Healthcare Cybersecurity

HIPAA Compliant Email Providers

Posted by HIPAA Journal

HIPAA-covered entities must ensure protected health information (PHI) transmitted by email is secured to prevent unauthorized individuals from intercepting messages, and many choose to use HIPAA compliant email providers to ensure appropriate controls are applied to ensure the confidentiality, integrity, and availability of PHI.

There are many HIPAA compliant email providers to choose from that provide end-to-end encryption for messages. Some of the solutions require software to be hosted on your own infrastructure; others take care of everything. Changing email provider does not necessarily mean you have to change your email addresses. Many services allow you to keep your existing email addresses and send messages as you normally would from your desktop.

All HIPAA compliant email providers must ensure their solution incorporates all of the safeguards required by the HIPAA Security Rule. The solutions need to have access controls 164.312(a)(1), audit controls 164.312(b), integrity controls 164.312(c)(1), authentication 164.312(d), and PHI must be secured in transit 164.312(e)(1).

Provided that an email service provider incorporates all of those controls, the service can be considered HIPAA-compliant. However, it is also necessary for an email service provider to enter into a contract with a HIPAA-covered entity in the form of a business associate agreement. Only then can the email service be used.

HIPAA-covered entities should bear in mind that HIPAA-compliant email is not the responsibility of the service provider. The service provider must only ensure appropriate safeguards are incorporated. It is the responsibility of the covered entity to ensure the solution is configured correctly, that staff are trained on the use of email and are made aware of the allowable uses and disclosures of PHI.

An email service alone will not satisfy all HIPAA requirements for email. Staff should also receive training on security awareness and be made aware of the threats that can arrive in inboxes. Technologies should also be implemented to reduce the risk of email-based attacks such as phishing. Some email service providers, but not all, scan inbound messages and block spam, malware and phishing emails.

Is Encryption for Email Mandatory?

That is a question asked by many healthcare organizations. While HIPAA compliant email providers encrypt all emails in transit, encryption is not mandatory. The HIPAA Security Rule only requires organizations to assess the need for encryption. A HIPAA-covered entity does not need to encrypt emails, if an alternative and equivalent control is used in its place.

One such control is the use of a secure email server located behind a firewall. In such cases, provided a risk assessment has been conducted and the reasons for not encrypting emails has been documented, encryption would not be required on all internal emails. Encryption would also not be necessary when sending emails to patients who have authorized a covered entity to communicate with them via email.

However, since most healthcare organizations need to submit payment claims via email, contact other healthcare organizations and refer patients, it is necessary to send emails outside the protection of the firewall. In such cases, encryption is necessary.

There are considerable risks sending sensitive information via email. Email is not a secure way of sending data. Emails must be created on one machine, be sent to an outbound email server, traverse the Internet, arrive at the recipient’s email server, before being delivered to the recipient’s device. Copies of emails can be on at least four different machines, and messages can easily be intercepted in transit.

The Department of Health and Human Services has already issued fines to covered entities that have used email services that are not HIPAA compliant. Phoenix Cardiac Surgery paid a $100,000 penalty for using insecure Internet-based email.

List of HIPAA Compliant Email Providers

Our list of HIPAA compliant email providers has been compiled to save you time in your search for a suitable email service provider. The list of HIPAA compliant email providers is not exhaustive. There are many other service providers that offer email services for healthcare organizations that meet the requirements of HIPAA. However, the list below is a good starting point.

All of the following providers offer a HIPAA-compliant email service and are willing to sign a business associate agreement.

  • Hushmail for Healthcare
  • VM Racks
  • NeoCertified
  • Paubox
  • Virtru
  • Atlantic
  • LuxSci
  • Apsida Mail
  • Protected Trust
  • MaxMD
  • EmailPros
  • MD OfficeMail
  • Delivery Trust from Identillect Technologies

The post HIPAA Compliant Email Providers appeared first on HIPAA Journal.

