Protecting Patient Privacy by Identifying Threats to Cybersecurity

eHealth Technologies blog: Michael A. Sciortino, Esq., Chief General Counsel and Chief Privacy Officer

A main focus for our security team at eHealth Technologies is cybersecurity. Malware and ransomware are among the biggest threats that face healthcare organizations across the country. Not only are we responsible for the security of our own corporate assets, but we are also responsible for protecting the patient data and health information that is integral to our work in retrieving and organizing medical records and images.

October is National Cybersecurity Awareness Month (“NCSAM”). The United States Department of Homeland Security started NCSAM in October 2004. Now in its 16th year, NCSAM has generated awareness that we embrace in protecting health information. About three years ago it was evident to our security team that almost all cyberattacks were originating from the Internet. Today, cybercriminals are looking to hack through edge defenses beyond the perimeter, with a shift in focus toward the end user. Identifying and protecting against the various types of cyberattacks is critical to protecting patient privacy.

As many healthcare organizations have experienced, phishing and spear-phishing campaigns are on the rise. Nearly every healthcare organization is a target as one medical record can contain at least 18 identifiers of a patient’s personally identifiable and protected health information.

An estimated 92 percent of successful malware and ransomware infections are caused by email phishing scams. Cybercriminals often use social media and professional networking sites as the starting point to gather information for a spear-phishing attack. Details of a victim’s employment, including the corporate hierarchy, are easily identifiable. In this type of scenario, the victim is targeted with an email that looks like it came from another employee, such as a supervisor. The content of the email may ask the victim to enter their login credentials into a fake site, or to review an attached file that is filled with malicious code.

By the time a victim realizes they have been phished, it is often too late. Network drives and local files have often already been encrypted by the cybercriminal, and a ransom note is then left seeking payment, typically in the form of bitcoin. Ensuring employees are well trained to spot suspicious emails and identify the traits of phishing emails is extremely valuable to protecting patient privacy.
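The traits the two paragraphs above describe (a message that appears to come from a supervisor, a request for login credentials, an attachment carrying code) can also be checked mechanically before a message reaches an inbox. The script below is an added example written for this page; it is not eHealth Technologies’ code, and the corporate domain, staff directory and sample messages are all constructed placeholders. It flags display-name impersonation, lookalike sender domains, Reply-To mismatches, credential-request wording and risky attachment types on a few constructed messages.

```python
"""Flag common spear-phishing traits on a small set of constructed messages."""
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed corporate domain and staff directory (constructed placeholders, not real data).
CORPORATE_DOMAIN = "example-health.test"
DIRECTORY = {
    "jane doe": "jane.doe@example-health.test",   # assumed supervisor
    "sam patel": "sam.patel@example-health.test",
}
CREDENTIAL_PHRASES = ("login", "password", "verify your account", "sign in")
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".iso")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot lookalike domains such as examp1e-health.test."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(msg: EmailMessage) -> list:
    """Return the phishing traits found in a message (empty list = none of these traits)."""
    findings = []
    display, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    name = display.strip().lower()

    # Trait 1: a known employee's name on an address that is not their corporate mailbox.
    if name in DIRECTORY and address != DIRECTORY[name]:
        findings.append(f"display-name impersonation: '{display}' sent from {address}")

    # Trait 2: sender domain within two edits of ours (lookalike domain).
    if domain and domain != CORPORATE_DOMAIN and edit_distance(domain, CORPORATE_DOMAIN) <= 2:
        findings.append(f"lookalike domain: {domain}")

    # Trait 3: Reply-To pointing somewhere other than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != address:
        findings.append(f"reply-to mismatch: {reply_to}")

    # Trait 4: body asks the reader for credentials.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    if any(phrase in body for phrase in CREDENTIAL_PHRASES):
        findings.append("body requests login credentials")

    # Trait 5: attachment with an executable or macro-enabled extension.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {fname}")
    return findings


def build(sender: str, subject: str, body: str, reply_to=None, attachment=None) -> EmailMessage:
    """Construct a sample message (test data, not a captured email)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "staff@example-health.test"
    msg["Subject"] = subject
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"constructed bytes", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg


# Constructed samples: one legitimate message and two with spear-phishing traits.
SAMPLES = {
    "legitimate": build("Jane Doe <jane.doe@example-health.test>", "Team meeting",
                        "Agenda is in the shared drive."),
    "supervisor_spoof": build("Jane Doe <jane.doe@gmail-mail.test>", "Urgent",
                              "Please sign in at the portal link below to confirm your password.",
                              reply_to="helpdesk@gmail-mail.test"),
    "lookalike": build("billing@examp1e-health.test", "Invoice",
                       "Open the attached invoice.", attachment="invoice.docm"),
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(label, "->", assess(sample) or ["no phishing traits found"])
```

A real mail gateway would feed `assess` parsed messages from the mail stream and route anything with findings to quarantine or a warning banner; the directory lookup is the piece that catches the “email from your supervisor” case, since the display name is trivially forged while the real mailbox is not.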

With the level of cyberattacks on the rise, our Privacy and Security Team at eHealth Technologies considers employee training mission critical. Through continuous training efforts, our employees are given tools to identify potential attacks and to report them immediately. While October is National Cybersecurity Awareness Month, we extend NCSAM through the other months of the year as well. We are all part of the same team, one that is constantly training to mitigate the risks of cyberattacks on our corporate assets. Together, we will protect patient privacy.