Email Security Stats You Need to Know

We’ve all had mornings when we open our email and the sheer number of new messages is overwhelming. So, we move through them quickly, hoping to identify those that are important or urgent, in an effort at digital triage. From our frequent contact with the medium to the speed with which we sometimes move through emails, we may not realize we’re creating risk. It’s these very normal and very common behaviors that hackers count on. It’s what makes email vulnerable and it’s what makes email a high value target.

It’s also why you should be paying close attention to your email security and finding ways to limit your risk.
Quick Links

• Email Security Stats You Need to Know
• Why is Email a Target for Cyberattacks?
• Types of Email Cyberattacks
• Types of Email Security
• How to Improve Your Email Security

Email Security Stats You Need to Know

Let’s begin with the sobering stats. Education starts with understanding the threat and understanding how the security measures you employ can help protect you, your patients, and your practice.

Here are general stats regarding the volume of data breaches and cyber attacks in healthcare:

• Healthcare and finance remain the two most targeted industries for cyberattacks
• Despite that threat, healthcare organizations allocate approximately 6% of their budgets towards cybersecurity
• In the first half of 2022, there were 327 healthcare data breaches impacting 19,992,810 individuals
• The largest healthcare data breach of 2023, thus far, impacted more than 4.2 million people
• There is a 75.6% chance of a breach of at least five million records in the next year

Now, let’s take a look at some of the attack methods we discussed:

• 59% of healthcare professionals identify email as the most vulnerable point of entry
• 88% of healthcare workers have opened a phishing email
• Phishing is a leading cause of healthcare attacks and breaches
• Breaches caused by phishing often take nearly 300 days to identify
• Despite the effectiveness of security training, only a third of healthcare organizations conduct phishing tests and a quarter provide no training to avoid phishing attacks
• In the last few years, healthcare email frauds have grown (by 493% in 2020) and continue to be a major threat
• Ransomware attacks against healthcare organizations have doubled in the last five years with smaller clinics and dental offices growing in value. Experts believe this may be underestimating the threat as well
• Nearly 2/3rds of breaches come from employee negligence rather than an outside threat

And, then let’s consider the costs:

• On average, healthcare data breaches cost an average of $408 per health record
• The cost of an average breach in healthcare is up to $10.1 million
• The “average cost” rarely includes the cost of security upgrades, remediation, regulatory fines, insurance hikes, lawsuits, and reputation

These stats demonstrate how essential not just cybersecurity but email security is for any healthcare organization. Similarly, the statistics suggest that a good number of the breaches and cyber attacks experienced by healthcare organizations are preventable. 

Why is Email a Target for Cyber Attacks?

Did you notice that the majority of attacks occur via email? It’s worth repeating that 59% of healthcare professionals identify email as the most vulnerable point of entry and a whopping 88% of healthcare workers have opened a phishing email.

If you’re following IT or cybersecurity news or groups on social media, it may come as no surprise to you that email is the number one target for cyber attacks. Or perhaps you’ve been on the receiving end of a phishing attack and, given the statistics, the odds are pretty good. But why is email such a popular attack method? Why do cybercriminals look for new and different ways to exploit email?

The short answer is that, for many, it’s the most vulnerable part of your tech stack. The more detailed answer includes factors as to why:

More people, more opportunity- Whether it’s the number of email accounts in your organization or the number of staff people checking a single administrative email account, more people increases the likelihood of human error.

Public email servers- Even with work emails, many people default to personal, less-secure, public email servers to send “just a quick email.” Reliance on those public email servers means security measures are likely not as stringent as they should be.

Email Volume- Patient emails. Partner emails. Provider emails. Vendor emails. That’s plenty right? Now add in newsletters, organizational updates, listservs, spam, solicitations, and more, and you’ve got a lot of email coming in. That volume means, sometimes, people are moving pretty quickly to get through it all. That volume, plus speed, means malicious emails can slip through, especially when they’re more advanced. Because you’re moving fast, it may also mean you are more prone to send patient emails with protected health information “just this once."

Hacker Savvy- Email threats are constantly evolving and growing more and more sophisticated. Hackers are getting better at spoofing and mimicking legitimate partners, vendors, and others with whom you have an established relationship. And, they are then able to intercept credentials or valuable information. Especially if you're sending emails with any patient names, date of birth, medical info, etc.--you're giving a hacker golden opportunities to disrupt or destroy a practice and/or patient.