New Malware Detections at Record High: Healthcare Most Targeted Industry

Posted by HIPAA Journal

Throughout 2017, the volume of new malware samples detected by McAfee Labs has been steadily rising each quarter, reaching a record high in Q3 when 57.6 million new malware samples were detected. On average, in Q3 a new malware sample was detected every quarter of a second.

In the United States, the healthcare industry continues to be the most targeted vertical, which along with the public sector accounted for more than 40% of total security incidents in Q3. In Q3, account hijacking was the main attack vector, followed by leaks, malware, DDoS, and other targeted attacks.

There were similar findings from the recent HIMSS Analytics/Mimecast survey which showed email related phishing attacks were the greatest cause of concern among healthcare IT professionals, with email the leading attack vector.

In Q3, globally there were 263 publicly disclosed security breaches – a 15% increase from last quarter – with more than 60% of those breaches occurring in the Americas. Malware attacks increased 10% since last quarter bringing the total new malware samples in the past four quarters to 781 million – a 27% increase in the space of a year.

Ransomware continues to be a favored moneymaker for cybercriminals, with the number of new ransomware samples increasing by 36% in Q3 – 14% more than the previous quarter. In total, 12.2 million samples of ransomware were detected – a 44% increase over the past four quarters.  One notable ransomware variant was Lukitus – a new form of Locky ransomware that appeared in Q3. The campaign detected by McAfee involved an astonishing 23 million spam emails in the first 24 hours alone.

While not the biggest threat in Q3, fileless malware threats are still a major cause for concern. Script-based malware – written in VBS, JavaScript, PowerShell or PHP – has been steadily increasing over the past two years. The malware is easy to obfuscate and difficult to detect, and is increasingly being used in malware campaigns, with some campaigns consisting entirely of script-based malware.

McAfee reports that while there was a 36% fall in JavaScript malware since Q2, the level is still higher than at any point in 2016 and Q3 saw a 119% increase in PowerShell malware.

“Although many cyberattacks continue to rely on the exploitation of basic security vulnerabilities, exposures, and user behaviors, fileless threats leverage the utility of our own system capabilities,” said Vincent Weafer, Vice President for McAfee Labs. “By leveraging trusted applications or gaining access to native system operating tools such as PowerShell or JavaScript, attackers have made the development leap forward to take control of computers without downloading any executable files, at least in the initial stages of the attack.”

There was also a notable rise in mobile malware, with 21.1 million samples detected – 10% higher than Q2, the increase was largely due to a major rise in Android screen-locking ransomware variants. Macro malware increased by 8% in Q3, while Mac malware saw an increase of 7%. Web-based threats also increased significantly in Q3.

While malware continues to be a major threat, the Carbon Black’s 2017 Threat Report indicates 52% of attacks are non-malware related. Non-malware attacks are now increasing at a rate of 6.8% per month.

The financial services, healthcare providers, and retail stores were the verticals most affected by malware-related cyberattacks in 2017 according to Carbon Black. The main threats are the Kryptik Trojan, Strictor ransomware, the Nemucod downloader, the Emotet banking Trojan, and the Skeeyah Trojan. Carbon Black reports a 328% increase in attacks on endpoints in 2017 alone.

While the healthcare industry has had its fair share of ransomware attacks, it is well down the list of industries targeted with ransomware, coming in 9th out of 10 industries with just 4.6% of the total. The leading targets being tech firms, government organizations/NPOs and legal firms.

Ransomware will continue to be the dominant form of cybercrime in 2018, according to the report. Carbon Black estimates revenues from ransomware will rise to $5 billion by the end of the year, compared to just $24 million in 2015.

The post New Malware Detections at Record High: Healthcare Most Targeted Industry appeared first on HIPAA Journal.

Study Reveals Cybersecurity in Healthcare is Not Being Taken Seriously Enough

Posted by HIPAA Journal

A recent survey by Black Book Research indicates the healthcare industry is not doing enough to tackle the threat of cyberattacks, and that cybersecurity is still not being taken seriously enough.

