By Robert McDermott; President/CEO, iCoreConnect

If you’re following IT or cybersecurity news, it will be no surprise to you that email is the number one target for cyber attacks. On top of that, healthcare and finance remain the two most targeted industries.

Here’s how healthcare has been affected in the last few years:

  • Ransomware attacks against healthcare organizations have doubled in the last five years, with smaller clinics and dental offices growing in value as targets. Experts believe these figures may understate the threat.
  • Healthcare email fraud grew by 493% in 2020 and continues to be a major threat.
  • More than 4.2 million people were impacted in the largest healthcare data breach of 2023.

How do most breaches happen?

Nearly two-thirds of breaches come from employee negligence rather than an outside threat. 59% of healthcare professionals identify email as the most vulnerable point of entry.

Here’s an alarming trio of facts:

  • 88% of healthcare workers have opened a phishing email.
  • Phishing is a leading cause of healthcare attacks and breaches.
  • It often takes nearly 300 days to identify a breach caused by phishing.

What does a breach cost?

Healthcare organizations are allocating a paltry amount—approximately 6% of their budgets—towards cybersecurity; yet:

  • The cost of an average breach in healthcare is up to $10.1 million.
  • The average cost per health record is $408.

The “average cost” rarely includes the cost of security upgrades, remediation, regulatory fines, insurance hikes, lawsuits, and loss of reputation.

How are cyber attackers slipping in through email?

The short answer is that for many, email is the most vulnerable part of the tech stack. Here’s why.

  • Weak Security: If you’re getting a lot of spam or unsolicited emails, it may be an indicator that your email security is not strong enough.
  • Hacker Savvy: Hackers are getting better at spoofing and mimicking legitimate partners, vendors, and others with whom you have an established relationship. If you’re sending emails containing patient names, dates of birth, medical information, etc., you’re giving a hacker opportunities to disrupt or destroy a practice and/or harm a patient.
  • More people, More opportunity: Whether it’s the number of email accounts in your organization or the number of people checking a single administrative account, more people means a greater likelihood of human error.
  • Volume: Because of the volume of email, malicious emails can slip through—especially when they’re from more savvy senders. Also, if you’re moving quickly through many emails, you may be more prone to send patient emails with protected health information “just this once.”
  • Public email servers: Reliance on public (non-secure) email servers means security measures are likely not as stringent as they should be.

What can you do to be prepared for phishing attempts?

Pay close attention to your email security and find ways to limit your risk. A layered defense is the best defense, and the most important layer is education.

Despite the effectiveness of security training, a quarter of healthcare organizations provide no training to avoid phishing attacks. Educate yourself and your staff to be wary of emails mimicking those of legitimate partners, vendors, and others; and of your potential vulnerabilities. (You can start by sharing this article with your staff.)

You could also conduct phishing tests, where you’d send emails to staff that are similar to phishing attempts to gain an idea of how they would respond to actual attempts.

You should also educate yourself on security measures your practice should employ beyond what’s already in place. If you’re not familiar with the following means of protecting your inbox, begin arming your practice’s email communications with them immediately:

  • Encryption: Email and its data is most vulnerable when it’s in transit between inboxes. This is why encryption—which essentially scrambles the information and any files until it reaches the intended recipient—is especially important in healthcare. HIPAA requires your email be encrypted. However, you need to know encryption alone does not meet all federal HIPAA rules for electronic transmission of PHI.
  • HIPAA Compliance and Security: HIPAA requires you to control access to all email, including verifying recipients. Further, you must ensure encrypted transmissions with no alteration of data and create an auditable trail that is backed up for at least 5 years. Those requirements and the aforementioned security methods are your baseline. An average email application does not meet those standards.
  • Spam Filters: One of the best solutions to prevent falling for spam and phishing attempts is to never receive them in the first place. Use an email service that prevents unknown senders from initiating communication with you unless you reach out first.
  • Antivirus Software: Antivirus software can help identify dangerous emails by scanning them for threats and preventing their delivery.
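As an added example (written for this article, not code from iCoreConnect or iCoreExchange), the following Python shows the two inbound controls discussed above in a form a practice could run over its own mail: the "known correspondent" rule from the Spam Filters bullet, under which only addresses you have already written to may initiate a conversation, and a check for the partner spoofing described under Hacker Savvy, where a trusted display name or a look-alike domain arrives from an address you have never corresponded with. All partner names, domains and sample messages are constructed for the demonstration.

```python
from email.utils import parseaddr

# Constructed sample data (hypothetical values, not real practices).
# Addresses this practice has previously sent mail to: per the article's
# rule, only these senders may start a conversation with us.
KNOWN_CORRESPONDENTS = {
    "billing@dentallab.example",
    "dr.lee@referralclinic.example",
}
# Display names of partners a spoofer is likely to imitate, mapped to the
# only domain those names should legitimately arrive from.
KNOWN_PARTNERS = {
    "Dental Lab Billing": "dentallab.example",
    "Dr. Lee": "referralclinic.example",
}


def classify(from_header: str) -> tuple:
    """Return (verdict, reason) for one inbound From: header.

    Order matters: spoofing checks run first so that a look-alike never
    reaches the allow-list check, then the known-correspondent rule decides.
    """
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]

    # A trusted partner's display name on some other domain is the classic
    # display-name spoof; quarantine it for a human to review.
    expected = KNOWN_PARTNERS.get(name.strip())
    if expected and domain != expected:
        return ("quarantine", "partner display name on unexpected domain")

    # A domain that embeds a partner's label (dentallab-secure.example)
    # but is not the partner's domain is a look-alike, regardless of name.
    for partner_domain in KNOWN_PARTNERS.values():
        label = partner_domain.split(".")[0]
        if domain != partner_domain and label in domain:
            return ("quarantine", "look-alike domain for " + partner_domain)

    if addr in KNOWN_CORRESPONDENTS:
        return ("allow", "known correspondent")
    return ("reject", "unknown sender initiating contact")


def triage(from_headers: list) -> list:
    """Classify a batch of From: headers; returns [(header, verdict), ...]."""
    return [(h, classify(h)[0]) for h in from_headers]
```

A real deployment would feed `triage` from the mail gateway's message log and send "quarantine" results to a review queue rather than dropping them, so that a partner who changes domains is not silently lost.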

iCoreExchange is encrypted HIPAA compliant email designed with more than compliance in mind. It’s so secure that no iCoreExchange email has ever been hacked, phished, or held for ransom. If you’re ready to take email security seriously and help mitigate your risk, book an iCoreExchange demo today.