PCI DSS 4.0 - Are You Ready? Get a Discount on a Readiness Assessment - Learn More
Author Picture

Updated on December 8, 2022 by Mike Mariano

The email security problem in the healthcare industry has always been a large issue. In recent years, especially during the COVID-19 pandemic, this has led to a dramatic increase in security breaches in the healthcare industry. For example, in 2020 during the peak of the pandemic, the healthcare industry saw an overwhelming 55.1% increase in security breaches. These breaches resulted in ransomware attacks and the theft of patient medical records and personal information on a level not seen before.  

One of the main sources of these types of security breaches was a lack of email security and phishing and ransomware protections across the entire healthcare industry.   

So, how big of a problem are ransomware and data theft in the healthcare industry and how do cybercriminals expose vulnerabilities in email security to implement attacks? Also, how can healthcare organizations better secure email to protect themselves from ransomware attacks and data breaches? 

These are the kind of questions that cybersecurity professionals are currently analyzing to address this incredibly large and complex problem that the healthcare industry is currently facing. Let’s take a look at a few of these questions and see what is currently being done to find solutions to these monumental challenges. 

How big of a problem is email security in the healthcare industry? 

We already mentioned that the healthcare industry saw a 55.1% increase in 2020 in the number of security breaches that were reported. The number of reported security breaches continues to rise in 2021 and 2022. For example, in 2021, it is estimated that a total of 66% of all healthcare organizations in the United States experienced some type of security breach.  

The healthcare industry is a prime target for cyber-attacks for two main reasons. First, medical records contain extremely sensitive information, that when harvested, can be sold on the black market for much more than any other type of data out there.  

Second, the healthcare industry pays ransoms at a much higher rate than any other industry out there. It is estimated that the healthcare industry pays ransoms at a rate of more than 60% of the time compared to the cross-industry average of 46%. Not only do healthcare organizations pay ransoms more frequently, they often pay more with the average ransom reaching $10.1 million between March 2021 to March 2022.  

Related article: Why Healthcare Security Is a Must.

Why is email the number one attack vector for healthcare organizations? 

Email is used to communicate protected health information by approximately 80% of all healthcare organizations in the United States. Because of this dependence on email, cybercriminals have identified healthcare email systems as an often under-protected gateway to accessing extremely sensitive information and deploying phishing and ransomware attacks.  

How can healthcare organizations secure email and prevent attacks data breaches? 

Now that the problem of email security and the security breaches that have and continue to occur because of weak email security has been identified, it is important to address the situation. There are a number of solutions that large organizations in the healthcare industry have been implementing to better secure email.  

Here is a breakdown of a few of these solutions that seem to be making the biggest impact.  

  1. Email encryption: Basic email encryption is when the content of emails and any attached files are scrambled to prevent anyone other than the intended recipient from viewing the content. Intercepted emails that are encrypted are pretty much impossible to decipher. There are two main types of email encryption. There is Transport Layer Security which is encryption to protect emails in transit, and end-to-end encryption which requires recipients to authenticate themselves to properly view the email.  
  2. Secure email gateways: A secure email gateway works to filter out spam and potentially malicious emails before ever hitting the inbox. Secure email gateways scan every email and use a blacklist of known malicious IP addresses and domains to block emails sent from these sources. Additionally, these secure email gateways can utilize antivirus software to scan files for signatures of known malware.  
  3. Multi-factor authentication: Multi-factor authentication is critical to prevent stolen or compromised passwords from being used by bad actors to access accounts and impersonate users within an organization. Often, credentials can be compromised in a phishing attack or by using brute force hacking tactics. Multi-factor authentication creates an additional layer of security by requiring an additional form of authentication.  
  4. DNS filtering: DNS filtering can provide time-of-click protection that can prevent users from opening up malicious links in emails and downloading certain file types as attachments.  
  5. Automated awareness testing: Specialized platforms like KnowBe4 help to make regular cybersecurity testing of employees an automatic part of your company’s operations. These automated testing procedures can be set up just once a year and programmed to enroll employees into remediation training. 
  6. Analyze and inspect all inbound and outbound emails: By analyzing and inspecting all inbound and outbound email traffic, an organization can scan all inbound emails for malware and all outbound emails to identify emails that may contain sensitive health information being sent to unauthorized recipients.  