The survey was conducted on 323 strategic decision makers at U.S. healthcare firms in Q4, 2017. Even though the threat of cyberattacks is greater than ever, and the healthcare industry will remain the number one target for cybercriminals in 2018, only 11% of healthcare organizations plan to appoint a cybersecurity officer in 2018 to take charge of security. Currently 84% of provider organizations do not have a dedicated leader for cybersecurity.

Payer organizations are taking cybersecurity more seriously. 31% have appointed a manager for their cybersecurity programs and 44% said they would make an appointment next year. Overall, 15% of all surveyed organizations said they have a chief information security office in charge of cybersecurity.

The survey also revealed that cybersecurity best practices are not being widely adopted in the healthcare industry. Even though HIPAA calls for regular risk assessments to be conducted, 54% of respondents said risk assessments were not conducted regularly at their organization, while 39% said they do not carry out firewall penetration tests.

Further, while there have been increases in budgets, it would appear that cybersecurity is a low priority. 89% of respondents said that in 2018, budgeted IT funds were primarily being directed to business functions with provable business cases. Only a small percentage of those budgets are being allocated to cybersecurity.

In order for cybersecurity goals to be met, there needs to be C-Suite involvement, yet 92% of respondents said that cybersecurity and data breaches were not major talking points in board meetings. “Cybersecurity has to be a top-down strategic initiative as it’s far too difficult for IT security teams to achieve their goals without the board leading the charge,” said Doug Brown, Managing Partner of Black Book.

With two weeks left in December, there have been 331 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights. The total for 2016 was 327 breaches, having increased from 270 breaches in 2015. At the current rate, the milestone of 350 breaches for the year may even be reached. There is also no indication that the year on year increases in data breaches will not continue in 2018.

“The critical role of medical facilities, combined with poor security practices and lack of resources, make them vulnerable to financially and politically motivated attacks,” said Brown.

Unless more is done to ensure cybersecurity goals are met, next year is likely to be yet another record-breaking year for healthcare data breaches.

The post Study Reveals Cybersecurity in Healthcare is Not Being Taken Seriously Enough appeared first on HIPAA Journal.

More than 1,000 Lexmark Printers Open to Attack Due to Misconfiguration

Posted by HIPAA Journal

Researchers at NewSky Security have discovered more than a thousand Lexmark printers have been misconfigured by users and are accessible over the Internet. Many of the printers are used businesses, universities, and even the U.S. Government, yet they can be accessed via the Internet without the need for a password.

The lack of security means unauthorized individuals can connect to the printers, which in some cases are connected to sensitive networks. Attacking those printers requires no skill and is a quick and easy process. Any individual can remotely access and take full control of the device. It would be possible for anyone to set a password for the printer, add a backdoor and capture print jobs. NewSky Security says the lack of an administrator password is gross negligence by users.

The researchers identified the misconfigured Lexmark printers by performing a search on the search engine Shodan. Of the 1,475 unique IPs found, 1,123 printers had no security at all and only 24% redirected the researchers to a login page. The researchers explained, “an attacker can take control of these poorly configured devices without any impressive hacking skills.”

One of the unsecured printers was being used by the Lafayette Consolidated Government, with the majority belonging to universities. NewSky is currently reaching out to organizations affected to alert them to the problem.

The researchers explained that they have focused on printer security because it is still largely neglected by end users.

This is not the first time printer misconfigurations have been discovered by the researchers. Similar misconfigurations were identified on Brother printers in October, which saw administrative panels accessible over ports 80 and 443.

It is possible that many other brands of Internet-enabled printers are similarly exposed. Organizations that have purchased Internet-enabled printers should ensure that the devices are configured correctly, that they are isolated from the public Internet, that default passwords are changed, and strong admin passwords set on the devices. Open ports should be closed and unnecessary services stopped.

The post More than 1,000 Lexmark Printers Open to Attack Due to Misconfiguration appeared first on HIPAA Journal.

