By Robert McDermott; President/CEO, iCoreExchange

Security experts are ringing alarm bells to warn the healthcare industry that its data, its patients, and its practices are at risk.

Email is one of the most common ways attackers obtain patient data or business-critical credentials. But because many practices are short-staffed, security policies, procedures, and protocols often take a back seat to other concerns.

Attackers know this and have stepped up their efforts to reach data and networks through email. The risk is too significant for practices to keep putting off security measures.

Email security must be a top priority for every dental practice.

Top Reasons Email Breaches Occur

In HIPAA terms, a breach is an impermissible use or disclosure of protected health information. Applied to email, it means that someone who should not have access to a message, a mailbox, or the mail system has it, and the PHI it carries may have been read, copied, or taken.

Here are a few top reasons breaches occur—and tips on how to avoid a breach at your office.

  • Human error and poor training. Human error plays a part in 61% of healthcare security breaches, and many of those incidents could have been prevented by complete security training for staff. Educate employees on what not to do (click unverified links, forward PHI to personal accounts, share passwords) as well as on what they must do for HIPAA compliance. Both matter for protecting patient data.
  • Phishing attacks are prevalent. Phishing messages imitate the look and feel of email from a known vendor or partner (an Amazon order notice, a bank alert) so that a recipient who is untrained, unaware, or simply buried in email volume clicks a link, opens an attachment, or enters credentials. A successful phish is often the first step of a ransomware attack that locks the practice out of its network or data until a ransom is paid.
  • Lack of encryption or appropriate security. If your email service does not encrypt messages in transit and at rest, stop using it. Be aware that there is no official HIPAA certification: "HIPAA compliant" is a claim the vendor makes, and the practice remains responsible for checking what the service actually does (encryption at rest as well as in transit, access logging, a signed Business Associate Agreement). If you cannot confirm that, assume it is not compliant.
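To make the phishing indicators above concrete, here is a small triage script, added to this article and not part of iCoreExchange's product, that parses a raw message with Python's standard email library and reports the classic tells: a display name or sender domain that invokes a brand the practice deals with but is not that brand's real domain, a Reply-To that routes replies somewhere else, link text that shows one site while the link goes to another (or to a bare IP address), and urgency wording. The brand allow-list, the domains examplebank.com and example-dental.test, and both sample messages are constructed for the example.

```python
"""Heuristic phishing triage for a raw email message (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser

# Hypothetical allow-list: brands the practice deals with and the domain each
# really sends from. Mail that invokes a brand from any other domain is flagged.
TRUSTED_BRANDS = {"examplebank": "examplebank.com"}
URGENCY = re.compile(r"\b(immediately|within \d+ hours|suspended|action required)\b", re.I)

# Constructed sample: a lookalike "bank" alert carrying several indicators.
PHISH_EML = """\
From: "Example Bank Security" <alerts@examplebank-secure-login.com>
Reply-To: recovery@mail-verify-center.net
To: frontdesk@example-dental.test
Subject: Action required: verify your account within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Unusual activity was detected. Sign in to restore access:</p>
<a href="http://198.51.100.23/examplebank/login">https://www.examplebank.com/secure</a>
</body></html>
"""

# Constructed sample: a legitimate notice from the real domain.
CLEAN_EML = """\
From: "Example Bank" <alerts@examplebank.com>
To: frontdesk@example-dental.test
Subject: Your monthly statement is available
Content-Type: text/plain; charset=utf-8

Your statement is ready at https://www.examplebank.com/statements
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value: str) -> str:
    """Host part of a mailbox ('user@host') or URL ('scheme://host/...')."""
    m = re.search(r"(?:@|://)([^/:\s>]+)", value)
    return m.group(1).lower() if m else ""


def analyze(raw: str) -> list:
    """Return the phishing indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Brand in the display name or sender domain, but not the brand's real domain.
    name, from_addr = parseaddr(msg.get("From", ""))
    from_host = _host(from_addr)
    for brand, real in TRUSTED_BRANDS.items():
        claims = brand in name.lower().replace(" ", "") or brand in from_host
        if claims and from_host != real and not from_host.endswith("." + real):
            findings.append(f"claims to be {brand} but From domain is {from_host}")

    # 2. Replies silently routed to a different domain than the sender's.
    reply_host = _host(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_host and reply_host != from_host:
        findings.append(f"Reply-To domain {reply_host} differs from From domain {from_host}")

    # 3. Link text naming one host while the href goes elsewhere, or to a bare IP.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    collector = _LinkCollector()
    collector.feed(text)
    for href, shown in collector.links:
        href_host = _host(href)
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", href_host):
            findings.append(f"link points at a bare IP address: {href}")
        shown_host = _host(shown)
        if shown_host and shown_host != href_host:
            findings.append(f"link text shows {shown_host} but goes to {href_host}")

    # 4. Pressure to act now, the lever every phish relies on.
    if URGENCY.search(msg.get("Subject", "") + " " + text):
        findings.append("urgency language in subject or body")
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_EML), ("clean", CLEAN_EML)):
        print(label + ":", analyze(sample) or "no indicators")
```

Heuristics like these supplement the mail filter and staff training rather than replace them: a careful phish will pass all four checks, and a legitimate vendor that sends through a third-party mailing service will sometimes trip the Reply-To rule. The value is a quick, repeatable check the front desk can run on a doubtful message, and a record of what was flagged.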

What’s Required?

The HIPAA rules as they apply to email are not always spelled out clearly. Here are the basics.

HIPAA's rules for email and other electronic communications come down to assuring both the security and the privacy of electronic protected health information (ePHI), including data drawn from electronic health records (EHR), whenever it is sent by email.

The first practical requirement is encryption. Strictly speaking, encrypting ePHI in transit is an "addressable" specification of the Security Rule (45 CFR 164.312(e)(2)(ii)) rather than a "required" one: a practice that does not encrypt must document why an equivalent alternative is reasonable and appropriate, which for email is very hard to justify. So treat it as mandatory. Wherever there is PHI, whether in the body of a message or in an attachment, it must be encrypted, and that applies to email between staff inside the organization as well as to email with patients. A patient who has been told of the risk may ask to receive unencrypted email, and that request should be documented; email a patient initiates is outside your control, but your reply is not.

The Security Rule (45 CFR 164.312) sets out five technical safeguard standards, and each one applies to email.

  1. Access Controls: only authorized individuals may reach ePHI. For email that means unique user accounts (no shared front-desk logins), access limited to the mailboxes a role actually needs, and automatic logoff on shared workstations.
  2. Audit Controls: record activity in the mail system (logins, messages sent and received, administrative changes) and keep the logs, so that access to ePHI can be reviewed after the fact.
  3. Integrity Controls: policies and procedures to ensure ePHI is not improperly altered or destroyed, including protecting messages that contain it from tampering and accidental deletion.
  4. Person or Entity Authentication: verify a user's identity before granting access to ePHI. For a mailbox reachable from the internet, multi-factor authentication is the practical way to meet this.
  5. Transmission Security: protect ePHI from unauthorized access while it is in transit over a network. Encryption is the specification that satisfies this, so, as noted above, treat it as mandatory for any email carrying PHI.
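One way to check transmission security on mail you have already received, as an added example rather than anything from the article or iCoreExchange: each server that handles a message prepends a Received: header, and a server that accepted the message over STARTTLS records "with ESMTPS" (RFC 3848) and, in Postfix's case, a version= and cipher= note. The script below walks that chain oldest hop first and reports any hop that crossed the wire in plaintext or on an obsolete TLS version. The server names, addresses, and the sample message are constructed; the header layout follows what Postfix writes.

```python
"""Audit the Received: chain of a delivered message for TLS on every hop
(added example, not iCoreExchange code)."""
import email
import re
from email import policy

# Constructed sample. Received: lines are prepended by each server that handled
# the message, so the top one was written by our own MX and the lower one by
# the partner lab's server. Hosts and addresses are fictitious.
SAMPLE_EML = """\
Received: from mail.partner-lab.test (mail.partner-lab.test [203.0.113.7])
    by mx.example-dental.test (Postfix) with ESMTPS id 4F2A1C
    (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256)
    for <frontdesk@example-dental.test>; Mon, 3 Jun 2024 09:14:02 -0500
Received: from workstation7.partner-lab.test (workstation7.partner-lab.test [192.0.2.15])
    by mail.partner-lab.test (Postfix) with ESMTP id 9C01D
    for <frontdesk@example-dental.test>; Mon, 3 Jun 2024 09:14:01 -0500
From: scheduling@partner-lab.test
To: frontdesk@example-dental.test
Subject: Crown for patient 00412 ready for pickup

(body omitted)
"""

# "from <src> ... by <dst> ... with <protocol>" is the fixed skeleton of a
# Received: clause (RFC 5321 section 4.4).
HOP = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S)
WEAK_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}


def audit_hops(raw: str) -> list:
    """Return one dict per hop, oldest hop first, describing its transport."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        text = re.sub(r"\s+", " ", str(value))  # collapse header folding
        m = HOP.search(text)
        if not m:
            continue  # malformed or vendor-specific clause; skip rather than guess
        src, dst, proto = m.groups()
        version = re.search(r"version=(TLSv?[\d.]*|SSLv\d)", text)
        # ESMTPS / ESMTPSA (RFC 3848) mean STARTTLS was negotiated; a plain
        # ESMTP or SMTP transmission type means the hop was cleartext.
        tls = "SMTPS" in proto.upper() or version is not None
        hops.append({
            "from": src, "by": dst, "protocol": proto, "tls": tls,
            "version": version.group(1) if version else None,
            "weak": bool(version) and version.group(1) in WEAK_VERSIONS,
        })
    hops.reverse()  # headers are newest-first; report in delivery order
    return hops


def plaintext_hops(raw: str) -> list:
    """Hops on which the message, and any PHI in it, crossed the wire unencrypted."""
    return [f"{h['from']} -> {h['by']}" for h in audit_hops(raw) if not h["tls"]]


if __name__ == "__main__":
    for hop in audit_hops(SAMPLE_EML):
        state = "TLS " + (hop["version"] or "?") if hop["tls"] else "PLAINTEXT"
        print(f"{hop['from']} -> {hop['by']}: {state}{' (weak)' if hop['weak'] else ''}")
```

Two caveats apply when reading the result. Only the topmost Received: line, the one your own server wrote, is trustworthy; the lines below it were written by other parties' servers and can be omitted or forged. And hop-by-hop TLS protects the wire only: the message sits unencrypted on every intermediate server and in the mailbox at each end, which is why the article's final recommendation distinguishes end-to-end encryption from transport encryption. To confirm that your own server offers STARTTLS at all, `openssl s_client -starttls smtp -connect mx.example-dental.test:25` (with your real MX host) is the usual live test.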

What can you do to improve your email security?

Security experts' advice to dental leaders, practice managers, and private practitioners comes down to a short list of ways to reduce email risk and protect patients and their data.

1. Write, or update, your security policies and procedures so that they explicitly cover email: what may be sent, to whom, how it must be encrypted, and how suspicious messages are reported.

2. Train staff on the risks, and especially on recognizing suspicious email and what to do with it (do not click or reply; report it).

3. Manage vendor risk: every vendor or partner that handles PHI on your behalf, including your email provider, needs a signed Business Associate Agreement (BAA).

4. Monitor email for threats and actively monitor your network for signs of compromise.

5. Keep every application and device patched; mail clients and the workstations that read email are a common entry point.

6. Regularly audit email traffic (who sent PHI to whom, and whether it was encrypted) to catch risky habits before they become breaches.

7. Perform the HIPAA risk analysis the Security Rule already requires, and make sure email is in scope.

8. Use a secure, HIPAA-compliant email service that encrypts messages end to end and protects stored mail.

Regardless of size, medical offices and dental practices must take sufficient steps to safeguard what could be an open window into their practices.

iCoreExchange provides encrypted HIPAA email that protects your patient data and practice while creating a simpler workflow for your staff.