Healthcare News & Insights

Healthcare employees at frontline in battle against ransomware

Healthcare providers, particularly senior executives, officers and directors, have a legal obligation to adopt procedures and policies that proactively address security threats such as ransomware and protect patient data at all costs. Failure to do so may give rise to legal and regulatory liability, loss of stock value, loss of revenue and damage to business reputation. In this guest post, Mike Overly, an information security lawyer at an international law firm, details one of the most effective, and most often overlooked, means of reducing the threat of ransomware: employee training and education.


As recent attacks have shown, no healthcare organization or provider is safe from ransomware threats, and the results of an attack can be devastating. By many reports, ransomware has already caused hundreds of millions of dollars in damages, with no end in sight. Nearly 50% of victims have paid to recover access to their data. Nearly 40% of those victims expect to be attacked again in the future. Given the ease with which ransomware can be propagated, the effectiveness of attacks, the untraceable ransom payments, and very low risk to the perpetrator of ever being brought to justice, we can expect a continuing rise in these types of attacks.

Employees at the frontline

In many recent attacks, the initial entry point into the target organization has been attributed to employees who have clicked on attachments or hyperlinks in email or on websites that provide the means of compromising their employer’s systems.

Even highly sophisticated personnel can be at risk. Consider a simple example: A hacker decides to target the cardiologists at a large hospital. The hacker trawls the hospital’s website for the names of its cardiologists. The hacker then searches the web for a nationally recognized cardiology researcher. Next, the hacker inserts a piece of ransomware into a PDF file with the title Draft Article. Finally, the hacker spoofs a message from the cardiology researcher to each of the hospital’s cardiologists asking for input on a draft article. It’s extremely likely that one or more cardiologists will click on that PDF within a few hours, allowing the ransomware to insinuate itself into the hospital’s systems.

Training is key

There’s no question that proper employee education and training could avoid many ransomware attacks. However, most training in this area amounts to little more than a handout provided to employees or a lunch-time presentation. The knowledge is quickly lost. To be effective, training and associated vigilance needs to be repeated periodically so that the information is truly internalized.

Below is a useful checklist to educate employees and encourage shared responsibility for information security. By keeping these measures in mind, employees can dramatically increase not only the security of their employer’s systems and data, but also that of their own personal computers and data. All too frequently, the security of one can impact the other.

This checklist is intended to supplement, not replace, a business’s formal security and information protection policies and procedures.

Websites, social media and public email

  • Don’t get hooked on someone’s phishing line. Don’t reply to or click on links in emails, pop-ups, or websites that ask for personal, financial or health information. Never click on links or open files in an email from someone you don’t know or weren’t expecting.
  • Always proceed with the understanding that no public email or messaging service (e.g., services provided by online services such as Google, Yahoo!, Microsoft, Skype and others) is secure and that all communications will be stored and, potentially, viewed by others.
  • Avoid sending highly sensitive information through unsecured email, texts or other communications (e.g., Gmail, Yahoo mail, text apps on smartphones, etc.).
  • Don’t forward internal email, documents or other information to a personal email address or download to personal devices for access outside of your employer’s systems. Your employer cannot protect the information once it’s been removed or shared outside the company.
  • When submitting personal or other sensitive information via a website, make sure you see the site’s address begin with https, as opposed to http. Think “s” stands for secure. Https uses encryption to send information across the Internet, thus, reducing the risk that the information will be improperly accessed.
  • Think before you submit. Once submitted to a website or transmitted through an online communication service, the information is public. You never know where the information will show up. There’s no such thing as deleting information from the Internet. The Internet is forever.
  • Exercise caution using services and devices that record your communications (e.g., Google Voice, Siri, Cortana, Skype, VOIP applications, mobile app-based texting, etc.).
  • Before posting pictures and videos online, remember they may contain GPS data showing where the picture was taken.
  • Be mindful of backup applications running on personal devices (e.g., DropBox, iCloud, Carbonite, etc.) making copies of sensitive company information and storing them online.
  • Think before you open. If you don’t know the sender, are unsure why the attachment was sent, or it looks suspicious, don’t open the attachment. Better to verify with the sender than infect your computer or network.
  • PDF files are a very popular way of distributing viruses. Before opening a PDF, be sure you know where it came from.
  • When installing apps on your smartphone be cautious of requests to access your calendar, contacts, texts, GPS and other data. In most instances, there’s no reason for these apps to have access to your data and, in almost all instances, whatever you choose to share will likely be analyzed and sold to others.

Only authorized software

  • Don’t download or install unauthorized or unapproved software or applications from the Internet.
  • In particular, never install encryption software, remote access, backup or other similar software without the express approval of your information security personnel.
  • Always be certain of the source of downloaded software (i.e., you’re actually getting the software from the true creator of the software). It’s common for hackers to create fake websites and even “hijack” visitors from official websites where applications can be downloaded. In some instances, the top search results on Google and other search engines point to disguised hacker websites where your personal information may be stolen and viruses propagated.
  • For your personal computers, make sure you have anti-virus and firewall software installed. There are many inexpensive complete security packages available for home systems. Also, always promptly install security and other updates to your personal computer and mobile device operating systems.

Be constantly vigilant

  • Be suspicious of calls from unrecognized numbers claiming to be security or other officials asking for confidential information, including account access credentials and passwords. Look up the person calling and call them back at their published number.
  • Never reveal personal or business account access credentials or passwords in email or telephonically. No valid security personnel will ever ask you to reveal that information using either of these methods.
  • Be wary of urgent requests to issue checks or take action to avoid some issue without confirming the source.
  • Monitor the physical security of laptops, smartphones and other mobile devices.
  • Avoid using public Internet Wi-Fi to access company systems without use of a secure virtual private network.
  • If something is suspicious, report it.

Mike Overly is an information security lawyer at Foley & Lardner LLP. He holds six cyber-related certifications.