AHIMA Issues Guidance to Help Healthcare Organizations Develop an Effective Cybersecurity Plan

Posted by HIPAA Journal

The American Health Management Association (AHIMA) has published guidance to help healthcare organizations develop a comprehensive and effective cybersecurity plan.

In the guidance, AHIMA explains that healthcare organizations must develop, implement and maintain an organization-wide framework for managing information through its entire lifecycle, from its creation to its safe and secure disposal – Termed information governance (IG).

As the Protenus/Databreaches.net monthly healthcare data breach reports show, healthcare data breaches are now occurring at a rate of more than one a day. With the threat of attack greater than ever before, it is essential that healthcare organizations develop an IG program.

Kathy Downing, Vice President, Information Governance, Informatics, Privacy and Security at AHIMA, explains that IG is now critical in an environment where cyberattacks are being experienced by healthcare organizations every day.

Downing cites the June 2017 report from the Healthcare Industry Cybersecurity Taskforce (HCIC), which states “Information governance includes not just IT and security stakeholders, but also information stakeholders, clinical and nonclinical leaders.” HCIC explained, “Governance of information shifts the focus from technology to people, processes, and the policies that generate, use, and manage the data and information required for care.”

To help healthcare organizations, develop, implement, and maintain an effective IG program, AHIMA has developed its step by step guide, which includes 17 actions healthcare organizations can take to complete a cybersecurity plan.

The AHIMA IG Adoption Model™ addresses people, processes, and technology and has been based on ten competency areas, including privacy and security, enterprise information management, IT and data governance, legal and regulatory requirement, and security awareness and adherence.

By developing and maintaining a cybersecurity plan, healthcare organizations can improve their defenses against cyberattacks and prevent costly data breaches.

The 17 steps to develop a complete cybersecurity plan are:

  1. Conduct a comprehensive, organization-wide risk analysis of all applications and systems
  2. Recognize health record retention as a cybersecurity issue
  3. Patch all vulnerable systems and keep software/operating systems up to date
  4. Deploy advanced endpoint detection systems in addition to standard antivirus/antimalware tools
  5. Encrypt data on workstations, smartphones, tables and portable media
  6. Improve access management and identity controls
  7. Use web filters to block bad traffic
  8. Implement mobile device management
  9. Develop an incident response plan
  10. Monitor audit logs for signs of possible attacks
  11. Implement intrusion detection systems
  12. Evaluate business associates
  13. Use a third-party firm to conduct penetration tests
  14. Improve anti-phishing controls and conduct phishing simulation exercises
  15. Prepare a ‘State of the Union’ type presentation for an organization’s leaders on cybersecurity
  16. Adopt and ally a ‘Defense in Depth’ strategy
  17. Detect and prevent intrusions

Developing and implementing a cybersecurity plan is only the start. The threat landscape is constantly changing, and healthcare organizations’ IT infrastructures, hardware and software frequently change. It is therefore important to revisit and revise the cybersecurity plan, as appropriate, at least every quarter to ensure it remains comprehensive and effective.

The AHIMA guidance is available for download here.

The post AHIMA Issues Guidance to Help Healthcare Organizations Develop an Effective Cybersecurity Plan appeared first on HIPAA Journal.

Is Hotmail HIPAA Compliant?

Posted by HIPAA Journal

Many healthcare organizations are unsure whether Hotmail is HIPAA compliant and whether sending protected health information via a Hotmail account can be considered a HIPAA compliant method of communication. In this post we answer the question is Hotmail HIPAA compliant, and whether the webmail service can be used to send PHI.

Hotmail is a free webmail service from Microsoft that has been around since 1996. Hotmail has now been replaced with Outlook.com. In this post we will determine if Hotmail is HIPAA-complaint, but the same will apply to Outlook.com. For the purposes of this article, Hotmail and Outlook.com will be considered one and the same.

