Scott Watnik, a member of the litigation department and co-chair of the Cybersecurity practice at Wilk Auslander LLP in New York City, New York, discusses the cybersecurity needs companies will have as they begin to reopen after pandemic closures...
Just three months ago, IT departments at companies across the world were focused on configuring networks and installing equipment and software to make telecommuting as efficient and as safe (from a cybersecurity perspective) as possible. Now, as we enter the first phases of “return to work,” the focus must shift in the opposite direction: bringing systems back onto the on-site network and mitigating cybersecurity risks not at home, but in the office.
Perhaps nowhere is this more important than in the health-care sector. The pandemic has made hospitals particularly vulnerable to cyber-attacks, perhaps more so than any other organizations. This is unsurprising, given the massive influx of patients and the fact that hospital staff, now more than ever, are focused on saving lives, not IT. Hospitals, of course, store a cache of financial and other personal records that represent a treasure trove to cybercriminals. Indeed, electronic health records can be a cash cow for hackers, not just because they contain payment information, but because with these records in hand, cybercriminals can file fraudulent health insurance claims and obtain prescription medications that they can sell on the black market. Interpol has warned of a “significant increase” in cyberattacks targeting hospitals around the world and has issued a “purple notice” alerting police in 194 countries to a heightened ransomware threat. The US Department of Homeland Security has issued similar warnings. It has recently been reported that more than 80% of medical practices have been the victims of cyberattacks; of those, over half reported patient safety concerns arising from the attacks, and 20% had their business interrupted for more than five hours as a result.
In addition to the health care sector, cybercriminals have also set their sights on government agencies involved in efforts to abate the pandemic. For instance, this past March, the U.S. Department of Health and Human Services suffered a cyber-attack on its computer systems. Companies conducting research towards curing COVID-19 have also been hit hard. The US Department of Justice has just announced the indictment of suspected hackers in a campaign that began more than ten years ago and recently evolved to target companies researching COVID-19. According to the Department of Justice in a press release on July 21:
Targeted industries included, among others, high tech manufacturing; medical device, civil, and industrial engineering; business, educational, and gaming software; solar energy; pharmaceuticals; defense. In at least one instance, the hackers sought to extort cryptocurrency from a victim entity, by threatening to release the victim’s stolen source code on the Internet. More recently, the defendants probed for vulnerabilities in computer networks of companies developing COVID-19 vaccines, testing technology, and treatments.
There is no question that the pandemic has ushered in the most dangerous cybersecurity landscape the world has ever known. Every organization should be cybersecurity conscious and implement measures to reduce its vulnerability to cyber-attack, especially now as the workforce gradually transitions from “remote” back to brick-and-mortar. Discussed below are some simple, cost-efficient cybersecurity practices that every organization should consider implementing immediately as we enter this transition phase.
Employee Training and Awareness
Employee training in cybersecurity awareness, including the basics of how to recognize a phishing attempt, should be implemented on an emergency basis. All employees in the organization should be given a short period to complete such training, which can be conducted online in an efficient and cost-effective manner. Such training need not encompass advanced IT know-how; rather, it should cover the “basics” of cyber-risk. For instance, there is simply no excuse, in today’s world, for an employee not knowing what a phishing scam looks like, or failing to be vigilant when encountering clickbait or opening emails, attachments or links received from unknown senders. The training should also tell employees where to report a suspected phishing message, since a prompt report is what gives IT the chance to contain it.
Software Updates and Patches
All applicable software patches and updates should be installed immediately on any device used to access the organization’s networks, including devices that were used from home during the lockdown and are now being brought back on site. This includes the operating system and browsers as well as anti-virus and anti-malware software and their signature databases. IT personnel should remind staff to turn on automatic updates and should audit devices to confirm this has been done and that the updates have actually been applied, rather than relying on the setting alone.
USBs and other Storage Devices
While working remotely, many employees undoubtedly relied extensively on USB drives and other removable personal storage devices. As is well documented, these devices are a common route for malware to enter a network and for data to leave it. Therefore, a directive should be issued immediately instructing employees to refrain from using these devices on company computers upon returning to work. Because a directive alone depends on compliance, IT personnel should back it with technical enforcement where feasible, such as endpoint controls that block removable storage, and should scan any files employees need to bring back from personal media before they are copied to company systems.
