Email encryption is an essential element of any layered approach to healthcare cybersecurity, for two reasons: first, to ensure HIPAA compliance, and second, to safeguard protected health information (PHI) from the constant threat of cyberattacks. If a data breach occurs, covered entities and their business associates must demonstrate their due diligence or face a HIPAA violation. So how does email encryption fulfill both requirements?
What is encryption?
Encryption is a cryptographic process that transforms readable data into an unreadable form (ciphertext). The data can only be unlocked with a specific key held by authorized parties.
Encryption does not prevent a data breach, but it does keep data from being accessed or used by cybercriminals who don't have the decryption key.
HIPAA, PHI, and encryption
HIPAA cybersecurity guidelines are generally found in the HIPAA Security Rule, which specifies “required” and “addressable” safeguards for protecting electronic PHI (ePHI). Those deemed “addressable” only have to be implemented if a HIPAA risk assessment determines they are necessary.
Under HIPAA, encryption is addressable rather than required. But as there’s no appropriate alternative method to safeguard email, email encryption is effectively required. Without encryption, if a breach occurs, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights may determine that a healthcare provider violated HIPAA. And that may mean exorbitant fines along with a corrective action plan, which is what happened to Anthem in 2015 when unencrypted data was stolen. In the past six years, the company has paid a $16 million HIPAA fine and settled two lawsuits for $115 million and $40 million.
Healthcare and email encryption
Such headaches are avoidable if all emails are encrypted. So why do healthcare providers avoid blanket email encryption even though it is a valid (and strong) cybersecurity tactic? It could be because HHS labels encryption as “addressable” instead of “required,” but anyone who understands HIPAA knows that “addressable” does not mean pointless.
The use of “addressable” safeguards allows organizations to select the best mix of cybersecurity for their particular needs. What works for a large hospital system would not work for a small, independent clinic. But no matter the size, all healthcare providers are susceptible to a cyberattack. Many other reasons float around as to why healthcare providers avoid email encryption. What it seems to boil down to is that businesses consider email encryption a hassle to set up, use and maintain. Moreover, organizations believe that email encryption requires complex login protocols and expensive upkeep. Others might choose to encrypt only the email accounts of team members who regularly send messages containing PHI, and hope that there are no exceptions. In other words, many organizations decide to roll the dice and assume that their IT department protects them enough, or convince themselves that a breach would never happen to them.
Better safe (and secure) than sorry
The benefits of using blanket email encryption outweigh the costs. It costs less to prevent a breach than to fix one. What’s the point of nickel-and-diming the cost of email encryption if you could end up paying $16 million in fines, like Anthem? Organizations worldwide are facing what the U.S. government is calling a ransomware epidemic. Email is one of the biggest threat vectors for hackers to infiltrate a network, quite often through a successful email phishing attack. But by securing all outgoing email with zero-step email encryption and all incoming messages with strong inbound email security, your healthcare organization will firm up one of the most common entry points for hackers. Ultimately, if the risk is deemed significant (and it should be!), email encryption must be employed.
How Paubox can help
HIPAA-compliant email is the fastest, easiest way to communicate with patients and other providers. Paubox Email Suite allows you to safely transmit ePHI via email because our patented software seamlessly encrypts all outgoing messages with blanket TLS 1.3 encryption, the encryption method endorsed by the NSA.
Our solution easily integrates with your existing email platform, such as Google Workspace or Microsoft 365. It requires no change in behavior to send encrypted email, and patients receive the messages directly in their inboxes, no password or patient portal required. As part of our commitment to inbound email security, we recently added Zero Trust Email for our Plus and Premium customers, which requires an extra layer of proof that an email is genuine before delivering it. In other words, Paubox provides the best protection out there for email communication because it combines strong encryption with other patented security approaches, such as ExecProtect which stops domain name spoofing emails in their tracks. Email encryption doesn't have to be a hassle. Rather, it’s a safe, secure method of protecting data that should be utilized by healthcare providers today.