Cybersecurity best practices for email communications

Top tips and HIPAA implications.

Email is one of the top threat vectors for cyberattacks in healthcare, so security needs to be top of mind. Not only do data breaches create problems for healthcare organizations if a network is compromised, but they can also lead to trouble with the federal government.

Here are some of the top email cybersecurity tips for healthcare professionals. But first, let’s see how HIPAA plays in.

Understanding HIPAA and how it relates to cybersecurity

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that protects patient rights and privacy. The HIPAA Privacy Rule governs how protected health information (PHI) may be used and disclosed, and the HIPAA Security Rule defines the administrative, physical, and technical safeguards required for PHI in electronic form (ePHI).

Violating HIPAA can lead to significant fines and other costs. Among the most common violations is unauthorized access to or disclosure of PHI, for example when a successful phishing email hands an attacker access to a mailbox that holds patient data.

Email encryption

Even if you are never breached, sending ePHI in a plain-text email without appropriate safeguards can itself violate HIPAA. Encryption does not stop an attacker from intercepting a message on the wire, but it does stop them from reading it: only the intended recipient, holding the right key, can read the correspondence.

The Department of Health and Human Services (HHS) has left some HIPAA security requirements vague to allow organizations to choose safeguards that are best suited to their needs.

Under the Security Rule, encryption is an “addressable” implementation specification rather than a “required” one, which means a covered entity must implement it if its risk assessment determines that it is a reasonable and appropriate safeguard for managing PHI risk. If PHI is transmitted electronically (as in an email), it should be encrypted “whenever deemed appropriate.”

If covered entities determine that encryption is not the best course of action, they need to document their reasoning and implement an equivalent safeguard to protect PHI. However, there isn’t an alternative that is as effective as encryption, which means email encryption is de facto required.

Many email providers encrypt messages in transit with Transport Layer Security (TLS), but that protection has limits. SMTP TLS is negotiated hop by hop and is usually opportunistic: if the next mail server does not offer STARTTLS, the sending server typically falls back to plain text rather than refusing to deliver, and the message sits unencrypted on each server along the way. Not every mail service supports TLS at all; an estimated 10% of email is still transmitted in plain text, where anyone on the path can read it.

Therefore, to send HIPAA compliant email, use a comprehensive email encryption solution that protects all outgoing messages both in transit and at rest, rather than relying on opportunistic TLS alone.
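One way to see whether a message actually travelled under TLS is to read the Received: trace that each mail server prepends. The script below is an added example, not code from the original article: it parses a constructed sample message (made-up host names and addresses) and flags every hop that shows no evidence of TLS. It treats the RFC 3848 “with ESMTPS/ESMTPSA” keywords and the “(version=TLS1_3 …)” clause that Postfix and several hosted providers add as evidence of TLS; anything else, including purely local injection hops, is reported as plain text for review.

```python
"""Audit the Received: trace of a delivered message and flag every SMTP hop
that did not negotiate TLS.  Added example; SAMPLE_MESSAGE is constructed."""
import email
import re
from email import policy

# RFC 3848 'with' keywords that imply TLS on the hop; plain SMTP/ESMTP do not.
TLS_WITH_KEYWORDS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)")
VERSION_RE = re.compile(r"version=(TLS[0-9_.]+)", re.IGNORECASE)

# Constructed sample: the first hop (laptop -> clinic MX) used plain ESMTP,
# the second hop (clinic MX -> hospital inbound) negotiated TLS 1.3.
SAMPLE_MESSAGE = """\
Received: from mx.clinic.example (mx.clinic.example [203.0.113.10])
    by inbound.hospital.example (Postfix) with ESMTPS id 4K2Jz3
    (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256);
    Mon, 1 Jan 2024 10:00:02 +0000
Received: from laptop.clinic.example (laptop.clinic.example [198.51.100.7])
    by mx.clinic.example (Postfix) with ESMTP id 3J1Hx2;
    Mon, 1 Jan 2024 10:00:00 +0000
From: nurse@clinic.example
To: records@hospital.example
Subject: Lab results for patient 12345

Attached are the results.
"""


def hop_used_tls(received_value: str) -> bool:
    """True if this single Received: header shows the hop was TLS-protected."""
    m = WITH_RE.search(received_value)
    keyword = m.group(1).upper() if m else ""
    return keyword in TLS_WITH_KEYWORDS or VERSION_RE.search(received_value) is not None


def audit_received_hops(raw_message: str) -> list[dict]:
    """List every hop in delivery order with its TLS status and version."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    # Each MTA prepends its own Received: header, so the headers are stored
    # newest-first; reverse them to walk the path the message actually took.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(str(value).split())
        version = VERSION_RE.search(flat)
        hops.append({
            "header": flat,
            "tls": hop_used_tls(flat),
            "tls_version": version.group(1).upper() if version else None,
        })
    return hops


def plaintext_hops(raw_message: str) -> list[str]:
    """Headers of the hops that carried the message without TLS."""
    return [h["header"] for h in audit_received_hops(raw_message) if not h["tls"]]


if __name__ == "__main__":
    for hop in audit_received_hops(SAMPLE_MESSAGE):
        status = hop["tls_version"] or "PLAINTEXT"
        print(f"[{status}] {hop['header']}")
```

Run against a real message exported from your mail client, the output shows which leg of the path, if any, exposed the content. A clean trace still only proves transport encryption hop by hop; it says nothing about how the message is stored at either end, which is why the article recommends a solution that also encrypts at rest.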

Continual employee training

The easier your email security systems are to use, the better, because people are prone to making mistakes. Human error is commonly cited as a factor in the large majority of data breaches (one widely quoted estimate puts it at 95%), which is why continuous employee cybersecurity training is important.

Cybercriminals target healthcare providers with malicious emails containing malware. All it takes is one employee clicking on a link or opening an attachment for ransomware to infect your system.

Training should cover topics such as:

  • Cybersecurity policies and procedures
  • How to safely use electronic devices
  • How to recognize and block malicious emails

Attackers change their methods constantly, so employees need regular updates on current threats and how to avoid them. You can also measure your team’s preparedness with phishing simulations: send a realistic but harmless fake phishing email, track who clicks, and use the results to target follow-up training.

However, no matter how well trained your employees are, you can’t guarantee someone won’t make a mistake, which is why you need to employ robust inbound email security measures.

Inbound email security

HIPAA does not prescribe a specific inbound email security product, but the Security Rule does expect covered entities to protect against malicious software, and filtering inbound mail is the most direct way to do that for email. It also materially reduces the chance of a breach: healthcare providers are a major target because of the valuable data they hold, their broad attack surface, and the weak security practices that remain common in the field.

Cybercriminals rely on poor inbound email security and human error to infiltrate your system. They can lock you out of your network and affect your ability to treat patients or demand a ransom for the safe return of stolen data.

The HHS Office for Civil Rights (OCR) may investigate after a breach, and if it finds you at fault the result can be heavy fines and a corrective action plan.

Ultimately, it’s less expensive to implement inbound email security than to become a victim of a cybercrime.
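To make “inbound email security” concrete, the script below is an added example (not code from the original article) of the checks a mail gateway applies before a message reaches an inbox: the SPF/DKIM/DMARC verdicts the receiving server stamps into the Authentication-Results header (RFC 8601), a display name that impersonates an internal address, a Reply-To that points at a different domain, and executable attachments. The internal domain hospital.example, the point values, the quarantine threshold, and both sample messages are constructed for illustration and would be tuned to your own environment.

```python
"""Score an inbound message on common gateway signals and decide whether to
deliver or quarantine it.  Added example; the domain, thresholds and both
sample messages are constructed, not taken from any product or standard."""
import email
import re
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "hospital.example"   # assumed; substitute your own domain
BLOCK_THRESHOLD = 50                   # assumed policy value, not a standard
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".lnk")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)

# Constructed sample: authenticated mail from a partner clinic.
LEGIT_SAMPLE = """\
Authentication-Results: inbound.hospital.example;
    spf=pass smtp.mailfrom=nurse@clinic.example;
    dkim=pass header.d=clinic.example;
    dmarc=pass header.from=clinic.example
From: Nurse Jones <nurse@clinic.example>
To: records@hospital.example
Subject: Lab results for patient 12345

Results are available through the secure portal.
"""

# Constructed sample: attacker-owned domain (so SPF passes), internal address
# in the display name, off-domain Reply-To, and a disguised executable.
PHISHING_SAMPLE = """\
Authentication-Results: inbound.hospital.example;
    spf=pass smtp.mailfrom=billing@mail-relay.example;
    dkim=none;
    dmarc=none header.from=mail-relay.example
From: "records@hospital.example" <billing@mail-relay.example>
Reply-To: settle-now@payments.example
To: dr.smith@hospital.example
Subject: Overdue invoice - action required
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

MZ
--b1--
"""


def auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts from the Authentication-Results headers."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(str(value)):
            results[method.lower()] = verdict.lower()
    return results


def domain_of(header_value) -> str:
    """Domain part of an address header, or '' if the header is absent."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def score_message(raw: str) -> tuple[int, list[str]]:
    """Return (risk score, reasons) for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = auth_results(msg)
    sender = msg["From"].addresses[0] if msg["From"] and msg["From"].addresses else None
    from_domain = sender.domain.lower() if sender else ""
    display_name = sender.display_name.lower() if sender else ""
    findings = []

    if auth.get("dmarc") == "fail":
        findings.append((50, "DMARC fail"))
    elif auth.get("spf") != "pass" and auth.get("dkim") != "pass":
        findings.append((30, "neither SPF nor DKIM passed"))
    if from_domain == INTERNAL_DOMAIN and auth.get("dmarc") != "pass":
        findings.append((40, "From claims the internal domain without a DMARC pass"))
    if INTERNAL_DOMAIN in display_name and from_domain != INTERNAL_DOMAIN:
        findings.append((40, "display name impersonates an internal address"))
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append((20, f"Reply-To domain {reply_domain} differs from From"))
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append((60, f"executable attachment {name}"))

    return sum(points for points, _ in findings), [reason for _, reason in findings]


def verdict(raw: str) -> str:
    """'quarantine' when the score reaches BLOCK_THRESHOLD, otherwise 'deliver'."""
    score, _ = score_message(raw)
    return "quarantine" if score >= BLOCK_THRESHOLD else "deliver"


if __name__ == "__main__":
    for label, sample in (("legit", LEGIT_SAMPLE), ("phish", PHISHING_SAMPLE)):
        score, reasons = score_message(sample)
        print(f"{label}: {verdict(sample)} (score {score}) {reasons}")
```

Note that the phishing sample passes SPF because the attacker controls the sending domain; authentication results alone would let it through, which is why a gateway combines them with content and impersonation checks. Only trust Authentication-Results headers that your own edge server wrote; an outside sender can forge that header, so a real gateway strips any copy that arrives from the internet before adding its own.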

Conclusion

The most significant security risk isn’t related to your IT system; it’s your employees who are prone to human error and falling victim to email scams. That’s why staff training is so crucial to preventing cyberattacks.

But no matter how much training you conduct, human error is unavoidable, which is why having robust inbound email security is a must for healthcare as well.

Even if your own mail service supports encryption, a message can still be delivered in plain text when the recipient’s server does not negotiate TLS, and sending ePHI that way can itself be a HIPAA violation. Add an additional layer of protection that does not depend on the recipient’s server before sharing ePHI with patients via email.