Multi-Factor Authentication
A layer of security beyond “username” and “password” should be implemented. Multi-factor authentication requires two or more independent authentication factors (something the user knows, such as a password; something the user has, such as a phone or hardware token; or something the user is, such as a fingerprint), so that a stolen or phished password alone is not enough to gain access. Not all second factors are equal: codes sent by SMS can be intercepted or redirected, so authenticator apps or hardware security keys are preferable where available. There is no excuse for not implementing multi-factor authentication for access to strictly confidential information, such as patient medical records.
Anticipated Cybersecurity Legal Challenges During the “Return to Work” Transition
Immediately upon the “return to work” transition, companies across the United States will almost certainly have to grapple with what measures to put in place to mitigate the spread of COVID-19 in the workplace. To that end, most companies are considering new workplace requirements such as temperature checks, employee logs and records, and daily employee health questionnaires. It cannot be stressed enough, however, that such measures inevitably involve data collection and processing and thus fall within the purview of data privacy laws, not to mention health privacy laws such as the Standards for Privacy of Individually Identifiable Health Information (the “HIPAA Privacy Rule”). Moreover, because the data an employer collects in this way generally constitutes protected personal information as defined across a broad spectrum of cybersecurity and data-breach legislation, these measures expose companies to significant legal liability in the event of a cyber-attack that compromises such data. From a security standpoint, this data should be treated like any other sensitive record: collect only what the chosen measure requires, restrict who can access it, and set a retention period after which it is deleted.
The California Consumer Privacy Act (“CCPA”) is the most prominent consumer privacy statute in the US to date. Any health-related information an organization collects on its employees is considered “personal information” subject to the strictures of the CCPA. The CCPA requires employers to provide their employees with a privacy notice, at or before the time they take temperatures, distribute health-related questionnaires or gather any other health-related information, containing the following:
- The business or commercial purpose of collecting the information;
- The categories and sources of the information being collected; and
- The identification of any third parties with whom the business shares the information being collected.
Moreover, under the CCPA, employers who check employees’ temperatures or collect other health-related data should determine whether they intend to use the data for a purpose unrelated to the employees’ job functions. Doing so can be considered a “sale” of the data under the CCPA and render the employer subject to other requirements under the statute, including providing employees with the right to access or delete the data and to opt out of its sale. A business may be subject to the CCPA even if it is not located in California. Before collecting health-related data on their employees, businesses should at a minimum consult with counsel to determine whether they are covered by the CCPA.
Given the above, as we embark on the back-to-work transition, businesses should avoid the temptation to reflexively adopt temperature checks, health-related questionnaires and similar measures, even if that means some additional delay in re-opening. Instead, they should consult legal counsel, in conjunction with IT personnel, in crafting safeguards that are compliant and as risk-averse as possible from a data privacy and cybersecurity perspective. Although doing so may take more time in the short run, it may mean the difference between a smooth “return to work” transition and stepping on a data privacy and cybersecurity landmine.
Scott Watnik is a member of the litigation department at Wilk Auslander LLP in New York City and serves as co-chair of the Firm’s Cybersecurity practice. He has represented clients in numerous securities, shareholder, antitrust, breach of contract, employment, and civil RICO litigations in federal and state courts across the country. Scott has also represented individuals in connection with high-stakes trusts and estates and intellectual property disputes. Scott’s client base is diverse, spanning the fields of manufacturing, retail, investing, and insurance. Scott can be contacted by email at firstname.lastname@example.org or by phone at +1 646-375-7658.
Suggested citation: Scott Watnik, Returning to Work During a Global Pandemic: Cyber Risks After Lockdown, JURIST -Professional Commentary, July 31, 2020, https://www.jurist.org/commentary/2020/07/scott-watnik-cybersecurity-pandemic-reopening/.
This article was prepared for publication by Tim Zubizarreta, JURIST’s Managing Editor. Please direct any questions or comments to him at email@example.com
Opinions expressed in JURIST Commentary are the sole responsibility of the author and do not necessarily reflect the views of JURIST's editors, staff, donors or the University of Pittsburgh.