From Inbox to Identity Theft: How Healthcare Email Breaches Expose Patients

For many health care organizations, email is treated as a standard communication tool rather than as a secure place to keep sensitive patient records. That assumption can become costly, as the data breach at FYZICAL Therapy & Balance Centers demonstrates. Attackers who gained access to the company's employee email accounts also gained access to patients' private and protected health information (PHI). Once the safeguards around an employee's email account are defeated, the contents of that account can feed directly into identity-related crime.

Value of Email for Healthcare

In addition to appointment scheduling, email can carry a wide range of important patient documents and records: patient intake forms, insurance information, billing and payment records, clinical notes, and scanned patient ID cards. Compared with traditional record systems such as databases, email in many cases has no established, recognized retention and encryption policies. Email is also rarely monitored in real time.

From a criminal's point of view, an email account is a very different target from a structured database. Once a cybercriminal has compromised an email account, they hold every prior message in it, possibly going back to the day the account was created. Those messages often contain a large amount of Personally Identifiable Information (PII), including Social Security numbers, dates of birth, bank account numbers, and health insurance policy numbers, all of which are valuable on the black market.

Turning email breaches into identity theft

Email breaches differ from ransomware attacks or outages. They happen more quietly, unfold over time, and are harder to detect. An attacker can extract specific information without an alarm ever going off.

For patients, the risk from a breach is long-term. Personal identifiers such as Social Security numbers and medical records cannot be replaced the way a credit card number can. Once healthcare data has been compromised, identity theft in the form of fraudulent loans, tax filings, and misuse of medical benefits can surface months or years later.

Patients should not confuse the absence of immediate harm with the absence of risk. Because email-based breaches routinely take a long time to detect, individuals may have a shorter window in which to put protections in place.

Regulatory and Legal Issues for Healthcare Email Breaches

From a compliance standpoint, healthcare email breaches are extremely problematic under HIPAA and state privacy laws. Protected Health Information (PHI) does not lose its protected status because it happens to sit in an email inbox rather than in a central database.

Under HIPAA and state laws, organizations must put administrative, technical and physical safeguards in place for every system that holds sensitive information. That means reasonable access controls, adequate monitoring of the email environment, and multi-factor authentication for all email systems. Weak access control, monitoring or authentication may be treated by regulators and the courts as evidence that an organization is not following reasonable security practices.

In recent years, litigation against organizations following a data breach has increased, and a number of these cases have focused on what the organization did to protect email systems known to contain sensitive information.

Patients are frequently left uncertain about the full impact on their medical information.

With email breaches, one of the biggest problem areas is the lack of transparency about what actually occurred. The affected organization may not be able to determine right away exactly which emails were accessed or which attachments were downloaded. As a result, breach notifications to patients usually state that patient information may have been exposed rather than confirming that it has been misused.

This uncertainty leaves patients in a difficult position: they may be told to watch their credit reports or enroll in an identity monitoring service, but without knowing exactly what happened to their information, they cannot properly evaluate their personal risk.

Beyond the email breach itself lies a larger security lesson for all healthcare organizations.

Email breaches reflect poor governance, not just a failure of technical security systems. By treating email communication as low-risk, organizations ignore the reality of how modern health care actually operates.

Health care organizations rely on email as a fast way to access and, ideally, safely transmit sensitive information. That means they should enforce stricter access controls, establish strict retention policies, train employees, and continuously monitor email so that inboxes do not become an easy, accessible path to patient harm.
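The monitoring the article calls for (here and in the HIPAA safeguards section above) has to run against mailbox audit logs, not message bodies, because that is where a quiet, selective extraction shows up. The following is an added example written for this page, not code from the article or from FYZICAL: it runs two simple detections over a constructed JSON-lines audit log with hypothetical field names (`ts`, `user`, `action`, `count`, `ip`, `forward_to`), which are not the log format of any particular mail platform. The first detection flags an account that reads an unusually large number of items within a short sliding window; the second flags inbox rules that forward mail to an address outside the organisation's domain, a classic post-compromise indicator worth reviewing.

```python
"""Two mailbox-audit detections for the email-monitoring control discussed above.

Added example; the log shape and thresholds below are constructed assumptions.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit events (hypothetical field names, documentation IPs
# and reserved example domains; not from any real system).
SAMPLE_AUDIT_LOG = """\
{"ts": "2024-03-01T09:00:00", "user": "alice@clinic.example", "action": "read", "count": 5, "ip": "10.0.0.21"}
{"ts": "2024-03-01T09:05:00", "user": "alice@clinic.example", "action": "read", "count": 8, "ip": "10.0.0.21"}
{"ts": "2024-03-02T02:08:00", "user": "bob@clinic.example", "action": "login", "count": 0, "ip": "203.0.113.77"}
{"ts": "2024-03-02T02:10:00", "user": "bob@clinic.example", "action": "read", "count": 150, "ip": "203.0.113.77"}
{"ts": "2024-03-02T02:14:00", "user": "bob@clinic.example", "action": "read", "count": 120, "ip": "203.0.113.77"}
{"ts": "2024-03-02T02:16:00", "user": "bob@clinic.example", "action": "rule_created", "count": 0, "ip": "203.0.113.77", "forward_to": "archive@mail.example.net"}
{"ts": "2024-03-02T10:00:00", "user": "carol@clinic.example", "action": "rule_created", "count": 0, "ip": "10.0.0.30", "forward_to": "billing@clinic.example"}
"""


def parse_events(text):
    """Parse JSON-lines audit records into dicts with a datetime timestamp, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_bulk_access(events, threshold=200, window=timedelta(minutes=10)):
    """Flag a user whose item reads inside a sliding time window reach the threshold.

    Normal clinical work reads a handful of messages at a time; an account being
    harvested reads hundreds in minutes. One alert per user, raised on the first
    crossing of the threshold.
    """
    recent = defaultdict(deque)  # user -> read events still inside the window
    alerted = set()
    alerts = []
    for ev in events:
        if ev["action"] != "read":
            continue
        q = recent[ev["user"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:  # drop reads that fell out of the window
            q.popleft()
        total = sum(e["count"] for e in q)
        if total >= threshold and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append({
                "rule": "bulk_mailbox_access",
                "user": ev["user"],
                "items": total,
                "ip": ev["ip"],
                "window_end": ev["ts"].isoformat(),
            })
    return alerts


def detect_external_forwarding(events, internal_domain):
    """Flag newly created inbox rules that forward mail outside the organisation."""
    alerts = []
    suffix = "@" + internal_domain.lower()
    for ev in events:
        target = ev.get("forward_to", "")
        if ev["action"] == "rule_created" and not target.lower().endswith(suffix):
            alerts.append({
                "rule": "external_forwarding_rule",
                "user": ev["user"],
                "forward_to": target,
                "ip": ev["ip"],
            })
    return alerts


def analyse(log_text, internal_domain="clinic.example"):
    """Run both detections over a JSON-lines audit log and return the alert list."""
    events = parse_events(log_text)
    return detect_bulk_access(events) + detect_external_forwarding(events, internal_domain)


if __name__ == "__main__":
    for alert in analyse(SAMPLE_AUDIT_LOG):
        print(json.dumps(alert))
```

On the constructed log, `alice` stays under the threshold, `bob` trips both rules (270 items read in four minutes from an outside address, then a rule forwarding to `mail.example.net`), and `carol`'s rule is ignored because its target stays inside `clinic.example`. The threshold and window are deliberately simple; a production version would baseline each user's normal read volume and correlate the bulk read with the preceding login from an unfamiliar IP, which is visible in the same log.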

Future Implications

FYZICAL Therapy & Balance Centers is just one example of the continuing rise in data breaches across the healthcare industry. As attack methods keep evolving, email will remain one of the main entry points for cybercriminals, so every healthcare organisation needs to make sure its email security controls are in place.

Patients must be made aware of these risks. For healthcare organisations the message is simple: securing patient information means securing every location where it exists, including the inbox.