Top 8 Healthcare Cybersecurity Scares (+ How to Handle Them)
Once the lights are shut off, the doors locked, the exam rooms empty, and the hum of day to day silenced, you may think your practice is quiet and...
6 min read
Robert McDermott Dec 14, 2023 12:30:00 PM
If you knew several of your neighbors were victims of theft, from homes or cars in your neighborhood, you’d likely take initiative to safeguard your property before you become the next target. When it comes to the security of your healthcare practice, the alarm bells are ringing. Security experts and agencies are warning the healthcare industry that their data, their patients, and their practices are at risk.
Perhaps more importantly, they’re also letting healthcare leaders, practice managers, and those in private practice know that there are ways to mitigate security risks and protect patients and their data. However, despite email breaches being a significant threat, email security is often overlooked when it comes to practice security protocols.
HIPAA regulations were designed to keep patients’ protected health information (PHI) safe and confidential. An argument can be made that HIPAA, which became law in August of 1996, was a direct response to the arrival and inevitable proliferation of electronic communications: it was critical to protect patients’ electronic PHI (ePHI) both when it is stored and when it is transmitted. Since then, a 2009 update set out the rules for breach notification, and the 2013 Omnibus Rule amended the original law to better define “business associates” for privacy purposes. Another update is expected in the near future.
However, for the time being, the rules regarding HIPAA compliance specific to email aren’t always immediately clear, so let’s quickly key in on the basics. The HIPAA regulations governing email and other electronic communications revolve around the assurance of both security and privacy when it comes to ePHI and electronic health records (EHR) sent via electronic mail.
Among the first requirements is that, to be compliant, messages containing PHI must be encrypted. More specifically, wherever PHI appears, whether in the body of the email or in an attachment, it must be encrypted both in transit and while stored. (Under the Security Rule, encryption is an “addressable” specification: a practice that does not encrypt must document an equivalent alternative, and for email there is rarely a defensible one.) This applies to emails shared within a healthcare organization as well as to replies in patient-initiated conversations.
The 2013 Omnibus Rule expanded the definition of a “business associate,” which is any organization or third party that creates, receives, maintains or transmits PHI with or on behalf of your practice. The Omnibus Rule requires that you have Business Associate Agreements (BAA) with each of these entities clearly specifying each party's responsibilities when it comes to PHI.
There are 5 Technical Safeguards required for HIPAA-Compliant email:
Because email is one of the most frequent ways hackers gain access to patient data or business-critical credentials, email security must be a top priority for every medical and dental practice.
An email breach is a serious security incident in which a single email, an email account, or an entire email system has been “impermissibly used or disclosed.” In other words: someone who shouldn’t have access to your email does, and they may be reading or exfiltrating your data. For healthcare providers, a breach of an email system or account can allow bad actors to access information without the account owner ever knowing. That information may include ePHI, EHRs, or credentials that grant access to other systems and applications.
In healthcare, the email security statistics are sobering. 80% of healthcare organizations reported a cyberattack or security incident in the last year, and 34% of reported data breaches involved unauthorized access to or disclosure of sensitive data.
Email breaches and attacks, including phishing, risk exposing data about your practice as well as the personal records and information of your employees, and they can compromise your practice’s overall digital security. 88% of healthcare workers open phishing emails, and phishing attempts against healthcare have increased 75% over the last few years, likely because they work so reliably for attackers.
Perhaps most important, 91% of all cyberattacks begin with an email, and the healthcare industry has seen a 279% spike in email-based attacks. In short, getting a handle on your email security and protocols is vital.
As many of us can attest, the first part of solving a problem is identifying not just the problem but its cause. When it comes to email security, that means understanding the risks and the vulnerabilities inherent in the most common email platforms. So, let’s take a closer look at the kinds of email breaches that put healthcare practices at risk.
Because many practices are struggling with staffing, security procedures, protocols, and policies often take a backseat to more pressing needs and concerns. However, they can’t. The risk is too significant. So what can you do to improve your email security?
While HIPAA security risks and compliance are likely at the forefront of your practice security concerns, mitigating email vulnerabilities and risks should be part of any comprehensive security plan. So, what concrete steps can you take to ensure your email security is as strict and stringent as any other security measures you’d take to protect your practice and patients?
1. Create, update, or enhance your security protocols and policies to include email security.
While email security is a vital component of practice and patient data security, it’s often overlooked. Whatever the reasons, hackers and bad actors know this and have increased their efforts to reach data and networks through email. In response, medical offices and dental practices, regardless of size, must take sufficient steps to close what could otherwise be an open window into the practice.
If you need help understanding your practice’s vulnerabilities or are looking for a secure HIPAA compliant email solution to further bolster your security posture, book a demo today. iCoreConnect specializes in understanding the unique challenges and needs of the healthcare industry and our team is ready to help you protect one of your most valuable assets: patient data.