Recorded February 24, 2021
Tips to Improve Email Security for Your Healthcare Practice
Today, using only a password to protect your email is not enough. Hackers are getting smarter, and your practice could be one click away from an email data breach. Adopt these five tips to secure your practice.
In 2019, ninety-four percent of malware was delivered via email. Sixty-three percent of confirmed data breaches involve leaked or stolen passwords. Sixty-four percent of organizations have experienced increased phishing attacks in the last year.
These are just a few instances of threats arising from emails that might have financial and reputational implications counting into millions of dollars for your organization. What is most surprising is the sheer volume of dangerous content and email. The ramp-up in the market was significant and notable once COVID-19 became a global hot button that anyone could capitalize on. Secondarily, the complete lack of education on the employee side.
Another important point to note is that many people think their email is safe just because they have to log in with the password. Today, using only a password to protect your email is not enough. It would be best if you had multifactor authentication. There are a lot of breaches that have resulted in a compromised password. Hackers are hacking people’s inboxes by clicking the forgot password button and accessing information within an encrypted portal. Nowadays, viewing a password alone as security for email is a little bit like viewing a cable lock on the front door of your house as security. You put a cable lock thinking no one can walk in and push the door, but the whole purpose is so easily defeated with hand tools. Similarly, with the computation power available today, a password without multifactor authentication is defeated with time.
With digital transformation in healthcare, remote monitoring and virtual care models are bound to use multiple communication channels. This shift in fundamentals of the business is changing the way patients are going to be cared for. They will no longer need to come to the clinic. This change increases the vulnerability and different endpoints from a security standpoint.
In this webinar, Paddy Padmanabhan, Dave Ledoux of Nizhoni Health, and Greg Hoffman of Paubox discussed email security for healthcare practices and shared valuables tips to keep your emails and online presence safe.
- Maintain HIPAA compliance when sending or receiving email: Understand what qualifies as protected health information (PHI). Anything that can identify a patient and is used during their care is a PHI. For example, medical record number, unique identifying number, an invoice with billing information, appointment reminders, and blood test results. A simple name, phone number, email address, birth date, Social Security number, even a picture of a patient could qualify as PHI. So be sure that you and your staff are both aware of what it is and when you are handling it.
- Change human behavior by making people aware of how they could be exposed to phishing attacks: Ninety-one percent of phishing attacks are incredibly easy to do. They come from a fake Gmail, AOL, or Yahoo! email address. You cannot blacklist these domains—no links or attachments, no way to flag them. It is just one human tricking another using their fake authority. They change the display name to match someone of importance within your organization, maybe your CEO or CFO, and they say we need money to be sent to us, sensitive data, direct deposits to be redirected. Another type of phishing attack is using a spoofed domain, where a support guy can ask you to update your version of Microsoft or Windows, thus gaining access to your sensitive data.
- Minimize human error: Humans are our most significant attack source, but this is also a non-issue if we can put in place a smart system and reduce the human element to as small an attack surface as possible. My system should act as a barrier against all problems ninety-five percent of the time. After all, all spoofing and phishing attacks take advantage of human anxieties. Another important consideration here is that these kinds of vulnerabilities are not restricted to corporate entities alone, but also involve the business associates. Often, the business associates are the ones who are the points of vulnerability for health systems in the back door entrance. Therefore, it pays to ensure that both host and vendor meet the same requirements for online security and are HITRUST CSF certified.
- Maintain compliance with security: Use an email hosting provider who is willing to sign a business associate agreement to secure the data using HIPAA compliant methods. You must be sure that when you are transmitting data, it is encrypted.
- Instilling a healthy security behavior of your employees: Socialize internally and organize training sessions to inform employees of things to be wary of like, a free Amazon gift card, a bank reaching out to inform there is a problem with their account or card and asking for sensitive data, or any fellow employee or internal department reaching out to ask you for social security number. These are the ways of a fraudster and not how a bank, a retailer, or an organization would approach you.
For queries, write to email@example.com
CEO @Damo Consulting
Paddy Padmanabhan is the author of the best-selling book Healthcare Digital Transformation – How Consumerism, Technology and Pandemic are Accelerating the Future. He is the founder and CEO of Damo Consulting, a digital transformation advisory firm that works with healthcare enterprises and digital health companies. He is the host of The Big Unlock, a podcast focusing on healthcare digital transformation. He is also the author of the book The Big Unlock – Harnessing data and Growing Digital Health Businesses in a Value-based Care Era.
CIO @Nizhoni Health
Dave Ledoux is the CIO of Nizhoni Health. Dave ensures that the most innovative methods and industry-leading tools are leveraged across the company’s clinical and operations teams to create high-performing processes and teams.
Account Executive @Paubox
Greg Hoffman is a Senior Enterprise Account Executive at Paubox primarily focused on building and maintaining customer relationships. Greg helps customers solve email security issues while navigating their internal policies and procedures.