Internal Training is the Best Prevention for Healthcare Data Breaches 

It is critical that all of an organization’s employees are educated on how to recognize and avoid phishing attacks and what to do in the event that they maybe click on something that compromises their account and/or device. Additionally, an IT team could test employees by sending their own phishing emails to identify who may be at risk of allowing a phishing attack and then follow up with that specific employee with some additional training. 

I don’t think there’s a way to really prevent this type of attack. You can avoid the bait by verifying the senders of emails and the server that they are being sent from, but it’s very difficult for an automated system to weed those emails out. So, everyone from your CEO to entry-level employees need to recognize the red flags.  

The best thing company can really do is very frequent employee training. For us, for example, training happens monthly and, because of that, we have very few instances of employees making mistakes with phishing type of emails. Th clicking ratio on the test emails that we send out has gone way down.  

The other important aspect to keep in mind is awareness. It’s about trying to keep employees on their toes rather than doing training once a year. This helps address the fact that attack techniques are changing all the time and everyone can use a reminder of the red flags that they need to be aware of. The more frequently employees are trained on the subject, and made aware of the issue, the better they will react when a threat presents itself in real life.  

What are the most secure email platforms? 

There are a number of email platforms that boast some of the best protections and most advanced security features to protect all data being transmitted. Here is a list of the top 5 most secure email providers. 

  • ProtonMail 
  • Startmail 
  • Tutanota 
  • Zoho Mail 
  • Thexyz 

How do HIPAA regulations impact email security? 

Yes, there are many ways that HIPAA regulations impact email security. HIPAA clearly dictates that any email message that contains ePHI and that is sent outside of a protected internal email network should be encrypted. The type of encryption that is recommended by HIPAA is Transport Layer Security. TLS encryption is encryption used to protect emails in transit. That means if for any reason an email is intercepted, the intercepted email will be unreadable.  

Although it is TLS encryption is all that is strongly recommended, many healthcare organizations are starting to change over to email platforms that provide end-to-end encryption coupled with multifactor authentication. 

Related article: Most Important HIPAA Regulations Regarding File Sharing.

Get a Quote Try our Compliance Checker

About The Author

Author Picture

Mike Mariano

Michael is the Chief Information Security Officer at IS Partners as well as the leader of the penetration testing practice for AWA International. Michael has 15+ years’ experience in internal IT operations with 7 years of being involved in various levels of IT auditing with experience with PCI DSS, SOC 2, HITRUST CSF, Risk Assessments and experience working with Security Frameworks (such as ISO and NIST). Michael has worked with/at companies from 10 to 50,000 employees in size. Prior to joining IS Partners, Michael worked as the IT Operations Manager at AVASEK an MSP IS Security firm where he managed a team of six technicians to service 1500 client endpoints as well as the firm's Cloud Hosting Solution. while at AVASEK, Michael also performed gap assessments against HIPPA and NIST Security Frameworks and was a member of the incident response team. Michael’s specialties are IT Security and IT Management. He is experienced in performing security Risk Assessments, enforcing security policies, handling confidential information, deploying and administering network and application security systems, administrating SaaS products, Active Directory (AD), firewalls, routers, and VPN. Michael is HITRUST CCSFP and AWS CP Certified and has maintained various CompTIA Certifications over his career. He is currently working to achieve his GIAC GWAP and OSCP Certification in 2020.
clip

More about Healthcare Compliance from I.S. Partners

Best Compliance Standards for Financial Service Providers  Best Compliance Standards for Financial Service Providers 
Best Compliance Standards for Financial Service Providers 
Ultimate Guide to Developing Compliance Policies & Procedures  Ultimate Guide to Developing Compliance Policies & Procedures 
Ultimate Guide to Developing Compliance Policies & Procedures 
How Do Internal Audits Work? How Do Internal Audits Work?
How Do Internal Audits Work?
HITRUST v11: Path to Certification Is Now 45% Faster  HITRUST v11: Path to Certification Is Now 45% Faster 
HITRUST v11: Path to Certification Is Now 45% Faster 

Get Hassle-free Pricing in 3 Easy Steps

1
Request a quote using the form below
2
Allow us to create a customized plan
3
We'll get you an accurate, no-obligation quote
Untitled-1 Asset 1 Request a Quote Background

Request a Quote

Please fill out the form below and one of our compliance specialists will contact you shortly. Want to speak to us now? Call us at (866) 642-2230 or book a meeting with one of our experts.

Great companies think alike!

Join hundreds of other companies that trust I.S. Partners for their compliance, attestation and security needs.

Teladoc VeriClaim DentaQuest VisioNet Verifacts Sterling AV Med DOE Legal