
      How HIPAA Compliant Email Can Help Protect Your Practice from Phishing

Your patients are your priority. Often that means spending your days focused on their care, not necessarily on how your email can impact that care. But, if you’re in the healthcare industry, you’ve no doubt heard or read about the devastating impact of phishing attacks. Much like any threat, the best defense you have is to understand the threat, and what tools exist to help you mitigate it. When it comes to phishing, that means being aware of exactly how spear phishing can target your practice, your staff, and your patient data. It also means knowing what tools can best help you with that defense.


      What is a Phishing Attack?

      A phishing attack’s primary purpose is to lure an individual into revealing information, such as login credentials or other sensitive information, that will allow the attacker access to your network or system.

      Traditionally, phishing attacks occur via email, text, or electronic communication. However, what makes them so insidious is that the attacker has typically done their homework. They have enough information about your vendors, your partners, and other important relationships to imitate them via email. This practice is referred to as a spear phishing attack.

Spear Phishing Attacks

      Those spear phishing fakes, on the surface, look pretty convincing from matching logos, color schemes, and more. They prey on your established relationship, and trust, as well as your willingness to follow a link. However, these fakes are often easy to spot as they follow a pretty standard pattern.

      More specifically, these emails often suggest there is a problem with your account, from payment or confirmation to suspicious activity, and that problem requires you to take immediate action. In fact, the action needs to be so immediate that the sender typically includes a link for you to login to your account and enter information.

Once you click on the link, instead of visiting the site of your trusted relationship, you’re actually on a fake site that collects the data you enter, either to steal it outright or to use it to attack your larger network. For example, you may receive a notice from your firewall software provider; logging in on that fake site hands the attacker the credentials they need to disable your firewall, giving them the access they want.

Thankfully, the sites and the emails are usually also easy to spot if you know what to look for. Often, these emails and sites include errors and lack the personalization you may receive from a trusted vendor or partner. Sometimes, they present issues that don’t exist (or aren’t possible), make offers you know the vendor would never make, or even suggest there are relationships or agreements you don’t have.

Why are Phishing Attacks So Dangerous?

      One thing that makes phishing attacks so dangerous is that, as noted above, they often prey on existing relationships, your busy or hectic schedule, the volume of emails you receive, and your need to continue to provide the vital services they often pretend to be.

      However, there’s more to it than that. In fact, another part of what makes them dangerous is that they’re pretty incessant. You’ve likely gotten them in your own email inbox. In fact, there are nearly 3.4 billion spam emails sent every day and Google blocks around 100 million of those. And, it’s perhaps an even greater threat to healthcare.

      In 2021, one survey revealed that more than half of all healthcare organizations that suffered a cyber attack can trace it back to a phishing attack. Think we’ve improved? In 2022, phishing attack losses increased by 77%, with nearly 50 million Americans impacted by a phishing attack.

In addition to leaking sensitive patient data, which may erode trust and break HIPAA laws (adding to your potential problems), recovering from a phishing attack can be remarkably expensive, ranging from several hundred thousand dollars to closer to a million. Again, those are only the costs of addressing the leak or attack; they don’t account for other damages, including reputational damage, which may have much more significant financial consequences in the long term.

      In short, one seemingly innocent email, and an employee’s desire to rectify a problem can bring your entire practice to a halt, especially if the goal was to install ransomware. Briefly, ransomware can hold your practice, and patient data, hostage to the hackers who often attempt to extract a “ransom” to return the keys to your organization.

      What is HIPAA Compliant Email?

While some phishing attacks do occur over the phone (called voice phishing), the large majority of spear phishing attacks come via email. Unfortunately, some practices assume that if their email provider is HIPAA compliant, it means their email is safe. If that isn’t the case, what exactly is HIPAA compliant email?

The short version is that the HIPAA regulations governing how email and other electronic communications are handled aren’t a simple, clear-cut rule or list of protocols. Instead, they require the assurance of both security and privacy for protected health information (PHI) and electronic health records (EHR) sent via electronic mail. PHI should absolutely never be sent through a personal email account or through internet-based providers like Yahoo, AOL, or Hotmail unless you’ve confirmed that your regular email is in full compliance with all of the regulations listed below, which require encryption in addition to the other controls.

It’s important to understand the nuances that come with compliant encryption. Wherever PHI appears, whether in the body of the email or in an attachment, it must be encrypted. Patient-initiated emails do not share this requirement, nor do emails shared within a healthcare organization. Additionally, Business Associate Agreements (BAAs), while not required, should always be implemented with every vendor; be aware, though, that they only cover data held on a server by the business associate.

      HIPAA Compliant email requires:

• Access Control. Restrict PHI access to authorized individuals.
• Audit Control. Maintain and monitor an auditable trail of email history and transmissions.
• Integrity Controls. Implement policies and procedures to ensure ePHI is not improperly destroyed or altered.
• Transmission Security. As noted above, transmitted PHI must be encrypted.
• Authentication. Provide security measures that verify an individual’s identity prior to granting them access to electronic protected health information.

      Because email is one of the most frequent ways that bad actors gain access to patient data or business critical credentials, keeping your email secure should be a top priority for every medical and dental practice.

How Can HIPAA Compliant Email Help Keep You and Your Practice Safe?

      So HIPAA compliant email can help keep your patient data safe, but is it enough to protect your practice? Not likely. Even if your email is HIPAA compliant, it won’t always stop spam from getting through and that’s where phishing attacks can still be a problem. Without the added protection from spam, you’re still at risk.

      So, what if you had a HIPAA compliant email that didn’t limit file sharing, that acted as a referral network, connecting you with other providers and prevented spam from getting through? With those challenges in mind, iCoreConnect created iCoreExchange, an industry leading, HIPAA compliant email solution that provides the protection and flexibility your practice needs.

      You’ll only receive email from providers and patients. No unsolicited emails means no iCoreExchange email has ever been hacked, phished, or held for ransom. It’s secure for both practice and patients and we’re ready to show you how. Book a demo with our team today and get protection and peace of mind.
