evolving roles in today’s threat environment

A lot has changed for the emergency services because of lessons learned from the terrorist attacks that occurred 20 years ago on September 11, 2001.

Major improvements in building and fire codes resulted from the National Institute of Standards and Technology (NIST) recommendations from its investigations into the causes of the World Trade Center building collapses.

Many advances have been made since 9/11 in critical communications capability for responders. Limitations in emergency communications interoperability quickly surfaced in the massive response to the World Trade Center attack. Without these communications limitations, countless lives could have been saved. To prevent this tragic and preventable loss of life from ever happening again, a National Emergency Communications Plan (NECP) was set in motion and led to the development of a Nationwide Public Safety Broadband Network (NPSBN). From the NECP, the FirstNet Authority and the FirstNet public safety network were eventually born, along with many other initiatives to improve communications interoperability and priority telecommunications services for responders.

The National Commission on Terrorist Attacks Upon the United States, also called the 9/11 Commission, released its renowned report in 2004, calling for increased interagency collaboration across the entire nation and at all levels of government. For response agencies, one way the 9/11 Commission’s recommendations were implemented was through an increased focus on interagency exercises and partnerships. Emergency response organizations need to be prepared for a multitude of scenarios, including those where luring, secondary attacks, and cascading effects necessitate a complex response. The goal was, and still is, to achieve unity of effort across multiple collaborating agencies, using a common Incident Command System (ICS) structure under the National Incident Management System (NIMS).

The 9/11 Commission Report also called for better interagency collaboration in the realm of intelligence sharing to more effectively thwart terrorist attacks. Changes in legislation since 9/11 have enabled law enforcement and the Federal Bureau of Investigation (FBI) to share more intelligence information through state and regional fusion centers and the FBI’s Joint Terrorism Task Forces (JTTFs).

The terrorist threat environment has changed significantly since 9/11. While the attacks of September 11, 2001 were complex, well-planned, large-scale attacks carried out by a foreign terrorist organization (FTO) within our own borders, in today’s threat environment, terrorist tactics, techniques and procedures (TTPs) are increasingly carried out by domestic violent extremists (DVEs) or “lone wolf” terrorists in local communities all across the country. These are much smaller attacks than 9/11 was. They are often committed with less planning and simpler tactics on soft targets using easily obtained weapons. To combat today’s domestic terrorist threats, counterterrorism efforts are increasingly focused at the local level.

Today, local emergency response agencies have a significant role in homeland security and counterterrorism efforts. There are many ways to stay informed and involved:

• The Joint Counterterrorism Assessment Team’s (JCAT’s) Intelligence Guide for First Responders and Counterterrorism Guide for Public Safety Personnel are a great starting point for general awareness.
• You can join various information-sharing networks in order to access “sensitive but unclassified” information for real-time situational awareness and to stay informed about domestic and foreign terrorist groups.
• You can recognize and report suspicious activity through information-sharing mechanisms aligned with the Nationwide Suspicious Activity Reporting (SAR) Initiative.
• If you are interested in working directly with your state or regional fusion center, you can receive training as a Terrorism Liaison Officer (TLO), also sometimes referred to as a Fusion Liaison Officer (FLO) or an Intelligence Liaison Officer (ILO).

(Sources: Various)

FEMA updates National Risk Index

Last month, the Federal Emergency Management Agency (FEMA) announced a major update to its National Risk Index. The National Risk Index is a resource that visually identifies traits within communities most at risk from natural hazards. The tool was originally released in November 2020 at a limited capacity but is now fully updated with significant new features.

The National Risk Index is available for use by state, local, tribal and territorial partners. By providing standardized risk data and an overview of multiple risk factors, the tool can help communities, especially those with limited flood mapping and risk assessment capabilities, prepare for natural hazards. The application analyzes risk factors from 18 natural hazards, expected annual losses, social vulnerability and community resilience and supports informed risk reduction decisions for mitigation planning and emergency management. 

The Index can assist communities in:

• Updating emergency operations plans.
• Enhancing hazard mitigation plans.
• Prioritizing and allocating resources.
• Identifying the need for more refined risk assessments.
• Encouraging community-level risk communication and engagement.
• Educating homeowners and renters.
• Supporting the development and adoption of enhanced codes and standards.
• Informing long-term community recovery.

The updated National Risk Index includes the ability to generate more customized analyses and reports, including community risk profiles and risk comparison reports for any county or census tract. Users can now share reports via unique links, save them as printable PDFs or extract the underlying data in spatial or tabular formats. The Index based its ratings on data from the best available resources from 2014 through 2019. Routine updates are expected to keep ratings current.

The National Risk Index is free and easy to use by anyone interested in planning for mitigation or learning about their community’s natural hazard risks. Visit FEMA's National Risk Index webpage for more information.

