
      Is a Potential Email Breach Among Your Biggest HIPAA Vulnerabilities?

If you knew several of your neighbors were victims of theft, from homes or cars in your neighborhood, you’d likely take initiative to safeguard your property before you become the next target. When it comes to the security of your healthcare practice, the alarm bells are ringing. Security experts and agencies are warning the healthcare industry that their data, their patients, and their practices are at risk.

      Perhaps more importantly, they’re also letting healthcare leaders, practice managers, and those in private practice know that there are ways to mitigate security risks and protect patients and their data. However, despite email breaches being a significant threat, email security is often overlooked when it comes to practice security protocols.


      HIPAA Compliance and Email

      HIPAA regulations were designed to keep patients’ protected health information (PHI) safe and confidential. An argument can be made that, in August of 1996, when HIPAA became law, it was in direct response to the arrival and inevitable proliferation of electronic communications. It was critical to protect patients’ electronic PHI (ePHI) when being stored and transmitted. From there, we’ve seen updates in 2009 which outlined the rules regarding breach notification and the 2013 Omnibus Rule which amended the original law to better define “business associates” for the purposes of privacy. Another update is expected in the near future.

      However, for the time being, the rules regarding HIPAA compliance specific to email aren’t always immediately clear, so let’s quickly key in on the basics. The HIPAA regulations governing email and other electronic communications revolve around the assurance of both security and privacy when it comes to ePHI and electronic health records (EHR) sent via electronic mail.

Among the first requirements is that, to be compliant, messages must be encrypted. More specifically, whether in the body of the email or included in attachments, anywhere there is PHI there must be encryption. This includes patient-initiated emails and emails shared within a healthcare organization.

      The 2013 Omnibus Rule expanded the definition of a “business associate,” which is any organization or third party that creates, receives, maintains or transmits PHI with or on behalf of your practice. The Omnibus Rule requires that you have Business Associate Agreements (BAA) with each of these entities clearly specifying each party's responsibilities when it comes to PHI.

      There are 5 Technical Safeguards required for HIPAA-Compliant email:

      1. Access Controls. Access to PHI must be restricted to authorized individuals only.
2. Audit Controls. Email history and transmissions must be monitored and an audit trail maintained.
      3. Integrity Controls. Practices must employ policies and procedures to ensure ePHI is not improperly destroyed or altered.
      4. Authentication. Security measures must verify an individual’s identity prior to granting them access to electronic protected health information.
      5. Transmission Security. As noted above, transmitted PHI must be encrypted.
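The audit, integrity, and transmission-security safeguards above are usually satisfied by a secure email gateway or platform rather than by hand-written code, but a small worked example makes it concrete what "an audit trail" and "integrity control" actually have to provide: a record of each transmission that cannot be edited or trimmed after the fact, a way to prove an attachment has not been altered since it was sent, and a flag showing whether the message went out encrypted. The following Python is an added illustration written for this article; it is not iCoreConnect code, and the key, addresses, and attachment contents are all constructed placeholders.

```python
"""Tamper-evident audit trail for outbound email that carries ePHI.

Added example (not part of this article's product or any HIPAA text).
It records each transmission in an HMAC-chained log so that editing or
deleting an entry later is detectable (audit control), keeps a digest of
the attachment so its contents can be re-checked (integrity control), and
records whether the message was sent encrypted (transmission security).
All names, keys, and message bodies below are constructed for the demo.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical secret held only by the audit system, never by mail users.
# A real deployment would keep this in a KMS/HSM and rotate it.
AUDIT_KEY = b"example-audit-key-do-not-use-in-production"

GENESIS = "0" * 64  # prev_mac value for the first entry in the chain


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class AuditEntry:
    seq: int                 # position in the log; detects deleted entries
    sender: str
    recipient: str
    attachment_sha256: str   # digest of what was actually sent
    encrypted: bool          # transmission-security flag from the gateway
    prev_mac: str            # MAC of the previous entry; links the chain
    mac: str = ""            # HMAC over every field above

    def payload(self) -> bytes:
        body = {k: v for k, v in self.__dict__.items() if k != "mac"}
        return json.dumps(body, sort_keys=True).encode()


class AuditLog:
    def __init__(self, key: bytes):
        self.key = key
        self.entries: List[AuditEntry] = []

    def _mac(self, entry: AuditEntry) -> str:
        return hmac.new(self.key, entry.payload(), hashlib.sha256).hexdigest()

    def record(self, sender: str, recipient: str, attachment: bytes,
               encrypted: bool) -> AuditEntry:
        prev = self.entries[-1].mac if self.entries else GENESIS
        entry = AuditEntry(len(self.entries), sender, recipient,
                           sha256_hex(attachment), encrypted, prev)
        entry.mac = self._mac(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return the index of the first entry that fails the chain check,
        or None if every entry is intact and correctly linked."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if (entry.seq != i or entry.prev_mac != prev
                    or not hmac.compare_digest(self._mac(entry), entry.mac)):
                return i
            prev = entry.mac
        return None

    def unencrypted_transmissions(self) -> List[int]:
        """Sequence numbers of messages the gateway sent in the clear."""
        return [e.seq for e in self.entries if not e.encrypted]


def attachment_matches(entry: AuditEntry, attachment: bytes) -> bool:
    """Integrity control: does the file on record still match what was sent?"""
    return hmac.compare_digest(entry.attachment_sha256, sha256_hex(attachment))


def demo():
    """Record two constructed transmissions, then tamper with one."""
    log = AuditLog(AUDIT_KEY)
    referral = b"Patient: J. Doe, DOB 01/01/1970, referral to cardiology"  # constructed ePHI
    log.record("dr.smith@clinic.example", "cardio@hospital.example", referral, encrypted=True)
    log.record("frontdesk@clinic.example", "patient@mail.example", b"appointment reminder", encrypted=False)
    intact = log.verify()  # None: nothing has been altered yet
    # Someone rewrites the recipient of the first message after the fact.
    log.entries[0].recipient = "attacker@evil.example"
    first_bad = log.verify()  # 0: the edited entry no longer matches its MAC
    return intact, first_bad, log.unencrypted_transmissions()


if __name__ == "__main__":
    print(demo())
```

The chain only proves tampering to someone who holds the audit key, so in practice the key lives with whoever reviews the log, not with the mail system's administrators, and the log itself is written to append-only storage. The `encrypted` flag is the simplest possible representation of the transmission-security safeguard; the point is that the audit record should let you answer "did any PHI leave unencrypted, and to whom?" without trusting the mailbox itself.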

      Because email is one of the most frequent ways hackers gain access to patient data or business-critical credentials, email security must be a top priority for every medical and dental practice.

      What is an Email Breach?

      An email breach is a serious security incident where a single email, email account, or email system has been “impermissibly used or disclosed.” In other words: someone who shouldn’t have access to your email does, and they might be hijacking your data. In the case of healthcare providers and their email systems and accounts, a breach might allow bad actors to access information without the email account owner ever knowing. That information may include either ePHI, EHRs, or even credentialing information providing access to other systems and applications.

      In fact, in healthcare, the email security statistics are sobering. For example, 80% of healthcare organizations have reported cyberattacks or incidents in the last year. And, 34% of reported data breaches included authorized access or disclosure of sensitive data.

      Email breaches and attacks, including phishing, create risks that include exposing important data related to your practice and/or the personal records and information regarding employees. These leaks can also jeopardize your overall practice and digital security. In fact, 88% of healthcare workers open phishing emails and they’ve seen an increase of 75% over the last few years, perhaps due largely to their success in helping bad actors get what they want.

      And, perhaps even more important, 91% of all cyberattacks begin with an email and the healthcare industry has seen a 279% spike in email-based attacks. In short, getting a handle on your email security and protocols is vital.

Top Email Vulnerabilities

      As many of us can attest, the first part of solving a problem is identifying not just the problem but its cause. When it comes to email security, that means understanding the risk and the vulnerabilities inherent to most common email platforms. So, let’s take a closer look at some of the kinds of email breaches that put healthcare practices at risk.

      • The use of a public email server. The temptation to use public servers is easy to understand. They’re simple, free, familiar, and accessible. And, when you’re on the move, trying to meet patient care and communication needs, defaulting to personal, less-secure, public email servers to send “just a quick email” is a habit many of us need to break. Reliance on public email servers means security measures are not as strong as they should be (or, in the case of HIPAA, have to be) and can leave you, your patient data, and your practice open to attack.
      • Human error and poor training. Lack of knowledge around the use of public email servers is, in part, an issue of training. Without proper security training, practice staff may be unaware of how to keep themselves and the practice safe. It only takes one person on your team opening one malicious email and clicking one villainous link to put your practice data at risk. In fact, 61% of healthcare security breaches involve human error, many of which could be prevented with proper and complete security training for your staff. This means educating employees on security issues and what not to do as well as what they must do for HIPAA compliance, and the importance of both when it comes to protecting patient data.
      • Phishing attacks are prevalent. With the aforementioned 88% of healthcare staff opening phishing emails, it’s clear to see why phishing attacks are a huge risk. Phishing attempts replicate the look and feel of emails from known vendors or partners (e.g. Amazon or your bank) so that recipients who are unaware, untrained, or simply overwhelmed by email volume may be vulnerable to making mistakes. Further, phishing attempts have grown more sophisticated and fake emails are more convincing than ever.  And critically, phishing attacks can open the door for more dangerous ransomware attacks, locking access to your network or data until a ransom is paid. 
      • Lack of clear protocols and policies. Much like training, many healthcare practices assume that security knowledge and protocols are standard and established despite not being formalized. This is especially true when it comes to email because of its ubiquity and usage. However, standard email usage at home is very different and the threats for a healthcare practice are far greater and more significant and, as a result, many users may be unaware of what to look for and how to respond. This also includes business associates with whom you may share information (which is why BAAs are essential). Remember: policies and procedures must include everyone who comes in contact with your patients’ PHI.
• Unsecured networks, Wi-Fi, and work-from-home policies. While working on the move and from home are great advantages of modern technology and a flexible workplace, of reported breaches in 2023, 47 were due to unsecured networks. This can include users accessing email via unsecured home or public networks, which unwittingly allows hackers and bad actors to intercept data shared over these networks.
      • Shared inboxes and sloppy usage. Shared emails can be a time saver and simplify collaboration and communication in a busy office. However, that same level of activity may mean unfinished tasks. That means emails may get left in draft form, especially with autosave features leaving data visible to unintended audiences. Similarly, autofill features can result in erroneous emails sent to the wrong recipients which can also expose patient data. 
• Lack of encryption or appropriate security. First of all, if your email service doesn’t provide encryption, stop using it right now. And, if you aren’t sure your email service is 100% HIPAA compliant, then it probably isn’t. That’s because achieving HIPAA compliance takes incredible attention to detail and involves multiple security parameters. There are email services out there that will tell you they’re “encrypted” and therefore your data is “safe,” but remember that encryption (at a minimum of 128 bits) is just one of many requirements.

      Because many practices are struggling with staffing, security procedures, protocols, and policies often take a backseat to more pressing needs and concerns. However, they can’t. The risk is too significant. So what can you do to improve your email security?

How to Protect Your Practice from Email Breaches and Ensure HIPAA Compliance

      While HIPAA security risks and compliance are likely at the forefront of your practice security concerns, mitigating email vulnerabilities and risks should be part of any comprehensive security plan. So, what concrete steps can you take to ensure your email security is as strict and stringent as any other security measures you’d take to protect your practice and patients?

      1. Create, update, or enhance your security protocols and policies to include email security.

2. Train your staff in all security risks and concerns, especially in recognizing suspicious emails and the proper actions to take.

      3. Employ vendor risk management strategies such as BAAs with your vendors and partners.

      4. Monitor email for security risks and actively monitor your networks for breaches or attacks.

      5. Ensure all applications and hardware are up-to-date regarding security patches.

      6. Regularly audit email communications to look for potential risks or vulnerabilities.

      7. Consider a full HIPAA risk assessment that includes email.

      8. Employ a secure, HIPAA compliant, email solution that protects your email with end-to-end encryption and safeguards storage.

      While email security is a vital component of practice and patient data security, it’s often overlooked. Regardless of the reasons, hackers and bad actors are aware of the vulnerabilities and have increased efforts to access data and networks through email. In response, medical offices and dental practices, regardless of their size, must take sufficient steps to safeguard what could be an open window into your practice.

      If you need help understanding your practice’s vulnerabilities or are looking for a secure HIPAA compliant email solution to further bolster your security posture, book a demo today. iCoreConnect specializes in understanding the unique challenges and needs of the healthcare industry and our team is ready to help you protect one of your most valuable assets: patient data.
