It’s also why you should be paying close attention to your email security and finding ways to limit your risk.
Let’s begin with the sobering stats. Education starts with understanding the threat and understanding how the security measures you employ can help protect you, your patients, and your practice.
Here are general stats regarding the volume of data breaches and cyber attacks in healthcare:
Now, let’s take a look at some of the attack methods we discussed:
And, then let’s consider the costs:
These stats demonstrate how essential not just cybersecurity but email security is for any healthcare organization. Similarly, the statistics suggest that a good number of the breaches and cyber attacks experienced by healthcare organizations are preventable.
Did you notice that the majority of attacks occur via email? It’s worth repeating that 59% of healthcare professionals identify email as the most vulnerable point of entry and a whopping 88% of healthcare workers have opened a phishing email.
If you’re following IT or cybersecurity news or groups on social media, it may come as no surprise to you that email is the number one target for cyber attacks. Or perhaps you’ve been on the receiving end of a phishing attack and, given the statistics, the odds are pretty good. But why is email such a popular attack method? Why do cybercriminals look for new and different ways to exploit email?
The short answer is that, for many, it’s the most vulnerable part of your tech stack. The more detailed answer includes factors as to why:
More people, more opportunity- Whether it’s the number of email accounts in your organization or the number of staff members checking a single administrative email account, more people means a greater likelihood of human error.
Public email servers- Even when they have work email, many people default to personal, less-secure, public email services to send “just a quick email.” Reliance on those public email servers means the security measures in place are likely not as stringent as they should be.
Email Volume- Patient emails. Partner emails. Provider emails. Vendor emails. That’s plenty, right? Now add in newsletters, organizational updates, listservs, spam, solicitations, and more, and you’ve got a lot of email coming in. That volume means people are sometimes moving pretty quickly to get through it all. Volume plus speed means malicious emails can slip through, especially when they’re more advanced. Because you’re moving fast, you may also be more prone to send patient emails containing protected health information “just this once.”
Hacker Savvy- Email threats are constantly evolving and growing more sophisticated. Hackers are getting better at spoofing and mimicking legitimate partners, vendors, and others with whom you have an established relationship, and are then able to intercept credentials or valuable information. If you're sending emails containing patient names, dates of birth, medical information, and the like, you're giving a hacker golden opportunities to disrupt or destroy a practice and harm its patients.
Weak Security- If you’re getting a lot of spam or unsolicited email, it may be an indicator that your email security is simply not strong enough. Unfortunately, when it comes to IT security and keeping track of what has been patched and updated, email often slips through the cracks. If you’re not monitoring your email security, and no one else is either, assume that potentially dangerous security vulnerabilities exist.
Any one of these concerns on its own should be troubling, but when they’re stacked they amplify the risk, and it becomes much easier to see why email is like leaving a window wide open or the door unlocked. It’s the digital equivalent of “no sign of forced entry.”
As we mentioned, email attacks are getting better and better. The sheer volume of email means that what would normally be perceived as a low threat is, in practice, no such thing.
Spam- Most spam is innocuous. But, like a bill that gets stuck between pieces of junk mail, one sneaky, dangerous piece of spam can slip through pretty easily. Some spam contains malicious links or dangerous attachments that can infect computers, or entire networks, with malware.
Phishing/Spear phishing- Phishing attacks aim to gather information, such as credit card numbers, personally identifiable information, or login credentials, by convincing the user to willingly hand them over, typically via an online form, a link, or even a phone call. Spear phishing, as the name implies, is far more targeted and far more sophisticated. In that case, hackers mimic, often very convincingly, businesses or people with whom you have a relationship or account, and prey upon your trust to get you to hand over information and credentials.
Business email compromise (BEC)- Much like phishing and spear phishing, BEC relies heavily upon the existence of trusted relationships. In this case, however, the hackers have already compromised an email account, typically one belonging to a key decision maker, and use it to make requests of others for information or assets.
Ransomware- Once hackers have the credentials they need, or you have clicked on a non-secure link and downloaded malware, they’ll install software that locks down your system, blocking access to your network or your files. To release your files or restore access, you’ll be asked to pay the hackers, and if you fail to do so by the deadline they set, you may permanently lose access.
Identity theft- Unfortunately, we’re all likely aware of what identity theft is these days. Beyond the obvious harm, malicious actors can use stolen identity information to access more data or to change account details on vital software or services, giving themselves free access.
Because email still remains a major security liability for businesses and organizations, the threat will continue to evolve. That means that email security methods will need to evolve and improve as well.
Now let’s talk about how to be proactive so that none of the above becomes something you experience. Some of these attack methods rely on human error, which makes combating them more difficult. However, with the right email security mechanisms in place, you can certainly decrease the threat.
Encryption- One of the biggest risks to email, and the data contained within it, arises while it’s in transit between inboxes. Encryption essentially scrambles the message and any attached files until they reach the intended recipient. This is especially important in healthcare, as HIPAA compliance requires encryption. However, not all encryption is the same: some email solutions only encrypt in transit, which means your data and emails are still vulnerable in storage. And it’s important to note that encryption alone does not meet all federal HIPAA rules for electronic transmission of PHI.
Spam Filters- Obviously, one of the best ways to prevent spam and phishing attempts is to never receive them in the first place. A powerful spam filter that reroutes potentially dangerous emails to a different folder or inbox can isolate them and either remove the risk or make staff more aware of it. An even better solution is using an email service that prevents unknown senders from initiating communication with you unless you reach out first.
Antivirus Software- Because spam filters can’t catch everything, antivirus software can help identify dangerous emails by scanning them for threats and preventing their delivery.
As with most security plans, layering your defenses is the best move, but the first, and most important, part of your defense is educating yourself and your staff on the threat, the potential vulnerabilities, and the security measures they can and should employ beyond what’s already in place.
The first step to improving email security at your medical office or dental practice, then, is employing multiple security strategies, including those noted above: encryption, antivirus software, and spam filters.
Then there’s HIPAA compliance. HIPAA requires that you control access to all email, including verifying recipients. Further, you must ensure encrypted transmission with no alteration of data, and create an auditable trail that is backed up for at least 5 years. Those requirements and the aforementioned security methods are the baseline, and yet your average email application can’t meet those standards. Still, what if you could do more?
With iCoreConnect’s iCoreExchange, you can. iCoreExchange is a HIPAA compliant email solution for medical and dental practices, designed with more than compliance in mind. At iCoreConnect we understand how important the security of your data, your patients, and your practice is, and the role that software solutions play in your security. In fact, it’s so secure that no iCoreExchange email has ever been hacked, phished, or held for ransom. That’s a pretty good record, and a level of care and service that you, your patients, and your practice deserve.
If you’re ready to take email security seriously and help mitigate your risk, get in touch with the iCoreConnect team to book a demo today.