The health industry is taking some great strides forward to catch up with the rest of the business world in the use of technology. From moving data to the cloud to even just using data, it’s a big shift for the industry. However, this is also creating some area for concern.
As healthcare gets more digital, hackers are targeting health providers, seeing them as soft targets with less experience and investment in cybersecurity than other organizations.
One of the biggest ways hackers have obtained protected health information (PHI) this year is by hacking the email of health providers. As we’ve already seen in 2015, hacks can result in large HIPAA fines and a loss of public trust for any health provider.
How does email get hacked?
1. Phishing
The most common way email gets hacked is through phishing schemes. Phishing is the most widely used technique because it’s simple, affordable, and attacks the weakest link in any security system – people.
Phishing is usually done by sending an email that looks legitimate and sends the recipient to a fake website, where they are asked to enter credentials to “verify” information; those credentials are then stolen. The email may also ask the recipient to download something that looks legitimate but turns out to be malware.
The Anthem breach is suspected to have originated through the use of a phishing scheme.
2. Man in the Middle Attack (MITM)
A MITM attack is when a hacker secretly relays communication between two parties who believe they are communicating directly. When emails are sent between two parties, unless BOTH parties use encryption, the message is open and can be read by anyone who intercepts it.
A quick way to tell whether an email is particularly vulnerable to MITM is to check whether it arrived in cleartext. Any emails sent to or received from mailboxes that only handle cleartext should be considered security liabilities.
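The cleartext check above can be automated from a message's own Received headers: each relaying mail server records a "with <protocol>" clause, and the keyword tells you whether that hop used TLS (ESMTP is plaintext; ESMTPS and ESMTPSA, from RFC 3848, mean TLS, with the trailing A meaning the sender also authenticated). The script below is an added example, not code from the original post or from any vendor; the message, hostnames and addresses in it are constructed for the demo.

```python
"""Flag hops in an email's delivery path that were relayed without TLS.

Added example (not from the original post). It reads the "with <protocol>"
clause each relaying mail server records in its Received: header.
The sample message below is constructed; the hostnames are not real.
"""
import email
import re

# Constructed sample: three hops. The middle one (partner relay -> clinic MX)
# was delivered over plain ESMTP, so that leg was readable in transit.
SAMPLE_MESSAGE = """\
Received: from mx.clinic.example (mx.clinic.example [192.0.2.10])
\tby inbox.clinic.example with ESMTPS id abc123
\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256);
\tMon, 2 Mar 2015 10:15:02 -0800
Received: from relay.partner.example (relay.partner.example [198.51.100.7])
\tby mx.clinic.example with ESMTP id def456;
\tMon, 2 Mar 2015 10:15:01 -0800
Received: from workstation.partner.example ([203.0.113.5])
\tby relay.partner.example with ESMTPSA id ghi789;
\tMon, 2 Mar 2015 10:15:00 -0800
From: nurse@partner.example
To: records@clinic.example
Subject: Referral paperwork

Please see the attached referral.
"""

WITH_CLAUSE = re.compile(r"\bwith\s+([A-Za-z0-9]+)")
BY_CLAUSE = re.compile(r"\bby\s+(\S+)")
# Protocol keywords that mean the hop was protected by TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}


def hop_summary(received_value: str) -> dict:
    """Describe one Received: header: receiving host, protocol, TLS yes/no."""
    flat = " ".join(received_value.split())  # unfold continuation lines
    proto = WITH_CLAUSE.search(flat)
    by = BY_CLAUSE.search(flat)
    protocol = proto.group(1).upper() if proto else "UNKNOWN"
    return {
        "by": by.group(1) if by else "?",
        "protocol": protocol,
        "tls": protocol in TLS_PROTOCOLS,
    }


def cleartext_hops(raw_message: str) -> list:
    """Return the hops (most recent first) that did not report a TLS protocol."""
    msg = email.message_from_string(raw_message)
    hops = [hop_summary(value) for value in msg.get_all("Received", [])]
    return [hop for hop in hops if not hop["tls"]]


if __name__ == "__main__":
    for hop in cleartext_hops(SAMPLE_MESSAGE):
        print(f"cleartext hop into {hop['by']} (with {hop['protocol']})")
```

Two caveats when using this on real mail: a Received header is written by the server that accepted the message, so only the hops recorded by servers you trust are reliable evidence, and a hop that reports plain ESMTP is a reason to follow up with the sending organization (or to insist on an encryption service for that correspondent), not proof that the message was read.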
3. Password Guessing
Good old-fashioned guessing is another way a hacker can gain access to email. This is especially dangerous given how much personal information is put online through social media, making it easy for a hacker to find dates of birth, cellphone numbers or the names of family members, which are often used as passwords and as answers to security questions.
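One defensive counterpart to this is to refuse, at password-change time, any password built from exactly those details. The checker below is an added example, not code from the original post; the profile field names (`names`, `phones`, `birth_date`) are my own choice, and the profile and passwords are constructed for the demo.

```python
"""Reject passwords built from guessable personal details.

Added example (not from the original post). A check of this shape sits in
the password-change path and is fed the details an attacker could harvest
from social media: birth date, phone numbers and family members' names.
The profile and passwords below are constructed for the demo.
"""
import re
from datetime import date

# Undo the usual symbol-for-letter substitutions so "J4n3" still matches "jane".
LEET = str.maketrans("013457@$!", "oleastasi")

# Constructed profile (field names are this example's own convention).
PROFILE = {
    "names": ["Jane", "Doe", "Max"],      # user, surname, child's name
    "phones": ["(415) 555-0123"],
    "birth_date": date(1985, 3, 12),
}


def _normalize(text: str) -> str:
    return text.lower().translate(LEET)


def date_tokens(d: date) -> set:
    """Digit strings a person is likely to derive from their birth date."""
    y, yy, m, dd = f"{d.year}", f"{d.year % 100:02d}", f"{d.month:02d}", f"{d.day:02d}"
    return {y, m + dd, dd + m, m + dd + y, m + dd + yy,
            dd + m + y, dd + m + yy, y + m + dd, yy + m + dd}


def guessable_tokens(profile: dict) -> set:
    """Everything from the profile that should not appear in a password."""
    tokens = set()
    for name in profile.get("names", []):
        token = _normalize(name)
        if len(token) >= 3:
            tokens.add(token)
    for phone in profile.get("phones", []):
        digits = re.sub(r"\D", "", phone)
        tokens.update({digits, digits[-7:], digits[-4:]})
    if profile.get("birth_date"):
        tokens.update(date_tokens(profile["birth_date"]))
    # Digit tokens shorter than four characters would match almost anything.
    return {t for t in tokens if not t.isdigit() or len(t) >= 4}


def password_problems(password: str, profile: dict) -> list:
    """Return the profile-derived tokens found in the password (empty = OK)."""
    letters = _normalize(password)
    digits = re.sub(r"\D", "", password)
    hits = []
    for token in sorted(guessable_tokens(profile)):
        if token.isdigit():
            found = token in digits
        else:  # names: also catch the reversed spelling
            found = token in letters or token[::-1] in letters
        if found:
            hits.append(token)
    return hits


if __name__ == "__main__":
    for candidate in ("J4ne1985!", "Max0312", "correct horse battery staple"):
        print(candidate, "->", password_problems(candidate, PROFILE) or "ok")
```

This check complements, rather than replaces, a minimum length and a lookup against known-breached passwords; the same token list is also a reasonable filter for security-question answers, since the article's point is that both are guessed from the same public details.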
How to protect your email from hackers
Now that you know some of the common threats against email security, here are three steps you can take to protect your practice and realize the benefits of having HIPAA compliant email.
1. Have a plan
You can’t protect anything without a good plan in place. This can range from auditing your email security annually to having policies and procedures ready if a breach does happen. For smaller practices without IT resources, the FCC has developed a Cyber Planner to help you build one.
Your plan should also include training employees on how to recognize fraudulent emails and how to handle them. This can include common rules such as:
- Follow good password practices
- Do not open suspicious links in emails or social media posts
- Keep antivirus and anti-spyware software updated
2. Protect email with encryption
As we established earlier, email can provide a huge benefit for your practice, but emails can contain sensitive information, including PHI. Improperly securing PHI in transit and delivery could lead to a costly HIPAA violation.
Unfortunately, email isn’t protected in transit unless it is encrypted. Thankfully, there are now vendors who provide email encryption, ranging in cost and method, that works with the dominant business email clients like Microsoft Outlook, Office 365 and Google Apps.
Some encryption vendors like Paubox also include inbound protection against phishing attacks at costs even small practices can afford. Be sure the vendor you choose signs a Business Associate Agreement.
3. Don’t Wait
The best thing any health provider can do is take action right away. It doesn’t have to be expensive or complex to be secure; some of the best security comes from educating employees and encrypting emails that contain sensitive information.
You can start protecting your email today with Paubox Encrypted Email: seamless end-to-end encryption without the hassle of extra steps or portals for you or the recipients of your email.
Paubox works from any device and is HIPAA compliant. Even better, it comes with robust spam and phishing protection. Get your free 14-day trial started today.