Paubox blog: HIPAA compliant email made easy

Today's essential email security to avoid healthcare breaches

Written by Kapua Iao | June 24, 2022

Secure email communication is critical and must be a top priority. Since email is the most accessed threat vector, organizations must utilize solid email controls and a HIPAA compliant email provider. If not, the chance of a breach, a HIPAA violation, and exposed protected health information (PHI) is high. This is especially true as breaches against healthcare organizations have increased in number and intensity.

Read on and learn about essential healthcare email security tips to face rampant breaches and what solutions to put in place.

SEE ALSO: HIPAA Breach Report for May 2022

Healthcare providers have a legal obligation to always protect patients and their PHI, especially when sending or receiving emails. To do this, covered entities and their business associates need to understand the importance of secure email.


Recent healthcare email breaches: a quick roundup

The 2022 Healthcare Cyber Trend Research Report released some grim statistics about healthcare data breaches in 2021:
  • There were over 521 major hacking/IT breaches
  • This represents a 25.24% increase from 2020
  • The number of impacted individuals is 43,096,956
  • Email breaches alone affected 141 of the 521 organizations that experienced a breach


Healthcare organizations have already reported numerous breaches on the Office for Civil Rights (OCR) Breach Notification Portal for 2022. In May alone, 19 providers and business associates reported email breaches that impacted 186,171 individuals. Two breaches deserve more attention.


Alameda Health System's email breach

In June 2020, Alameda Health System discovered that a threat actor had gained remote access to an employee’s email account on April 8, 2020. The account contained PHI including names, driver’s licenses, Social Security numbers, and health insurance information. 90,000 individuals were impacted. It is important to note that under the HIPAA Breach Notification Rule, healthcare organizations should report all breaches that impact more than 500 people to OCR within 60 days of discovery (or directly after an investigation). There is no information yet connecting this breach to the one reported in September 2020 by Alameda, affecting 2,691 people.


Allaire Healthcare Services breach through email

In November 2021, Allaire Health Services (Allaire Healthcare Group) noticed suspicious activity in an employee’s email account. The company secured the account promptly and began to investigate the incident. The healthcare organization confirmed unauthorized access between November 10 and November 24. PHI exposed may include names, Social Security numbers, and medical history. The breach affected 13,148 individuals.


June 2022 healthcare breaches

So far, four organizations reported email breaches to OCR in June, impacting 96,662 individuals in total.
  • Bayshore Brightwaters Rescue Ambulance, Inc.: reported June 10, 2022; date of breach unknown; 500 individuals impacted
  • Central Florida Inpatient Medicine: reported June 7, 2022; breach occurred August/September 2021; 19,625 individuals impacted (affected individuals reported as 197,733)
  • Bergen’s Promise, Inc. (business associate): reported June 7, 2022; date of breach unknown; 6,948 individuals impacted
  • Kaiser Foundation Health Plan of Washington: reported June 3, 2022; breach occurred April 2022; 69,589 individuals impacted


SEE ALSO: Was Kaiser Permanente’s email data breach avoidable?

Not much is known about these breaches at this time.


Why secure email concerns all healthcare providers

Email security is an increasing concern for healthcare organizations and their patients, especially as email cyberattacks become more frequent, targeted, and sophisticated. Verizon’s 2021 Data Breach Investigations Report states that phishing and cloud-based email attacks are the most common social engineering techniques utilized.

In fact, social engineering and email attacks go hand in hand, as threat actors exploit the weakest link of any organization: employees. The wrong mouse click can be disastrous: at best it shuts a system down temporarily; at worst it exposes PHI and creates an even greater problem for everyone involved, possibly leading to a HIPAA violation and/or fines, extensive downtime, astronomical recovery costs, angry patients, and lawsuits.

The 2021 IBM and Ponemon Institute breach report included some shocking numbers. The average cost of a data breach in 2021 was $4.24 million, a 10% rise from 2019. Driven by the increase in ransomware attacks, the researchers expect global costs to peak at $6 trillion annually. Unfortunately, it looks like the above statistics will be even higher for 2022. Isn’t it better to avoid these issues and protect yourself and your patients?


Today's essential healthcare email security tips to face rampant breaches

Email is convenient, especially in healthcare. Ensuring security can be accomplished with HIPAA compliant email. HIPAA and email work well together if an organization has the appropriate safeguards in place to protect PHI. In fact, the HIPAA Security Rule lays out what safeguards to implement to protect patient data. The Security Rule specifies reasonable and appropriate administrative, physical, and technical safeguards. For example, covered entities must implement procedures on use, disclosure, and access to PHI. Any policy should include contingency plans in case a breach does occur, as well as the proper method for removal and/or disposal of PHI. The specific mix of email security protocols will depend on the needs and capabilities of each organization. Therefore, HIPAA safeguards are discussed in terms of addressable versus required.

It is up to each organization to understand and correctly implement cybersecurity measures to ensure HIPAA compliance, such as:

  • Email gateways
  • Multi-factor authentication
  • Data loss prevention (DLP)
  • Email encryption (in transit and at rest)
  • Inbound email filters
  • Employee training


And of course, utilizing a HIPAA compliant email provider like Paubox.


Paubox Email Suite—the best way to send HIPAA compliant email

First, Paubox signs a business associate agreement (BAA) with every customer. A BAA ensures that a vendor understands HIPAA and PHI protection. This means that PHI, whether sent or received, remains safeguarded. Paubox Email Suite's patented technology encrypts every sent email to ensure a conversation remains between the sender and receiver.

Furthermore, Paubox Email Suite Plus’s inbound email security includes patented proactive features that stop malicious emails from reaching an inbox. Zero Trust Email keeps malware and phishing emails from even being delivered, while ExecProtect blocks display name spoofing attacks.
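To illustrate what a display name spoofing check looks like in practice, here is an added example written for this article; it is not Paubox code and does not describe how ExecProtect works. It assumes a hypothetical organization domain (clinic.example) and a constructed directory of protected senders, and flags any inbound From: header whose display name matches a protected person but whose address is not the one on file.

```python
from email.utils import parseaddr
import re

# Assumed organization domain and a constructed directory of protected senders
# (the people whose names phishers most often borrow); not real data.
INTERNAL_DOMAIN = "clinic.example"
PROTECTED_SENDERS = {
    "Dana Reyes": "dreyes@clinic.example",
    "Pat Okafor": "pokafor@clinic.example",
}

def normalize_name(name: str) -> str:
    """Lower-case and sort the alphabetic tokens so 'DANA  REYES',
    'Reyes Dana' and 'Dana Reyes' all compare equal."""
    return " ".join(sorted(re.findall(r"[a-z]+", name.lower())))

_PROTECTED = {normalize_name(n): a.lower() for n, a in PROTECTED_SENDERS.items()}

def check_display_name_spoof(from_header: str):
    """Return a reason string when the From: header uses a protected display
    name with an address other than the one on file; otherwise return None."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    expected = _PROTECTED.get(normalize_name(display))
    if expected is None or addr == expected:
        return None  # unknown name, or the genuine sender
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if domain == INTERNAL_DOMAIN:
        # Same domain but a different mailbox: possibly a compromised or
        # newly created internal account, still worth flagging.
        return f"display name matches {expected} but address is {addr}"
    return f"external sender {addr} using protected display name {display!r}"

# Constructed sample From: headers for a quick run (two genuine, two suspicious)
SAMPLE_HEADERS = [
    "Dana Reyes <dreyes@clinic.example>",
    "Dana Reyes <dana.reyes.md@webmail.example>",
    "DANA  REYES <dreyes123@clinic.example>",
    "Jane Doe <jane@vendor.example>",
]

def flagged(headers=SAMPLE_HEADERS):
    """Return (header, reason) pairs for every header the check flags."""
    return [(h, r) for h in headers if (r := check_display_name_spoof(h))]

if __name__ == "__main__":
    for header, reason in flagged():
        print(f"FLAG: {header}: {reason}")
```

A real gateway would pair this with SPF, DKIM and DMARC results and with a directory feed of current staff rather than a hard-coded dictionary.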

Third, Paubox Email Suite Premium comes with email DLP, which eliminates the risk of user error and an accidental HIPAA violation.

Finally, Paubox Email Suite enables secure email to be sent and received from your existing email platform (e.g., Microsoft 365 or Google Workspace). There is no need for extra passwords, portals, or logins to communicate through email safely. That means easy-to-use secure email is within reach. No other HIPAA compliant email solution addresses the risks around HIPAA compliance and provides iron-clad security like Paubox. 

Use Paubox Email Suite to ensure that you only communicate through secure email and continue to provide proper patient care.


Try Paubox Email Suite Plus for FREE today.