Electronic Health Reporter

By Idan Udi Edry, CEO, Trustifi.

Physician-staffing firm, EmCare, became the latest of several victims within the healthcare industry of an email phishing scam, as an unidentified hacker recently gained access to the accounts of multiple EmCare employees. The fallout was devastating: 60,000 people–more than half of which were patients–saw their personal information, such as names, birthdates, private clinical data and even Social Security numbers become compromised.

Company officials at EmCare have declined to provide specifics on when they first became aware of the email breach but offered that their focus going forward will be centered on “… providing impacted individuals information about the incident and guidance on how they can protect themselves.”

An alarming trend

The recent EmCare email breach is not an isolated incident within the healthcare industry. In fact, healthcare has become the most vulnerable industry for such incidents as the number of email data breaches in the last two years has witnessed a bigger increase in healthcare than in any other industry.

A recent article published on ModernHealthcare.com shows that the number of reported healthcare email breaches doubled between 2016 and 2017. While the number of incidents plateaued in 2018, the number of individual healthcare records that were exposed doubled from last year.

So why have healthcare providers become such a popular target among phishing hackers? While the financial industry is obviously “where the money’s at,” financial institutions have made it very easy for their customers to cancel and replace a stolen credit card. But you can’t just cancel and replace your social security number or other private information, and nowhere is such data more readily available to hackers than in healthcare records.

The problem

When you purchase a car, no one asks you if you’re going to get car insurance. It’s assumed that you will because it’s of vital importance. Yet for some reason, the same logic doesn’t apply to email security. Even for healthcare providers whose databases contain private information that if compromised, could place their patients in dire circumstances.

As evidenced by the alarming recent spike in healthcare email breaches, merely training your employees on email security simply doesn’t suffice — it’s like closing your front door without locking it.

With hacking methods only getting more sophisticated, you must “lock the door” and protect your patients’ and employees’ critically sensitive information by arming your company’s email servers with top-level security.

The solution

Luckily, there are several effective measures healthcare providers can take to protect their patients and themselves from email breaches:

Encrypt your emails

Encryption is the process by which written digital content is converted into code that only authorized users can retrieve and convert back into text.

Email encryption serves as a valuable tool in protecting documents that are confidential or sensitive in nature, as maneuvering around encryption is a virtually impossible task for even the cleverest hackers.

You should also invest in an email encryption service that offers two-way encryption, which is the capacity to encrypt any email the intended recipient may send back to you, even if the recipient isn’t signed up for the same service as you. That way, emails will enter your inbox as securely as when they were sent out.

Add an extra layer of security

Computer passwords are now an outdated form of security and are extremely easy for hackers to obtain, yet so many people continue to rely solely on passwords for email security.

Protecting your emails with a login password is fine, but when patients’ sensitive information is at stake, it should be considered the first step. You should fortify your email security with an extra line of defense in the form of multi-factor authentication, which is the process by which a one-time code is sent directly via text message to the intended recipients.

This ensures that only people who have access to the mobile device to which the code is texted can gain access to any email you send.

Hassle-free is key

The problem with most email encryption services nowadays is that they’re so complicated and cumbersome to utilize, especially for the person receiving the encrypted email, so it’s not even worth the effort to try. If your encryption service is a hassle for your staff to use or they know the recipient won’t be able to decrypt and open easily, they simply won’t bother.

That’s why it’s essential both from a security and an efficiency standpoint to invest in an encryption service that’s hassle-free.

Train your staff

Even with hassle-free email encryption in place, it’s crucial to train your staff so that they know how to use it. After all, one mistake in using an encryption service can result in the next massive email breach.

In fact, multiple studies reveal that human error is seven times more likely to result in an email breach in the healthcare industry as compared to other industries.

Email breaches of healthcare providers are nothing short of disastrous. And not only for the patients and employees whose private personal information becomes compromised, but also for the companies themselves as healthcare email breaches cost millions of dollars to resolve.

According to a recent article published by The HIPAA Journal, healthcare data breaches cost $408 per individual record–the highest mark of any industry (financial services data breaches came in second place at $206 per record).

With healthcare providers being targeted by hackers at an all-time high, now is the time  for healthcare providers to invest in a high-quality, hassle-free email encryption service.