Preventing Email Data Breaches In Healthcare
By Brad Spannbauer, j2 Cloud Connect
You don’t have to be a cybersecurity expert to know that data breaches are an all too common occurrence in healthcare. According to the 2018 Data Breach Investigations Report by Verizon, healthcare suffered more breaches than any other industry in 2017, accounting for almost a quarter of all breaches investigated during that period. Consequently, Personally Identifiable Information (PII) and Protected Health Information (PHI) were the most common types of data compromised overall, more so than banking and payment card details.
The report also revealed that healthcare was the only industry to experience a greater number of insider threats than external ones. Whether caused by human error, employee misuse, or malicious intent, the healthcare industry is its own worst enemy when it comes to data breaches, and is nearly seven times more likely to experience a casual error or mishap than any other industry.
From an external standpoint, one of the biggest threats facing healthcare today is ransomware, which accounted for 85 percent of all malware-related breaches last year. Ransomware is evidently a growing problem, and history has shown the repercussions can be incredibly costly.
In January 2018, Indiana-based Hancock Health was given just seven days to pay a $55,000 ransom to recover patient files that had been encrypted by attackers using a strain of malware known as SamSam. They decided to pay the next day and had access restored two days after the attack began. In the meantime, the hospital was operating and treating patients without access to online medical records, which forced them to revert to pen and paper, all during a heavy flu season. Not an ideal situation for healthcare providers or their patients!
Financial loss aside, the intangible impacts of a ransomware attack - namely the reputational damage - can be just as severe and long lasting. Under the HITECH Act, the U.S. Department of Health and Human Services (HHS) is required to keep a public record of all PHI breaches affecting 500 or more individuals. The Breach Portal, or “wall of shame”, as it is most commonly known within the industry, can be found on the HHS website, and at the time of writing features more than 400 healthcare data breach victims. Of the incidents listed, around a quarter of the breaches can be linked to email as the primary cause.
Eliminating Email As An Entry Point
The first step in preventing email-related data breaches is identifying and securing all potential vulnerabilities and entry points. However, doing this while maintaining operational consistency within a busy organization can be easier said than done. A recent survey of healthcare providers revealed that email was by far considered the most likely source of a data breach, yet remains a widely used communication channel amongst organizations. In fact, 9 out of 10 respondents said email was critical to their organization.
This considered, healthcare organizations need to be proactive when it comes to improving email security standards, and implement policies and procedures that are designed to tackle all potential security and privacy threats head-on, such as:
- Phishing - Phishing is a technique that preys on the naivety of its victims. By posing as a legitimate entity, attackers attempt to trick users into handing over information such as account passwords, as a way of gaining access to sensitive data. To the untrained eye, phishing scams can be incredibly difficult to spot, meaning organizations must educate their staff to err on the side of caution when opening or responding to emails - even those that look totally legitimate - such as never clicking on links in emails and never revealing passwords online.
As an example, in 2016, Washington University School of Medicine saw the PHI of over 80,000 patients compromised following an attack on several of its employees. An investigation into the breach revealed attackers used phishing techniques to fool users into revealing login details to staff email accounts, which granted them free access to sensitive patient information including medical diagnoses, names, dates of birth, medical record numbers and Social Security numbers.
- Ransomware - Often initiated through phishing techniques, most ransomware attacks start with what looks like a legitimate email from a trustworthy source, asking the recipient to click on a link or open an attached file. Once a malicious link has been clicked or a file opened, the attacker typically takes control of a network and blocks access to critical data until a sum of money is paid by the victim. According to reports, about 93 percent of all phishing emails involve ransomware.
- User error - The fact that healthcare was the only industry to experience a greater number of insider data breaches than external ones in 2017 suggests that organizations need to be doing more to educate staff around responsible email usage. Misaddressed emails and faxes and weak passwords, for example, are all avoidable mistakes but represent significant risks if not addressed.
Fighting these risks is not easy but when it comes to email security, prevention is better than cure. Healthcare providers should ensure that security policies and procedures not only exist, but are continually communicated to all staff. These policies and procedures should be updated to reflect new and emerging threats, as well as informing staff about what to do in the event of an attempted attack.
At an operational level, staff should be encouraged to use common sense and follow best security practices when accessing email across any device, including using strong passwords and multi-factor authentication (such as password and fingerprint), not leaving devices unattended, and never sharing login details with colleagues.
Another solution is to eliminate email entirely, but given widespread reliance on email as a communication channel, this isn’t always possible. Therefore, finding an alternative means of communication that shares many of email’s traits, but with added security benefits, can make the transition significantly easier. An enterprise cloud fax solution, for example, allows employees to send and receive faxes by email, but within a secure environment that ensures information remains protected throughout the entirety of its life cycle.
Unfortunately there’s no simple cure for cybercrime, and as attackers become more sophisticated in their methods, organizations must become more advanced in their defense strategies. Email is an inherently high-risk channel for regulated industries such as healthcare, but with the right tools, policies, and procedures in place, and through constantly educating staff, organizations stand a much better chance of preventing would-be attacks.
About The Author
A 20-year industry veteran, Brad Spannbauer currently oversees product strategy and planning, and provides direction and market leadership for j2 Cloud Connect's worldwide business as their Senior Director of Product Management. His focus in the Healthcare and Legal verticals led to Brad's involvement with the j2 Cloud Services™ compliance team, where he leads the team as the company's HIPAA Privacy & Compliance Officer. Visit eFax Corporate® to find out more about Secure Cloud Fax & Compliance Solutions.