Covering COVID-19 is a daily Poynter briefing of story ideas about the coronavirus and other timely topics for journalists, written by senior faculty Al Tompkins. Sign up here to have it delivered to your inbox every weekday morning.

By now you are familiar with the multi-step process the Food and Drug Administration and Centers for Disease Control and Prevention go through to approve the emergency use of vaccines. On Friday, the Johnson & Johnson one-shot COVID-19 vaccine will come before the Vaccines and Related Biological Products Advisory Committee that makes recommendations on the safety and efficacy of vaccines.

FDA researchers who have poured through the drug company’s data say the vaccine is both safe and effective. Johnson & Johnson says it could have 20 million doses out the door by the end of March if the FDA gives approval this weekend, as expected.

While being really effective at preventing COVID-19 infections by vaccine standards, the Johnson & Johnson vaccine is less effective than the stratospherically high efficacy of the Pfizer and Moderna shots. There is some data in the report that shows the Johnson & Johnson vaccine might be less effective for people over age 60 with risk factors like diabetes and heart disease.

But the Johnson & Johnson vaccine also produces noticeably less severe side effects than the other vaccines that have been approved.

It is not clear how effective the Johnson & Johnson vaccine is in preventing vaccinated people from spreading the virus to others.

COVID-era senior home vacancies

The National Investment Center for Seniors Housing & Care just finished a nationwide survey of senior care facilities (not including nursing homes) and found occupancy fell around 7% in the final three quarters of 2020 and January. It fell more in some places and less so in others, but the trend is clear. Seniors stayed away from congregational living because of COVID-19. Once vaccines are more available, we will see if there is the pent-up demand that experts say there is.

Do you really need to ‘fake’ a commute?

This story from The Washington Post caught my eye. The piece suggests that instead of plopping your coffee and yourself in front of your computer, maybe you should take a bike trip or walk around your neighborhood as if you are riding to work (or, alternatively, meditate) before you sit down at your laptop at home.

As strange as it may sound, there is some logic to it. The Post explains:

Jon Jachimowicz, an assistant professor of business administration in the organizational behavior unit at Harvard Business School, says commuting provides “a temporal and spatial separation between all the different roles we play.” It’s a buffer that eases the transition from one identity to the next, a consistent dose of in-between time to reflect and reset.

Before the pandemic, the average commute was 38 minutes each way, Jachimowicz’s research indicates. Not only have employees lost that buffer, but they have also taken on more work: about 48 extra minutes per day. They are also dealing with more meetings and more communication that spills into off hours, according to findings published by the National Bureau of Economic Research in July.

When we don’t psychologically detach from work, we risk becoming exhausted and burned out, says Samantha Pieknik, a licensed clinical psychologist in Phoenix. “We’ve lost that time to sit with ourselves and shake everything off from the day,” she says. “We’re working at home and we’re sleeping at work, and it’s really confusing for our brains.”

I do get where Pieknik is going with this. Until recently, I rode a motorcycle to and from work and found that time inside my helmet while I was going home was my detachment time. Now, the detachment time is the time it takes me to walk from one room of the house to another, about eight steps.

My wife, who is a therapist, says we have turned our home-based offices into office-based homes. She didn’t mean that as a compliment.

Should states allow doctors from other states to practice?

Governing, a website that speaks mostly to issues facing state lawmakers, makes the case that states should allow out-of-state doctors to practice across state lines without much or any additional training or certification. Governing’s reasoning goes like this:

Due to factors including aging patient populations and doctor retirement rates, the U.S. is expected to see a shortage of between 54,100 and 139,000 physicians by 2033, according to a recent report from the American Association of Medical Colleges. Among the states predicted to be hardest hit by the shortfall are Louisiana, Mississippi and New Mexico.

To address the public-health problems the current shortage has caused during the pandemic, some states have temporarily allowed out-of-state doctors to practice within their borders with little to no additional training or certification. State policymakers now have a great opportunity to make the temporary permanent.

The Governing article makes the case that states like the system the way it is because it generates money from licensing and certification. But in a pandemic, it even limits telemedicine.

Until recently, doctors were unilaterally barred from practicing in states where they had not been licensed. They couldn’t even provide telemedicine support to patients beyond their state borders. These laws were defended on the grounds that they promote safety, but as with most professional licensing laws, the real motivation was, at least in part, money. Medical boards have used licensing regimes to rake in over $100 million annually in certification and testing fees from aspiring doctors.

