The US Department of Health and Human Services recently released an expansive set of recommendations titled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (HICP) to help health care providers reduce cybersecurity threats. It offers guidance on using vetted security practices to avoid potential breaches.
Email is among the areas addressed in the HICP recommendations. Though most physicians likely will not be setting up and monitoring their practice’s email, there are a handful of safety protocols they can discuss or implement with their service provider or IT department.
One option is to avoid free email systems. Jay Hodes, President of Colington Consulting, based in Burke, Virginia, said he receives inquiries from physicians on Gmail and other public email accounts regularly, especially from small providers. “They are somewhat frugal, and they want to look for something that won’t cost them a lot,” Hodes said.
Another option is to use email services specializing in the health care industry. Whether practices use those or not, they should consider encrypting email, particularly messages sent to recipients outside the office. Under HIPAA, encryption is classed as an addressable implementation specification rather than a required one, but it is a best practice. “If it moves, encrypt it,” said Chris Apgar, CEO and President of Apgar & Associates, based in Tigard, Oregon. Also, the federal Office for Civil Rights is enforcing the use of encryption as if it is required.
Programs can also tag or scan emails to reduce the potential for human error. Email systems can alert recipients when a message is coming from an external party so they know to be cautious. A tool can also be used to scan through emails for information that looks like PHI and flag the sender to make sure they want to send it. But Apgar cautions that some of these programs have the potential for making communication cumbersome.
“If they aren’t set up properly, they will light up everything and people will have difficulty sending out any emails,” Apgar said. “Then they figure out workarounds like using their personal email accounts. You have to think about who the users are and, as much as is feasible, make it easy for them to do the right thing.”
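As an added illustration (not part of the original article or of any product it mentions), the following Python sketch shows the two email controls just described: tagging inbound mail that arrives from outside the practice, and checking outbound mail for PHI-like data before it leaves. It also contrasts a naive rule that prompts on every match, which is the “light up everything” failure Apgar warns about, with a tuned rule that only intervenes when such data is addressed to an external recipient. The domain names, detection patterns and sample messages are constructed assumptions, and a real DLP product would use far richer detectors.

```python
import re
from dataclasses import dataclass

# Constructed assumption: the practice's own mail domain(s).
INTERNAL_DOMAINS = {"example-clinic.test"}

# Constructed, illustrative patterns for data that often indicates PHI.
# A production tool would add identifier checksums, patient-name dictionaries,
# proximity rules and similar refinements.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b",
                      re.IGNORECASE),
}


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def is_external(address: str) -> bool:
    return domain_of(address) not in INTERNAL_DOMAINS


def tag_inbound_subject(sender: str, subject: str) -> str:
    """Prepend an [EXTERNAL] marker when mail arrives from outside the practice."""
    if is_external(sender) and not subject.startswith("[EXTERNAL]"):
        return f"[EXTERNAL] {subject}"
    return subject


def find_phi_like(body: str) -> list:
    """Return the names of the PHI patterns that match anywhere in the body."""
    return [name for name, pattern in PHI_PATTERNS.items() if pattern.search(body)]


@dataclass
class Verdict:
    external_recipients: list
    findings: list
    action: str  # "allow", "warn", or "require_encryption"


def evaluate_outbound(recipients, body, tuned=True) -> Verdict:
    """Decide what the gateway should do with an outgoing message."""
    findings = find_phi_like(body)
    external = [r for r in recipients if is_external(r)]
    if not tuned:
        # Naive rule: prompt on every match, even for mail that never leaves
        # the practice. This is the configuration that "lights up everything"
        # and pushes staff toward personal accounts.
        action = "warn" if findings else "allow"
    elif findings and external:
        # Tuned rule: intervene only when PHI-like data is addressed outside
        # the organisation, and enforce encryption rather than just nagging.
        action = "require_encryption"
    else:
        action = "allow"
    return Verdict(external, findings, action)


if __name__ == "__main__":
    # Constructed sample messages.
    internal_note = "Please pull the chart for MRN: 12345678 before clinic."
    referral = "Referral for patient, DOB: 03/14/1970, SSN 123-45-6789."
    print(evaluate_outbound(["nurse@example-clinic.test"], internal_note, tuned=False).action)  # warn
    print(evaluate_outbound(["nurse@example-clinic.test"], internal_note).action)               # allow
    print(evaluate_outbound(["intake@specialist.example"], referral).action)  # require_encryption
    print(tag_inbound_subject("vendor@supplier.example", "Invoice 4471"))    # [EXTERNAL] Invoice 4471
```

The point of the `tuned` branch is the one Apgar makes: the same detectors, gated on whether the message actually leaves the organisation, produce far fewer interruptions for routine internal mail while still enforcing encryption on the messages that matter.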
Multifactor authentication (like using a password and security token or finger scan) is another option that can be set up for email users in a system. This makes it more difficult for hackers to get in, but again, is often used inconsistently, said Jen Stone, a security analyst with SecurityMetrics, of Orem, Utah. “Staff members who work on the front desk, for example, might be required to adhere to these measures, while senior management and doctors have a simple password that hasn’t changed in years,” Stone said. “This is a huge vulnerability because doctors often have access to more protected health information and the ability to modify that information.”
Another layer of security is to have an IT department ensure that antivirus software is installed and updated regularly and manage security settings to block or warn users of potentially malicious websites.
Teach the warning signs
Educating the staff is something all providers must do to mitigate breaches by email. Human error is unavoidable, but if a practice does its best to train staff, the federal Office for Civil Rights is much more likely to be understanding if PHI is leaked. “After a breach, there’s nothing worse than someone saying, ‘No one told me I couldn’t click on the link,’” Hodes said.
Aside from creating awareness of protecting health information, training should focus heavily on avoiding falling victim to phishing scams. Apgar recommends creating a list of file types that people should not open, such as those that end in .vbs or .exe. Both are executable file types that can install malicious software onto a computer.
Staff should also be warned not to open links in emails from unknown senders, or when something in a message does not look right. Sometimes an email message may look like it is from a legitimate sender, but the logo is slightly different or the email address does not match the sender’s name.
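To make the warning signs in the last two paragraphs concrete, here is an added Python example (not from the article or from any vendor it names) of the kind of check a mail gateway or help desk could apply when triaging a message: it blocks attachments whose final extension is on a blocklist that includes .vbs and .exe, regardless of letter case or of decoy names such as report.pdf.exe, and it flags a message whose display name matches someone the practice knows while the address does not. The blocklist entries beyond .vbs and .exe, the practice's address book and the sample headers are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed assumption: executable types the practice refuses by policy.
# The article names .vbs and .exe; the rest are assumed additions.
BLOCKED_EXTENSIONS = {".vbs", ".exe", ".scr", ".bat", ".cmd", ".js", ".hta"}


def attachment_blocked(filename: str) -> bool:
    """True when the file's final extension is on the blocklist.

    Normalises case and trailing dots/spaces so that "Invoice.PDF.EXE" or
    "setup.exe. " are judged by the extension the operating system would use.
    """
    name = filename.strip().rstrip(". ").lower()
    dot = name.rfind(".")
    if dot == -1:
        return False
    return name[dot:] in BLOCKED_EXTENSIONS


def sender_mismatch(from_header: str, known_people: dict) -> bool:
    """True when the display name is a known person but the address is not theirs.

    known_people maps a lower-cased display name to the address the practice
    has on file for that person.
    """
    display, address = parseaddr(from_header)
    expected = known_people.get(display.strip().lower())
    if expected is None:
        return False  # not someone the practice claims to know; other checks apply
    return address.strip().lower() != expected.lower()


def triage(from_header: str, attachments: list, known_people: dict) -> list:
    """Collect human-readable reasons a message deserves a second look."""
    reasons = []
    if sender_mismatch(from_header, known_people):
        reasons.append("display name matches a known sender but the address does not")
    for name in attachments:
        if attachment_blocked(name):
            reasons.append(f"blocked attachment type: {name}")
    return reasons


if __name__ == "__main__":
    # Constructed address book and sample headers.
    address_book = {"dr. smith": "dr.smith@example-clinic.test"}
    genuine = '"Dr. Smith" <dr.smith@example-clinic.test>'
    lookalike = '"Dr. Smith" <drsmith@mail.example>'
    print(triage(genuine, ["schedule.pdf"], address_book))                  # []
    print(triage(lookalike, ["Invoice.PDF.EXE", "notes.txt"], address_book))
```

The triage output is a list of reasons rather than a single verdict so that the same routine can feed an automated quarantine, a warning banner shown to the recipient, or the talking points a help desk uses when a staff member asks whether a message is safe.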
The HICP recommendations suggest putting in place an anti-phishing campaign that includes education as well as simulation tools to test the staff. These are not so much “gotcha” practices as opportunities for learning and for seeing where everyone stands with their phishing knowledge. Phishing emails can be sent out by the IT staff or a third-party vendor. The sender can then track how many people open the email or click on the links provided in the message. The campaigns can start with obvious emails and move up to those that are more targeted and difficult to detect.
Apgar said there are some cybersecurity programs, such as PhishOn, PhishMe, and Gophish, that not only catch people in the act of clicking on suspicious emails, but also provide education on how to avoid clicking on such emails again. For instance, a program might point out the giveaways that should have tipped the reader off that an email was a phishing scam.