HIPAA, Email and Encryption

There is a common misconception that all email is HIPAA compliant. In order for any email service to be HIPAA compliant, it must incorporate security controls to prevent unauthorized individuals from gaining access to accounts and for any information sent via the email service to be secured to prevent messages from being intercepted. There must be access controls, integrity controls, and transmission security controls in place – See 45 CFR § 164.312(a), 45 CFR § 164.312(c)(1), and 45 CFR § 164.312(e)(1).

All email accounts are secured with a password, but not all email accounts securely send messages. If messages are not encrypted in transit, they could easily be intercepted and read by unauthorized individuals.

In order to be HIPAA-compliant, email messages should be encrypted in transit if they are sent outside the protection of an organization’s firewall. Encryption is not required if messages are sent internally and the messages are sent via a secure internal email server that sits behind a firewall.

Is Hotmail HIPAA Compliant?

Since Hotmail is a webmail service, it lies outside the protection of a firewall. In order to be HIPAA compliant, Hotmail would need to incorporate security controls to prevent messages from being intercepted. Hotmail uses HTTPS, so any information transferred between the browser and the Hotmail site is encrypted, and messages are also secured in transit.

However, while Microsoft says it does not scan the content of messages and will not sell that information to third-parties such as advertisers, Microsoft does have access to messages. Further, in order for an email service such as Hotmail to be HIPAA compliant, it would be necessary to first obtain a HIPAA-compliant business associate agreement with the email service provider.

Microsoft does offer business associate agreements for Office 365, but Office 365 does not include Hotmail or Outlook.com email accounts, which are free consumer email services. Microsoft does not offer any business associate agreements for its free consumer services.

Therefore, the answer to the question is Hotmail HIPAA compliant is no. Without a signed business associate agreement, Hotmail email accounts should not be used. The same applies to Gmail accounts and most other free consumer email services.

Can You Send PHI to a Patient’s Hotmail Account?

If your email system is secure and HIPAA-compliant, is it possible to send PHI to patients if they have a Hotmail account?

HIPAA does permit healthcare organizations to send PHI to patients via email, regardless of the email service provider the patient uses. However, it is not permitted to send emails to patients without first obtaining their consent to do so. When obtaining consent, you should communicate to patients that the sending of PHI via email is not secure and that their information could potentially be intercepted and viewed by individuals who are unauthorized to view that information.

If patients are informed of the risks, and confirm that they accept those risks, PHI can be sent via email, even if they have a Hotmail or Outlook.com email account. Covered entities should document that consent has been obtained and patients have opted in to receive information via email, including how you authenticated their identity.

The post Is Hotmail HIPAA Compliant? appeared first on HIPAA Journal.

Noncompliance with HIPAA Costs Healthcare Organizations Dearly

Posted by HIPAA Journal

Noncompliance with HIPAA can carry a significant cost for healthcare organizations, yet even though the penalties for HIPAA violations can be considerable, many healthcare organizations have substandard compliance programs and are violating multiple aspects of HIPAA Rules.

The Department of Health and Human Services’ Office for Civil Rights (OCR) commenced the much delayed second phase of HIPAA compliance audits last year with a round of desk audits, first on healthcare organizations and secondly on business associates of covered entities.

Those desk audits revealed many healthcare organizations are either struggling with HIPAA compliance, or are simply not doing enough to ensure HIPAA Rules are followed.

The preliminary results of the desk audits, released by OCR in September, showed healthcare organizations’ compliance efforts were largely inadequate. 94% of organizations had inadequate risk management plans, 89% were rated as inadequate on patients’ right to access their PHI, and 83% had performed inadequate risk analyses. It would appear that for many healthcare organizations, little has changed since the first phase of compliance audits were conducted in 2011/2012. Noncompliance with HIPAA is still widespread.

A few years ago, the risk of the discovery of a HIPAA violation was relatively low. Even when HIPAA violations were discovered, OCR rarely issued financial penalties. Similarly, even though the HITECH Act permits state attorneys general to issue fines for HIPAA violations, relatively few have exercised that right.

