1. Prevent Successful Attacks with Email Threat Protection
One of the easiest ways to prevent phishing, ransomware and malware attacks is to stop them from getting in front of end users in the first place. Email protection tools, especially those updated on a regular basis based on real-time threat analysis, are designed to analyze incoming emails and quarantine suspicious messages, flag risky URLs and isolate attachments. These steps keep threats out of inboxes while making sure that legitimate, business-critical messages get through quickly.
2. Automate Email Encryption to Protect Patient Data
Though HIPAA doesn’t explicitly require the encryption of protected health information, it does provide “safe harbor” in the event of a breach of PHI that has been encrypted at rest or in transit. Encrypting email automatically — using content filters based on predefined policies and requiring no action on the part of the end user — removes the extra steps often associated with sending encrypted email while ensuring compliance with corporate policies and federal regulations.
3. Use Data Loss Prevention Tools
Typically deployed in conjunction with email encryption, data loss prevention tools look for sensitive information within outgoing email messages to ensure that unencrypted PHI isn’t accidentally sent. In addition, organizations can create data loss prevention filters to prohibit users from sending patient data to personal email accounts, or to prevent users with a given role from sending patient or financial data to external email addresses.
4. Implement Electronic Communication Archiving
Likewise, while HIPAA doesn’t require the use of archiving technology, it does require health systems and other covered entities to maintain electronic communications for at least six years. Organizations have primarily focused on email communication, but today’s patients talk to health systems and their providers in many other ways, from social media to chatbots and videoconferencing. A communication archiving strategy that encompasses each of these data sources ensures regulatory compliance while providing access to records in a single, secure location.
5. Improve Security with Multifactor Authentication
Multifactor authentication, which requires users to enter a second piece of information to access a clinical application, helps to combat phishing attacks that target username and password combinations. However, increasingly sophisticated attacks now target the SMS codes or authenticator apps that commonly deliver authentication codes. Hardware tokens, such as those based on the FIDO2/WebAuthn standard, are more resistant to phishing attempts, and the authentication code also arrives faster than codes texted to a smartphone.
6. Leverage Secure File Sharing
Data size limits and other file-sharing restrictions on corporate email accounts can steer healthcare professionals to more convenient but less secure means of sharing files. A secure file-sharing tool available as an email add-on or through a web portal enables sharing of medical images and patient records in familiar clinical workflows, while features such as electronic signatures and viewing rights management help ensure that files only go to the right recipients.
7. Conduct Security Awareness Training
Employee training programs should cover appropriate use of all technology applications that use PHI, from email to electronic health record systems. Data loss prevention tools, for example, can help email users see what types of messages are flagged and why, or they can highlight which confidential information has been encrypted. In addition, cybersecurity training should cover social engineering, as this will help employees identify the warning signs of a phishing email designed to make them take action — typically out of urgency or fear — to unknowingly provide PHI to an attacker.
Brought to you by: