On Friday, May 12, 2017, a damaging ransomware attack swept across more than one hundred countries and infected tens of thousands of computers. As is becoming all too common, the hackers transmitted the ransomware via a phishing e-mail; once the user clicked the bait, the hackers used a method thought to have been developed by the National Security Agency to lock businesses out of their systems. The ransomware impacted businesses both large and small, notably including sixteen of Great Britain’s hospitals, forcing them to turn patients away, as well as FedEx, the Russian Interior Ministry and a large Spanish telecommunications company. In the wake of the attack, affected businesses must focus on damage control and clean-up, but unaffected businesses should also react and take steps to protect themselves before they are on the receiving end of the next cyber incident. Accordingly, here are five things that all businesses can do.

1. Install All Patches and Upgrades to Systems When Issued. In the case of this ransomware attack, Microsoft released a patch weeks before the attack hit, which would have protected systems by not permitting the ransomware to take hold.

2. Back-Up All Vital Data on a Continuous Basis. This is of particular importance in ransomware attacks. Ransomware encrypts a victim’s data and will only provide a key for access upon the payment of ransom. The payment of a ransom, however, may be unnecessary when up-to-date backups are available.

3. Employee Training. Employees should be trained on a regular basis on how to identify phishing e-mails and how to avoid cyber attacks.

4. Purchase and/or Examine Cyber Security Insurance Policy for Compliance. If your business currently has a cyber security insurance policy, ensure that the policy adequately covers your needs and ensure that your business meets the security requirements attested to in such policy.

5. Perform a Risk Assessment and Develop a Response Plan. Assessing current systems will help to identify vulnerabilities that can be addressed proactively. For health care providers, HIPAA requires that covered entities perform a “risk analysis” to identify risks and security vulnerabilities and implement security measures that are sufficient to reduce such risks and vulnerabilities. Lack of an up-to-date risk analysis recently resulted in a fine of $400,000 against a health care provider (see April 25, 2017 article). Further, the assessment or analysis will assist with the development and implementation of a Security Incident Response Plan that is designed to ensure expedient and appropriate responses to cyber-attacks and to mitigate damage whenever possible.


Dan Kagan is an Associate in the Health Care, Long Term Care and Privacy and Cybersecurity Groups. He represents hospitals, physicians, nursing homes, assisted living communities, CCRCs and other health care clients with a wide range of regulatory, compliance, risk management, transactional and reimbursement issues.

With regard to Privacy and Cybersecurity, Dan has experience drafting privacy policies and notices, website terms of use, written information security plans and incident response plans. Dan counsels clients on compliance issues related to state, federal and international privacy laws including the General Data Protection Regulation (GDPR). Dan also has experience representing both health care and non-health care clients that have suffered data breaches and assists such clients with breach response and applicable reporting obligations. Dan writes extensively on privacy and cybersecurity issues and is a co-editor of Murtha’s Privacy and Cybersecurity Perspectives blog.

As a member of the Health Care and Long Term Care groups, Dan has experience representing clients with HIPAA compliance, Stark and anti-kickback analyses, purchase and sale transactions, reviewing and drafting contracts, certificate of need requirements, rate appeals, Medicare and Medicaid audits, medical staff and credentialing matters, licensing and change of ownership proceedings.

Prior to joining Murtha Cullina, Dan clerked for the Honorable Lubbie Harper, Jr. and the Honorable Joseph H. Pellegrino of the Connecticut Appellate Court.

Dan received his J.D. with honors from the University of Connecticut School of Law where he was a Notes and Comments Editor for the Connecticut Insurance Law Journal. He earned his Bachelor of Arts in Economics from McGill University.