When the COVID-19 crisis hit the U.S. health-care system last year, the limitations of state licensing quickly became apparent. Hospitals in regions with high COVID-19 case numbers were in desperate need of more physicians, and the temporary relaxation of cross-state licensing restrictions enabled hard-hit hospitals to staff up quickly to better cope with surges in COVID cases. As a result of this successful experiment born of crisis, even the AMA is now beginning to support the idea of universal licensing within the United States.

I have been working from home. Do I get to write that off on taxes?

Tax prep services say they are seeing a common theme in the first few weeks of the tax prep season. People keep asking if they can “write off” any of the costs associated with working from home. The answer is mostly, “no.”

USA Today explores the matter and finds:

People who receive a W-2 tax form from their employers (such as full-time employees) aren’t eligible for a home-office deduction, nor can they write off expenses that weren’t covered by their employers, tax experts say. The limitations are due to changes in the tax code made in 2017’s Tax Cuts and Jobs Act.

The tax overhaul suspended the business use of home deduction through 2025 for employees. It got rid of the deduction for unreimbursed employee expenses, which allowed remote workers to write off unreimbursed work costs that exceeded 2% of their adjusted gross income.

That may disappoint many workers who paid up for new desks, chairs and other supplies to create a functional home office. In that case, you might want to ask your employer to reimburse you or to provide a stipend to pay for the office supplies you need to do your work, tax experts say.

Self-employed workers — freelancers, consultants, gig workers and the like — can claim the home office deduction, (TurboTax expert Lisa) Greene-Lewis says. There are some limitations. First, the home office must be a dedicated space where you do your work and that isn’t used for another purpose. It must be your principal place of business.

That means if your home workspace is your kitchen table, you are not eligible for a deduction. If you can prove that you have dedicated space just for your office then you may be able to deduct the percentage of square footage from the indirect costs of your monthly electric bills or even the direct costs that are associated with your office space, such as repair bills.

While money is tight, be especially careful about taking a tax return advance

Those of you who get tax refunds will be getting them a little later this year — just when a lot of you need the dough. But MarketWatch warns you not to jump at those cash advances that tax prep services and others offer:

A refund advance from a tax preparer or a bank may seem especially tempting this year. But consumers should keep their eyes wide open, according to consumer advocates.

“These are really expensive products,” said Michael Best, a staff attorney at the National Consumer Law Center. Best, with others at the consumer advocacy organization, recently released a report on the fees and costs that lower-income taxpayers face during tax time, including potentially high-interest refund advance loans.

MarketWatch says these services come in different forms. One, called a refund anticipation loan or RAL, essentially covers the cost of your tax prep by deferring payment until the refund arrives. The other is called a refund anticipation check or RAC, in which you get the money now and the lender is paid when the refund arrives. But you can pay a high price for that very short-term loan. The Center for Responsible Lending offers some advice:

Watch out for RALs from non-bank financial firms, like payday lenders. RALs often carry extremely high interest rates and come with extra costs like electronic filing fees and fees to cash the loan check. You can end up spending more than 10% of your refund to get the money only a few days sooner.

Watch out for refund anticipation checks (RACs): A RAC is temporary bank account that a bank opens for you to direct deposit your tax refund from the IRS. Once the refund is deposited, the bank issues you a check or prepaid card and closes the account. RACs are not loans, and typically cost $30-35, but often come with add-on fees of hundreds of dollars more. And they don’t deliver refund any faster than the IRS can.

New data: Cybercrime skyrockets during work-at-home

When your office told you to work from home, everyone knew it would open some doors for cybercrime, and it has. But the amount of what came through the doors stunned even the experts. Crowdstrike, a cybersecurity company, says cyberintrusions grew 400% during 2019 and 2020. Some of the hacks came from individuals and some from “state-sponsored groups.” Both are apparently still at it, Crowdstrike says:

The findings suggest supply chain attacks, ransomware, data extortion and nation-state threats prove to be more prolific than ever. On the heels of unprecedented growth in eCrime, CrowdStrike has introduced a new eCrime index (ECX) in this year’s report.

The eCrime index will introduce you to threats you probably never heard of, like HammerPanda and OceanBuffalo and PinchySpider. These specific threats have targets called “Big Game Hunting,” or BGH’s, which include banks, which hackers target to dispense huge sums of cash from ATMs, just as an example.

Most of us are clueless about the relentless number of cybercrime attempts that ping your security constantly. Take a minute to go here and see what I mean.

