Apr 13 2022

7 Email Security Strategies to Keep Patient Data Safe from Evolving Cyberattacks

Data breaches are at an all-time high, and healthcare organizations can’t afford to let patient data fall into the wrong hands. These tools and strategies can help.

The number of data breaches reported to the U.S. Department of Health and Human Services hit an all-time high in 2021, with 679 incidents reported according to Critical Insight’s “2021 Healthcare Data Breach Report.” These breaches affected 45 million Americans, which was also an all-time high.

It’s no secret that medical records are valuable to cyberattackers. As Advisory Board points out, the combination of a patient’s name, address, financial information and social security number is enough to take out a loan or set up a line of credit. That’s far more than an attacker can do with an SSN or credit card number alone.

Research from the Healthcare Information and Management Systems Society found that phishing and ransomware are the most significant security threats for healthcare organizations.

DISCOVER: Explore how Zix Corp. helps healthcare organizations maintain HIPAA compliance.

Email-based cyberattacks have a clear and significant financial impact: Research from IBM shows that healthcare organizations spend about $9.2 million to mitigate a data breach, which is more than any other industry. Increasingly, though, the impact is also clinical. According to the Ponemon Institute, the majority of hospitals hit by ransomware report delayed care, a longer length of stay for patients and an increase in patients being sent to other facilities.

With resources scarce to prevent cyberattacks — and the consequences dire when an incident occurs — it’s critical for healthcare organizations to take a focused approach to cybersecurity. These seven email security tools and strategies will protect patient data from cyberattacks without restricting its movement throughout an organization and compromising patient care.

Click the banner below for more HealthTech content on cybersecurity and protecting patient data.

1. Prevent Successful Attacks with Email Threat Protection

One of the easiest ways to prevent phishing, ransomware and malware attacks is to stop them from getting in front of end users in the first place. Email protection tools, especially those updated on a regular basis based on real-time threat analysis, are designed to analyze incoming emails and quarantine suspicious messages, flag risky URLs and isolate attachments. These steps keep threats out of inboxes while making sure that legitimate, business-critical messages get through quickly.

2. Automate Email Encryption to Protect Patient Data

Though HIPAA doesn’t explicitly require the encryption of protected health information, it does provide “safe harbor” in the event of a breach of PHI that has been encrypted at rest or in transit. Encrypting email automatically — using content filters based on predefined policies and requiring no action on the part of the end user — removes the extra steps often associated with sending encrypted email while ensuring compliance with corporate policies and federal regulations.

RELATED: Learn 8 ways to create a strong security culture in healthcare.

3. Use Data Loss Prevention Tools

Typically deployed in conjunction with email encryption, data loss prevention tools look for sensitive information within outgoing email messages to ensure that unencrypted PHI isn’t accidentally sent. In addition, organizations can create data loss prevention filters to prohibit users from sending patient data to personal email accounts, or to prevent users with a given role from sending patient or financial data to external email addresses.

4. Implement Electronic Communication Archiving

Likewise, while HIPAA doesn’t require the use of archiving technology, it does require health systems and other covered entities to maintain electronic communications for at least six years. Organizations have primarily focused on email communication, but today’s patients talk to health systems and their providers in many other ways, from social media to chatbots and videoconferencing. A communication archiving strategy that encompasses each of these data sources ensures regulatory compliance while providing access to records in a single, secure location.

5. Improve Security with Multifactor Authentication

Multifactor authentication, which requires users to enter a second piece of information to access a clinical application, helps to combat phishing attacks that target username and password combinations. However, increasingly sophisticated attacks now target the SMS codes or authenticator apps that commonly deliver authentication codes. Hardware tokens, such as those based on the FIDO2/WebAuthn standard, are more resistant to phishing attempts, and the authentication code also arrives faster than codes texted to a smartphone.

LEARN MORE: How healthcare organizations can keep active on email security.

6. Leverage Secure File Sharing

Data size limits and other file-sharing restrictions on corporate email accounts can steer healthcare professionals to more convenient but less secure means of sharing files. A secure file-sharing tool available as an email add-on or through a web portal enables sharing of medical images and patient records in familiar clinical workflows, while features such as electronic signatures and viewing rights management help ensure that files only go to the right recipients.  

7. Conduct Security Awareness Training

Employee training programs should cover appropriate use of all technology applications that use PHI, from email to electronic health record systems. Data loss prevention tools, for example, can help email users see what types of messages are flagged and why, or they can highlight which confidential information has been encrypted. In addition, cybersecurity training should cover social engineering, as this will help employees identify the warning signs of a phishing email designed to make them take action — typically out of urgency or fear — to unknowingly provide PHI to an attacker.

Brought to you by:

SDI Productions/Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT