In 2020, when hackers began intensely targeting healthcare, providers accounted for 79 percent of all breaches in the healthcare field, according to Fortified Health Security. "Today, more and more of those breaches are because of protected health information in email," says Brian Driskill, president of Jackson Thornton Technologies.
Email has become a forgotten source of risk. Healthcare has traditionally focused their security assessments and protection protocols on the bulk location for protected health information (PHI), their electronic medical records. But email can not only serve as a path to that cache of PHI, it can also be an unsecured carrier of it. "If somebody gets in your email account, and there is even one email with protected health information, it is a breach," Driskill says.
At one clinic, the staff would email the daily patient schedule to various departments in the office without a thought of that list being PHI. "If a patient is named in an email that can be identified as going to that practice, it is a breach," Driskill says. "Just having the signature of that practice on an email to you is enough."
Practices risk violating the PHI regulations even when the billing department emails the front desk a list of patients coming in that week with a balance due. "They think they're sending that information within the practice, but if someone outside gets into that email account, it is a breach," Driskill says.
Safeguards lie beyond utilizing complex passwords. But that's a start. Implementation of multifactored authorization, which requires the additional step of inputting a code sent by phone or fob, adds a more robust protection layer. "If you just did those two things, you've gone a long way," Driskill says. "Multifactored authorization would have stopped the breaches I've seen."
Because users tend to present the greatest email vulnerability, practices should hold quarterly mock trainings that can be as simple as sending staff a video on what not to fall for in emails, followed by a test. At Driskill's firm, staff must participate or lose network privileges.
"Ask yourself if each person needs an email account," Driskill says. Considering EHR systems tend to allow for internal messaging, many positions, especially clinical ones, may not require access to email. "If you do limit email, be really careful those people don't start using their personal email account on the network," he says.
Banning the use of or access to personal emails on the network avoids trouble when the staffer leaves the practice, since they had access to patient information and can still continue to receive privileged email. "We see that with doctors on their laptop," Driskill says. "Prohibiting personal emails needs to become written policy. Then if it causes a breach, you can prove the staff member violated policy, and you have at least protected your organization to some extent."
Practice policies should also delineate what content and types of emails should be encrypted along with how long emails are to be stored on the system. "I suggest that practices shouldn't store emails more than a year," Driskill says. "That way, if a hacker gets in, you've only exposed one year of information instead of ten."
If the organization uses Microsoft 365, it can add layers of data loss protection by upgrading the license level or with the new extensive Microsoft Purview solution, which combines Microsoft 365 compliance with the former Azure Purview. The tool identifies, monitors, and automatically protects data according to guidelines input by the practice. Then, for example, when someone attempts to share medical information in an email, the tool can pop up an alert, present options, and even block the action.
Smaller practices tend to underestimate the importance of written policies for governing email and protecting their business. "People tend to follow policy, but if you don't have it, they don't know what they should and shouldn't be doing," Driskill says. "If you don't state what is accepted and tell your employees this is our policy, it's the wild west."
If a breach occurs, written policies serve as the guidebook, which should include an incident response policy. "Just knowing what you're going to do, who you're going to call for forensics, and how to even determine whether a breach occurred should be part of your policies," Driskill says. The cyber insurance company may be the first call to make, as coverage may include forensics and guidance on handling compliance protocol correctly.
"Defending against a breach relies on written policies you put in place per HIPAA guidelines," Driskill says. "The people who haven't dealt with the risk will have the bigger problems."