(ThreatCloud from CheckPoint Security)

Cybersecurity and anti-virus provider Kaspersky also has a fascinating “real-time” threat map. There, you will learn about a phishing attack involving “malformed URLs” and something called the “Silver Sparrow” attack involving thousands of Mac computers.

ZDNet says the 2021 cybertrend is to steal then threaten to publish sensitive data unless the victim pays up. This technique was fairly rare at the beginning of 2020. Then it grew:

Over the course of the past year, many of the most successful ransomware gangs have added an additional technique in an effort to coerce victims into paying ransoms after compromising their networks – publishing stolen data if a payment isn’t received.

As 2020 started, only the Maze ransomware gang was using this tactic. But as it ended, an additional 17 ransomware crews had taken to publishing stolen data of victims if they didn’t receive payment.

However, according to cybersecurity company Emsisoft’s ‘State of Ransomware’ report, there are victims of ransomware attacks that are entirely capable of restoring their network from backups and have successfully done so – but are still paying a bitcoin ransom of hundreds of thousands or millions of dollars to cyber criminals in an effort to prevent cyber criminals from leaking stolen information.

“Like legitimate businesses, criminal enterprises adopt strategies that are proven to work, and data theft has indeed been proven to work. Some organizations that were able use backups to recover from attacks still paid the ransom simply to prevent their data being published,” said the report.

The CrowdStrike report says the pandemic has also invited new kinds of BGH attacks on health care providers:

With the emergence of the COVID-19 pandemic in 2020, the healthcare sector has further come under acute risk of cyber exploitation. The COVID-19 pandemic has initiated a wave of cyber activity from both eCrime and nation-state adversaries that are taking advantage of the uncertainty around the pandemic to launch spam campaigns, or—in the case of targeted intrusion adversaries—have new collection requirements on scientific information that could assist a national government in its COVID-19 response and vaccine development.

Other key findings from the 2021 Global Threat Report include:

The healthcare industry will continue to face significant threats from criminal groups as CrowdStrike Intelligence confirmed 18 Big Game Hunting enterprise ransomware families infected 104 healthcare organizations in 2020.

Adversaries from the Democratic People’s Republic of Korea (DPRK) will be motivated to enhance cyber operations in 2021 due to COVID-19 and a resulting food shortage.

China will focus on supply chain compromises and the targeting of key western verticals in support of the 14th Five Year Plan and the COVID-19 vaccine including academic, healthcare, technology, manufacturing and aerospace.

ZDnet reports that it is already unfolding. Government, health care and universities are the biggest targets right now. You can see it in the charts I linked to above and in the year-end data:

Ransomware attacks claimed thousands of victims during the past year, with hundreds of government agencies, healthcare facilities, schools and universities, as well as private companies, among those hit by cyber-criminal attempts at extortion.

According to the report, public sector organizations in the US were particularly badly hit by ransomware attacks with at least 2,354 government, healthcare and educational institutions impacted.

They included 1,681 schools, colleges and universities, 560 healthcare facilities and 113 federal, state and municipal governments and agencies. Meanwhile, over 1,300 private companies were also hit by ransomware attacks.

I recommend that journalists at least browse through the Crowdstrike study. You will pick up some lingo that at some point you will probably need to know. It will also give you some ammo to ask local hospitals, health care groups and governments about their cybersecurity plans. No doubt local and state governments will be asking for more money in the next budget to add protection and the people who say yes or no will have no idea what they are asking for or why.

A new word for you: Qshing

A QR code still sticks on a table in front of a closed bar in the city center of Essen, Germany, Monday, Nov. 2, 2020. (AP Photo/Martin Meissner)

QR codes are becoming increasingly important for touchless purchases, so you should learn the word that the cool people use for the abuse of QR — and that is “qshing.”

The virus alert company McAfee listed QR code abuse as a top-five threat for 2021.

Tools for journalists: Tracking your electrical grid and suppliers

Power lines in Houston on Feb. 16, 2021. (AP Photo/David J. Phillip)

The Society of Environmental Journalists turned to veteran journalist Joseph A. Davis to compile a handy guide on how to better understand America’s electrical grid. After the Texas energy supply debacle, you may be looking at both the supply hiccups and security concerns that threaten our electrical grid. SEJ reminds you, “The time to get to know your regional grid environment is before the disaster. With enough data, they may help you anticipate it.”

We’ll be back tomorrow with a new edition of Covering COVID-19. Sign up here to get it delivered right to your inbox.