Weak Security- If you’re getting a lot of spam or unsolicited emails, it may be an indicator that your email security is just not strong enough. Unfortunately, when it comes to IT security and ensuring what’s patched and updated has been taken care of, email often slips through the cracks. If you’re not monitoring your email security, and no one else is either, assume potentially dangerous security vulnerabilities exist.

Any one of these concerns on its own should be troubling, but when they’re stacked they amplify the risk and it becomes much easier to see why email is like leaving a window wide open or the door unlocked– it’s the digital equivalent of “no sign of forced entry.”

Types of Email Cyberattacks

As we mentioned, these days, email attacks are getting better and better. The sheer volume of emails makes what would normally be perceived as low threat; simply not true.

Spam- Most spam is innocuous. But, like a bill that gets stuck between pieces of junk mail, one sneaky, dangerous piece of spam can slip through pretty easily. However, some spam contains malicious links or dangerous attachments that can infect computers or entire networks with malware.

Phishing/Spear phishing- Phishing attacks aim to gather information, such as credit cards, personally identifiable information, or login credentials, by convincing the user to willingly hand them over typically via an online form, link or even a phone call. Spear phishing, much like the name implies, is far more specific, and far more sophisticated. In that case, hackers mimic, often very convincingly, businesses or people with which you have a relationship or account and prey upon your trust to hand over information and credentials.

Business email compromise (BEC)- Much like phishing and spear phishing, BEC relies heavily upon the existence of trusted relationships. In this case, however, the hackers have compromised an email account, typically belonging to a key decision maker. The individual is then able to make requests of others for information or assets.

Ransomware- Once hackers have the credentials they need, or you have clicked on a non-secure link and downloaded malware, they’ll install software that locks down your system, blocking access to your network or your files. To release your files or restore access, you’ll be asked to pay the hackers and, if you fail to do so by the deadline they set, you may permanently lose access.

Identity theft- Unfortunately, we’re all likely aware of what identity theft is these days. But malicious actors can use that information to access more data or change account information on vital software or services giving them free access.

Because email still remains a major security liability for businesses and organizations, the threat will continue to evolve. That means that email security methods will need to evolve and improve as well.

Types of Email Security

Now let’s talk about how to be proactive to prevent the above from being something you experience. Some of the attack methods rely on human error, and that makes combating them more difficult. However, with the right email security mechanisms in place, you can certainly decrease the threat.

Encryption- One of the biggest risks to email, and the data contained within, is when it’s in transit between inboxes. Encryption essentially scrambles the information and any files until it reaches the intended recipient. This is especially important in healthcare as HIPAA compliance requires encryption, however, not all encryption is the same. Some email solutions only encrypt in transit which means your data and emails are still vulnerable in storage. And, it’s important to note that encryption alone does not meet all federal HIPAA rules for electronic transmission of PHI.

Spam Filters- Obviously, one of the best solutions to preventing spam and phishing attempts is to never receive them in the first place. A powerful spam filter that reroutes potentially dangerous emails to a different folder or inbox can isolate it and either remove the risk or make staff more aware. An even better solution is using an email service that prevents unknown senders from initiating communication with you unless you reach out first.

Antivirus Software- Because spam filters can’t catch it all, antivirus software can help identify dangerous emails, scanning them for threats, and prevent their delivery.

Obviously, as with most security plans, layering your defenses is the best move, but the first, and most important, part of your defense is educating yourself and your staff on the threat, potential vulnerabilities, and security measures they can and should employ beyond what’s in place.

How to Improve Your Email Security

Obviously, the first step to improving email security at your medical office or dental practice is employing multiple security strategies, including those noted above such as encryption, antivirus software, and spam filters.

Then, there’s HIPAA compliance. HIPAA requires that you control access to all email, including verifying recipients. Further, you must ensure encrypted transmissions, with no alterations of data, and create an auditable trail that is backed up for at least 5 years. Those requirements and the aforementioned security methods are baseline. And yet, your average email application can’t meet those standards. Still, what if you could do more?

With iCoreConnect’s iCoreExchange, you can. iCoreExchange is a HIPAA compliant email solution for medical and dental practices. It’s designed with more than compliance in mind. At iCoreConnect we understand how important the security of your data, your patients, and your practice is and the role that software solutions play in your security. In fact, it’s so secure that no iCoreExchange email has ever been hacked, phished, or held for ransom. That’s a pretty good record and a level of care and service you, your patients and your practice deserve.

If you’re ready to take email security seriously and help mitigate your risk, get in touch with the iCoreConnect team to book a demo today.