Healthcare Organizations Are Falling Behind in Email Security

By Ron Samson Jr

Scenic Bluffs notifies patients of security breach

By County Line | Posted April 27th, 2018 |

Editor’s note: Scenic Bluffs Community Health Centers prepared the following press release on its security breach in late February.

Cyber attackers gained limited unauthorized access to one staff email account within the Scenic Bluffs Community Health Centers system and may have obtained some information relating to patients.

“SAN FRANCISCO – As many as 80 million customers of the nation’s second-largest health insurance company, Anthem Inc., have had their account information stolen, the company said in a statement.” – USA Today – February 4, 2015

“In Workarounds to Computer Access in Healthcare Organizations: You Want My Password or a Dead Patient?, security researchers from Penn, Dartmouth and USC conducted an excellent piece of ethnographic research on health workers, shadowing them as they moved through their work environments, blithely ignoring, circumventing and sabotaging the information security measures imposed by their IT departments, because in so doing, they were saving lives.” – BoingBoing – June 28, 2016

In the three article quotes above, we can see the problem in the healthcare industry that leads to huge breaches in security.

  • Scenic Bluffs was hacked via an employee’s email account. This is the number one way that attackers gain access to a healthcare system.
  • The Anthem breach was massive. They even got the CEO’s information. Interestingly, they didn’t try to steal medical data. The attackers stole names, addresses, birth dates, and social security numbers. They wanted the information that allows them to steal money and money is the goal.
  • The research at Penn, Dartmouth, and USC shows that the real problem in healthcare is not technology; it’s staff that seek to actively circumvent the security put in place.

Cyber threats

Cyberattacks are meant for steal personal health information (PHI) which can be worth over $200 on the black market and to steal money via ransomware.

Ransomware – In a healthcare facility, ransomware is even more devastating than with a regular firm. Not only are those files protected by HIPAA, which carries high penalties for unsecured data, but a hospital can’t even provide medical care without the patients’ charts. The entire business can grind to a halt.

Malware – Malware comes in many forms. Things like spyware, Trojan horses, and worms are all executable files that can damage files, steal information, and wreak havoc. Most of these threats arrive via email and are activated by someone’s activity, such as clicking a link or downloading a file.

Phishing – In a phishing attack, someone in a company will receive an email that requests restricted information, like a password or someone’s file. The entire scheme relies on someone inside the company being scammed into believing that they are sending information to someone who should have it.

Other threats include insider breaches, increased use of cloud technology,and  internet-enabled devices.

Challenges

Limited Spending  – One of the biggest challenges that healthcare enterprises have is that there has been traditionally low spending on cyber security. The federal government spends 16% of its IT budget on cyber security, whereas healthcare companies often spend as little as 12%. This, according to Symantec, is the reason that healthcare businesses are notoriously susceptible to breaches.

High Demand for PHI on black market – PHI is a hot commodity on the black market. According to the FBI, a social security number is only worth $1, but the electronic health records (EHR) are worth $50. All of this information allows criminals to steal a customer’s credit, fraudulently charge medical care, order prescriptions, and much more. They are also harder to discover. It often requires that the patient is vigilant, as well as that the enterprise is watchful.

BYOD (Bring your own device) Policies – As a cost-saving measure and to provide convenience for their staff, 81% of healthcare companies have a bring your own device (BYOD) policy. Nearly half of those companies are not doing anything special to secure those devices. These are a simple gateway into the company’s secure data. In one case in Los Angeles, two unsecured laptops that were stolen had the information of about 700,000 patients on it. These policies represent a significant risk in the security of PHI.

Negligence by employees– Behind active attacks, the next most significant risk is negligence. Opening an email with a malicious attachment or sending PHI to someone who isn’t supposed to have it. The counter to this problem is nothing more than good training. Teaching employees to spot risks and to know how to deal with them is at the heart of successfully maintaining PHI security and avoiding mistakes that lead to the loss of thousands of patients’ health records.

Best Practices to Secure PHI and Avoid Security Breaches

There are some simple, but vital, ways to avoid security breaches.

  1. Train usersAs the examples above and any survey of healthcare breaches show, the biggest problem inside of the healthcare industry is humans. The problems are often out of inattention or intentional avoidance of policies. Most people simply don’t understand the dangers of releasing some on this information. Users need to be trained to understand that what seems like an inconvenience is really there to protect them and their patients. With multiple federal and state laws that cover employee behavior, they are putting themselves in jeopardy by not keeping tight control over personal health information (PHI). More than that, often, as in the Anthem breach, it’s not as much about the medical data as all of the personal data that we have on our medical records. Our name, address, telephone number, email address, and even our Social Security number are all on our medical files. This information will allow an attacker to sell or use that data to access our credit lines and funds.
  2. URL Defense – Emails that contain URLs, particularly ones that are easily clickable, can be scanned to ensure that they don’t lead to malicious sites. The Data Security Manager can even create a list of accepted URLs that will restrict links in emails only to those sites that are approved and pertain to work.
  3. Attachment defense – A favorite of attackers is to place an attachment onto a document that looks legitimate, but that contains malware. A complete email defense system will ‘sandbox’, or temporarily quarantine emails with attachments, and will take the time to scan the attachments for malware and other malicious programs. After the document has been scanned, it’s released to the recipient.
  4. Data Loss Prevention – A simple house rule that clearly states that no PHI can ever be sent by email. This is a great place to start, but one of the ways to ensure that it doesn’t happen is to have your email defense system scan outgoing emails for things like Social Security number, patient numbers, etc. This will flag the email and bring it to the attention of the Data Security Manager. Not only will this keep the data from going out but helps to create a teachable moment for the DSM.
  5. Encryption – Essential for HIPAA compliance and security as a whole, encrypting emails greatly reduces the risk that data within emails will be compromised. Confidential data like social security numbers should not be sent via email but such as information on procedures, X-rays, CT-scans are often sent as attachments.
  6. Email disclaimer – An email disclaimer that is on the bottom of every company email can help to define the role of the recipient. This example form the University of Miami is typical of the type of disclaimer that organizations should use: “The information contained in this transmission may contain privileged and confidential information, including patient information protected by federal and state privacy laws. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution, or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.” This is a legal disclaimer that shows that the organization recognizes that sensitive data might be being passed and that the recipient has a responsibility to report and destroy the message.

Clearnetwork can help. Our advanced email security has all the features that healthcare organizations need to stay ahead of threats. We offer end to end encryption, data loss prevention, URL and attachment defense, archiving, zero hour threat detection and more. Our support team also responds in minutes and will even provide support to end users. Check out our service here, give us a call at 800-463-7920 x3 or email us at sales@clearnetwork.com

Conclusion

At the heart of maintaining patient privacy is email security. As the single biggest gap in the protection system, it’s an area that requires extra attention and training. None of the solutions is complex or difficult, but each one requires that your team works hard to keep up the highest standards.