Today, the risk of HIPAA violations being discovered is significantly higher. Patients are now much more knowledgeable about their rights under HIPAA, and OCR has made it easy for them to file complaints about suspected HIPAA violations. HIPAA complaints are investigated by OCR.

The rise in cyberattacks on healthcare organizations mean data breaches are now far more likely to occur. A recent study by HIMSS Analytics/Mimecast showed 78% of healthcare organizations have experienced a ransomware or malware attack in the past 12 months, while an Accenture/AMA report showed 83% of physicians have experienced a cyberattack.

OCR investigates all breaches of more than 500 records to determine whether HIPAA Rules are being followed. When a breach occurs, organizations’ HIPAA compliance programs will be scrutinized.

OCR has also stepped up enforcement of HIPAA Rules and financial penalties are far more common. Since January 1, 2016, there have been 20 settlements reached between OCR and HIPAA covered entities and their business associates, and two civil monetary penalties issued.

OCR has yet to state whether financial penalties will be pursued as a result of the HIPAA audits, but OCR is not expected to turn a blind eye to major HIPAA failures. Multiple violations of HIPAA Rules could well see financial penalties pursued.

The higher likelihood of a data breach occurring or a complaint being filed means noncompliance with HIPAA is likely to be discovered. But what are the costs of noncompliance with HIPAA? What are the incentives for ensuring all HIPAA Rules are followed?

The Cost of Noncompliance with HIPAA

The high cost of HIPAA noncompliance has been summarized in the infographic below:

 

The Cost of Noncompliance with HIPAA

The post Noncompliance with HIPAA Costs Healthcare Organizations Dearly appeared first on HIPAA Journal.

AMA Study Reveals 83% of Physicians Have Experienced a Cyberattack

Posted by HIPAA Journal

Following the HIMSS Analytics/Mimecast survey that revealed 78% of healthcare organizations have experienced a ransomware or malware attack in the past 12 months, comes a new report on healthcare cybersecurity from the American Medical Association (AMA) and Accenture.

The Accenture/AMA survey was conducted on 1,300 physicians across the United States and aimed to take the ‘physician’s pulse on cybersecurity.’ The survey confirmed that it is no longer a case of whether a cyberattack will be experienced, it is just a matter of when cyberattacks will occur and how frequently.

83% of physicians who took part in the survey said they had previously experienced a cyberattack. When asked about the nature of the cyberattacks, the most common type was phishing. 55% of physicians who had experienced a cyberattack said the incident involved phishing – A similar finding to the HIMSS Analytics survey which revealed email was the top attack vector in healthcare.

48% of physicians who experienced a cyberattack said computer viruses such as malware and ransomware were involved. Physicians at medium to large practices were twice as likely to experience those types of cyberattacks than those at small practices.

When cyberattacks occur, they can result in considerable downtime. 64% of physicians said they experienced up to 4 hours of downtime following an attack, while 29% of physicians at medium-sized practices experienced downtime of up to one day.

Given the frequency of cyberattacks and the difficulty physician practices have at preventing those attacks, it is not surprising that the threat of attack is a major cause of concern. 55% of physicians were very or extremely worried about further cyberattacks at their practice. 74% said they were most concerned that future attacks would disrupt clinical practices and the same percentage were concerned that cyberattacks would result in breaches of patients’ protected health information. 53% were concerned that cyberattacks would have an impact on patient safety.

Physicians are aware that HIPAA compliance is important for cybersecurity, but simply doing the minimum and ensuring HIPAA requirements are met is not sufficient to prevent attacks. 83% of physicians said a more holistic approach to prioritizing risks is required than simply complying with HIPAA.

Kaveh Safavi, head of Accenture’s global practice said “Physician practices should not rely on compliance alone to enhance their security profile. Keeping pace with the sophistication of cyberattacks demands that physicians strengthen their capabilities, build resilience and invest in new technologies to support a foundation of digital trust with patients.”

