
Is a Potential Email Breach Among Your Biggest HIPAA Vulnerabilities?


A five-step plan for minimizing risk.

Robert McDermott

If you knew several of your neighbors had been victims of theft, from homes or cars in your neighborhood, you would likely take the initiative to safeguard your property before you became the next target. When it comes to the security of your practice, the alarm bells are ringing. Security experts and agencies are warning the healthcare industry that its data, its patients and its practices are at risk.

Perhaps more importantly, they are also letting healthcare leaders, practice managers and those in private practice know that there are ways to mitigate security risks and protect patients and their data. Yet despite breaches being a significant threat, email security is often overlooked in practice security protocols.

For the time being, the rules regarding HIPAA compliance specific to email are not always immediately clear, so let’s quickly focus on the basics.

There are five technical safeguards required for HIPAA-compliant email:

1. Access Controls. Access to PHI must be restricted to authorized individuals only.

2. Audit Controls. Email history and transmissions must be monitored and an auditable trail maintained.

3. Integrity Controls. Practices must employ policies and procedures to ensure ePHI is not improperly destroyed or altered.

4. Authentication. Security measures must verify an individual’s identity prior to granting them access to electronic protected health information (ePHI).

5. Transmission Security. Transmitted PHI must be encrypted.

What is an Email Breach?

An email breach is a serious security incident in which a single email, an email account or an entire email system has been “impermissibly used or disclosed.” In other words, someone who shouldn’t have access to your email does, and they may be taking your data. Here are the leading factors behind breaches:

1. Human error and poor training. 61% of healthcare security breaches involve human error, much of which could be prevented with proper and complete security training for your staff.

2. Phishing attacks are prevalent. Phishing attempts replicate the look and feel of emails from known vendors or partners (e.g., Amazon or your bank) so that recipients who are unaware, untrained or simply overwhelmed by email volume may be vulnerable to making mistakes.

3. Lack of encryption or appropriate security. If you aren’t sure your email service is 100% HIPAA compliant (beyond just encryption), then it probably isn’t.

So what can you do to improve your email security?

1. Create, update or enhance your security protocols and policies to include email security.

2. Train your staff in all security risks and concerns, especially in recognizing suspicious emails and the proper actions to take.

3. Employ vendor risk management strategies, such as Business Associate Agreements (BAA).

4. Consider a full HIPAA risk assessment that includes email.

5. Employ a secure, HIPAA-compliant email solution that protects your email with end-to-end encryption and safeguards stored messages.

While email security is a vital component of practice and patient data security, it is often overlooked. Whatever the reasons, hackers and bad actors are aware of these vulnerabilities and have increased their efforts to reach data and networks through email. In response, dental practices, regardless of their size, must take sufficient steps to safeguard what could otherwise be an open window into their practice.

Mr. McDermott is president and CEO of iCoreConnect, a NYSDA-endorsed partner. Book a demo today to see how iCoreExchange encrypted HIPAA email can protect your patient data and your practice, while creating a simpler workflow for your staff. Or call (888) 810-7706 to talk with an iCoreConnect sales rep about iCoreExchange.