(Source: FEMA)

Webinar: CISA Cybersecurity Advisor discusses the cyber threat landscape and resources from CISA

A Cybersecurity Advisor (CSA) from the Cybersecurity and Infrastructure Security Agency (CISA) will be hosting a webinar discussing the cyber threat landscape, the mechanics of cyberattacks and ransomware, and best practices and protective measures. The webinar presentation will also highlight several no-cost cybersecurity resources provided by CISA.

The Department of Homeland Security’s (DHS) Cybersecurity Advisors offer assistance to help prepare and protect private sector entities and State, Local, Tribal and Territorial (SLTT) governments from cybersecurity threats. CSAs promote cybersecurity preparedness, risk mitigation, and incident response capabilities, working to engage stakeholders through partnership and direct assistance activities.

CSAs are distributed personnel assigned to 10 regions throughout the U.S., which are aligned to the Federal Emergency Management Agency (FEMA) regions. CSAs engage organizations in order to cultivate partnerships, deliver cybersecurity services, and create channels of communication to DHS cyber programs and Department leadership.

This webinar will be held on Thursday, Sept. 30 from 1:00 to 2:00 p.m. EST. It is open to a national audience. Registration is required.

(Source: CISA)

Cyber Information and Incident Assistance Links

MS-ISAC
SOC@cisecurity.org
1-866-787-4722

IdentityTheft.gov

IC3

Cybercrime Support Network

General Information
Links

FTC scam list

CISA alerts

Law Enforcement Cyber Center

TLP Information

Ransomware Risk Management: Draft NISTIR 8374 available for comment

The National Cybersecurity Center of Excellence (NCCoE) has released a revised draft report, NIST Interagency or Internal Report (NISTIR) 8374, Cybersecurity Framework Profile for Ransomware Risk Management, for public comment. This revised draft addresses the public comments provided for the preliminary draft released in June 2021.

The public comment period is open through October 8, 2021. See the publication details for a copy of the draft and instructions for submitting comments. You can also contact us at ransomware@nist.gov.

(Source: NIST)

MS-ISAC: End-of-Support Software Report - September 2021

The importance of replacing software before its End-of-Support (EOS) is critical. EOS occurs when software updates, patches, and other forms of support are no longer offered, resulting in software becoming prone to future security vulnerabilities. The Multi-State Information Sharing and Analysis Center (MS-ISAC) compiles a monthly report for EOS software with dates in the next 12 months. Download the list of EOS software dates that MS-ISAC is currently aware of: EOS Report - September 2021.

(Source: MS-ISAC)

Hackers could increase medication doses through infusion pump flaws

From pacemakers and insulin pumps to mammography machines, ultrasounds, and monitors, a dizzying array of medical devices have been found to contain worrying security vulnerabilities. The latest addition to that ignoble lineup is a popular infusion pump and dock.

Infusion pumps automate delivery of medications and nutrients into patients' bodies, typically from a bag of intravenous fluids. They are particularly useful for administering very small or otherwise nuanced doses of medication without errors, but that means the stakes are high when problems do arise. As a result, products are extremely locked down at the software level; it's supposed to be impossible to send the devices commands directly. But researchers from the security firm McAfee Enterprise ultimately found ways to get around this barrier.

(Source: Wired)

Microsoft rolls out passwordless login for all Microsoft accounts

Microsoft is rolling out passwordless login support over the coming weeks, allowing customers to sign in to Microsoft accounts without using a password. Instead, they can choose between the Microsoft Authenticator app, Windows Hello, a security key, or phone/email verification codes to log into Microsoft Edge or Microsoft 365 apps and services.

The company first allowed commercial customers to rollout passwordless authentication in their environments in March after a breakthrough year in 2020 when Microsoft reported that over 150 million users were logging into their Azure Active Directory and Microsoft accounts without using a password.

(Source: Bleeping Computer)

The InfoGram is distributed weekly to provide members of the Emergency Services Sector with information concerning the protection of their critical infrastructures.

Fair Use Notice:
This InfoGram may contain copyrighted material that was not specifically authorized by the copyright owner. The EMR-ISAC believes this constitutes “fair use” of copyrighted material as provided for in section 107 of the U.S. Copyright Law. If you wish to use copyrighted material contained within this document for your own purposes that go beyond “fair use,” you must obtain permission from the copyright owner.

Disclaimer of Endorsement:
The appearance of external hyperlinks does not constitute endorsement of the linked websites or the information, products or services contained therein. Reference to any specific commercial products, process or service by trade name, trademark, manufacturer or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the EMR-ISAC or the U.S. government.

Section 504 Notice:
Section 504 of the Rehabilitation Act requires that FEMA grantees provide access to information for people with disabilities. If you need assistance accessing information or have any concerns about access, please contact FEMAWebTeam@fema.dhs.gov.