Interestingly, while 87% of physicians believed their practice was compliant with HIPAA Rules, two thirds of physicians still have basic questions about HIPAA, suggesting their compliance programs may not be quite as comprehensive as they believe.

While the sharing of ePHI can introduce new risks, 85% believed PHI sharing was important, and 2 in 3 physicians thought that more access to patient data could improve the care provided to patients.

“New research shows that most physicians think that securely exchanging electronic data is important to improve health care. More support from the government, technology and medical sectors would help physicians with a proactive cybersecurity defense to better ensure the availability, confidentially and integrity of health care data,” said AMA President David. O. Barbe.

The post AMA Study Reveals 83% of Physicians Have Experienced a Cyberattack appeared first on HIPAA Journal.

Email Top Attack Vector in Healthcare Cyberattacks

Posted by HIPAA Journal

A recent study conducted by HIMSS Analytics for email security firm Mimecast has revealed 78% of healthcare organizations have experienced a ransomware or malware attack in the past 12 months.

Far from ransomware or malware attacks being occasional events, many of the healthcare organizations that participated in the survey have experienced more than a dozen malware or ransomware attacks in the past year.

While there are several possible ways that ransomware and malware can be installed, healthcare providers rated email as the number one attack vector.

When asked to rank attack vectors, Email was rated as the most likely source of a data breach by 37% of respondents, with the second most likely source of a data breach being ‘other portable devices’, ranked as the main threat by 10% of organizations.

59% of organizations ranked email first, second, or third as the most likely attack vector. In second place was laptops, which were ranked 1, 2, or 3 by 44% of organizations.

Given the frequency of email based attacks this year, it is no surprise that healthcare organizations believe email-related security attacks will continue to cause problems, and that they are likely to increase or significantly increase in the future.

A recent study conducted by Malwarebytes showed ransomware attacks are already 62% more prevalent that 2016, and have occurred at almost 2,000 times the rate in 2015. The 2017 Verizon Data Breach Report suggests 72% of all malware used to target the healthcare industry is ransomware.

Those findings were backed up by the HIMSS Analytics survey. Ransomware was seen as the most serious threat by 83% of respondents. Malware was rated second, followed by spear phishing attacks and Business Email Compromise (BEC) attacks.

The importance of securing email is clear. Email is used to communicate protected health information by approximately 80% of healthcare organization. Email is also rated as an essential communication tool and is considered critical by 93% of respondents, while 43% said email was mission critical and that their organization could not tolerate email downtime.

It is understandable given the frequency of email-based attacks and the importance of email in healthcare that organizations have a high level of concern about cybersecurity and their ability to repel email-based attacks.

Resilience to ransomware and malware attacks was rated as the top initiative for building a cyber resilience strategy, while training employees to be more security aware is the second highest priority over the following 12 months. Securing email was third.

David Hood, Cyber Resilience Strategist for Healthcare at Mimecast said, “This survey clearly demonstrates that email is a mission-critical application for healthcare providers and that cyberthreats are real and growing – surprisingly, even more so than the threats to Electronic Medical Records (EMRs), laptops and other portable electronic devices. It’s encouraging that protecting the organization and training employees are top initiatives for next year, but the survey suggests the industry has work to do.”

Mimecast provided five suggestions on how healthcare organizations can reduce the risk of email-based threats:

  1. Train employees on the risks associated with email and provide real-time reminders rather than relying on an annual training session.
  2. Analyze all inbound email attachments and scan for malware and malware downloaders
  3. Implement a web filtering solution to check URLs when a user clicks, not just at the point emails enter the organization.
  4. Inspect outbound emails and check that protected health information is not being sent to individuals unauthorized to receive it, and also to check emails to determine whether email accounts may have been compromised.
  5. Finally, it is essential that data backups are regularly performed to ensure that in the event of a ransomware attack, healthcare organizations do not face data loss and are not forced to pay ransoms.

The post Email Top Attack Vector in Healthcare Cyberattacks appeared first on HIPAA Journal.