October 19, 2021

Volume XI, Number 292


October 18, 2021


Are You Effectively Training Employees in Battle Against Ransomware?

No health care organization or provider is safe from ransomware threats, and a slew of recent noteworthy attacks have driven the point home. The results of an attack can be devastating to the organization, and hundreds of millions of dollars in damages have already been reported.

Health care providers, particularly senior executives, officers, and directors, have a legal obligation to adopt procedures and policies to proactively address these information security threats and protect patient data at all costs. Failure to do so may give rise to legal and regulatory liability, loss of stock value, loss of revenue, and damage to business reputation. And yet, one of the most effective means of reducing the threat of ransomware is often overlooked: employee training and education.

Employees at the Frontline

By simply clicking on infected attachments or hyperlinks in e-mail, employees could be compromising their employer’s systems.

Many ransomware attacks could be avoided through proper employee education and training. However, most training in this area amounts to little more than a handout provided to employees or, at best, a lunch-time presentation, and the knowledge is quickly lost. To be effective, training and the associated vigilance need to be repeated periodically so that the information is truly internalized.

Below is a useful checklist to educate employees and encourage shared responsibility for information security. By keeping these measures in mind, employees can dramatically increase not only the security of their employer’s systems and data, but also that of their own personal computers and data. All too frequently, the security of one can impact the other.

This checklist is intended to supplement, not replace, a business’ formal security and information protection policies and procedures.

Web Sites, Social Media, and Public E-mail

Don’t get hooked on someone’s phishing line. Do not reply to or click on links in emails, pop-ups, or websites that ask for personal, financial, or health information. Never click on links or open files in an e-mail from someone you do not know or weren’t expecting.

Always proceed with the understanding that no public e-mail or messaging service (e.g., services provided by online services such as Google, Yahoo!, Microsoft, Skype, and others) is secure and that all communications will be stored and, potentially, viewed by others.

  • Avoid sending highly sensitive information through unsecured e-mail, texts, or other communications (e.g., Gmail, Yahoo mail, text apps on smartphones, etc.).

  • Do not forward internal email, documents, or other information to a personal email address, or download them to personal devices for access outside of your employer’s systems. Your employer cannot protect the information once it has been removed from or shared outside of its systems.

  • Do not send emails to an email address you do not recognize. Your employer will not ask you to send confidential or sensitive information to an unknown email. If you are unsure, then pick up the phone and verify with the sender before hitting send.

  • When submitting personal or other sensitive information via a website, make sure you see the site’s address begin with https, as opposed to http. Think “s” stands for secure. Https uses encryption to send information across the Internet, thus reducing the risk that the information will be improperly accessed.

  • Think before you submit. Once submitted to a web site or transmitted through an online communication service, the information is public. You never know where the information will show up. There is no such thing as deleting information from the internet. The internet is forever.

  • Exercise caution using services and devices that record your communications (e.g., Google Voice, Siri, Cortana, Skype, VOIP applications, mobile app-based texting, etc.).

  • Before posting pictures and videos online, remember they may contain GPS data showing where the picture was taken.

  • Be mindful of backup applications running on personal devices (e.g., DropBox, iCloud, Carbonite, etc.) making copies of sensitive company information and storing them online.

  • Think before you open. If you don’t know the sender, are unsure why the attachment was sent, or it looks suspicious, don’t open the attachment. Better to verify with the sender than to infect your computer or, worse, the network.

  • PDF files are a very popular way of distributing viruses. Before opening a PDF, be sure you know where it came from.

  • When installing apps on your smartphone be cautious of requests to access your calendar, contacts, texts, GPS, and other data. In many, if not most, instances, there is no reason for these apps to have access to your data and, in almost all instances, whatever you choose to share will likely be analyzed and sold to others. 

Only Authorized Software

  • Do not download or install unauthorized or unapproved software or applications from the Internet.

  • In particular, never install encryption software, remote access, backup, or other similar software without the express approval of your information security personnel.

  • Always be certain of the source of downloaded software (i.e., you are actually getting the software from the true creator of the software). It is common for hackers to create fake web sites and even “hijack” visitors from official web sites where applications can be downloaded. In some instances, the top search results for a piece of software on Google and other search engines point to disguised hacker web sites where your personal information may be stolen and viruses propagated.

  • For your personal computers, make sure you have anti-virus and firewall software installed. There are many inexpensive complete security packages available for home systems. Also, always promptly install security and other updates to your personal computer and mobile device operating systems.

Be Constantly Vigilant

  • Be suspicious of calls from unrecognized numbers claiming to be security or other officials asking for confidential information, including account access credentials and passwords. Look up the person calling and call them back at their published number.

  • Never reveal personal or business account access credentials or passwords in e-mail or over the telephone. No valid security personnel will ever ask you to reveal that information using either of these methods.

  • Be wary of urgent requests to issue checks or to take action to avoid some issue without confirming the source.

  • Monitor the physical security of laptops, smartphones, and other mobile devices.

  • Avoid using public Wi-Fi to access company systems without using a secure virtual private network.

  • If something is suspicious, report it.

© 2021 Foley & Lardner LLP. National Law Review, Volume VI, Number 159

About this Author

Chanley Howell, Intellectual Property Attorney, Foley Law Firm

Chanley T. Howell is a partner and intellectual property lawyer with Foley & Lardner LLP, where his practice focuses on a broad range of technology law matters. He is a member of the firm's Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices and the Sports and Health Care Industry Teams.

Mr. Howell represents companies in a variety of technology law areas, such as:

  • Data Privacy and Security Compliance – Counsel and advise clients with respect to compliance...

Michael R. Overly, Intellectual Property Attorney, Foley Lardner Law Firm

Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law. Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security &...

Eileen R. Ridley, Foley Lardner, Arbitration Lawyer, High Tech Litigation Attorney

Eileen R. Ridley is a partner and litigation lawyer with Foley & Lardner LLP. Ms. Ridley has extensive experience in litigating, arbitrating and trying complex commercial matters for a variety of industries including the high-tech, oil and gas, telecommunications, construction, insurance and health care industries. She is the firm’s Chief Diversity Partner, a role in which she is a catalyst for and leader in carrying out the firm’s commitment to diversity. Ms. Ridley serves on the firm's national Management Committee and is vice chair of the Litigation Department....

Aaron K. Tantleff, Foley Lardner, E-Commerce Lawyer, IP Attorney, Patents

Aaron K. Tantleff is a partner and intellectual property lawyer with Foley & Lardner LLP. His practice focuses upon providing legal and strategic guidance regarding information technology, outsourcing, licensing, consulting, professional services, e-commerce, manufacturing, supply, and distribution agreements, as well as product acquisitions, strategic alliances, mergers and acquisitions, and private equity investments where technology and intellectual property are of significant importance and value. Mr. Tantleff is a member of the firm’s Technology...