We have advised our clients for years to only transmit protected health information (PHI) if it is encrypted. We have also recommended encryption for the data at rest. With the rise of hacking, this is never more important. There are many problems that can arise from compromised email accounts.
It only takes one employee’s email account to get hacked, then the hacker can view what the user has stored, who they communicate with, and who they do not speak with directly. Let’s review each one:
- Contents of email. Of course, you do not want an unknown person reading your emails, but it is even worse if your email account contains PHI. The hacker can take that information, sell it, or even target your patients to gain more information.
- The hacker can also see who you are communicating with and now they can target your co-workers into giving them information by impersonating you.
- They also know who you only communicate with via email. This sets the stage for phone conversations since you do not know what this person sounds like. The hacker can request wire transfers, employee lists, patient lists, the amount of information that they are willing to request is only limited by their imagination.
These attacks may be targeted for financial gain, identity theft, or medical insurance theft. Regardless of the hackers’ motives, they all can be devastating to a practice. Just last year an Orlando practice had 4 email accounts compromised and over 447K patients were affected. When considering the methods to secure email accounts, you must also consider which devices are used to access email. This furthers the security requirements. A thorough risk analysis will uncover potential vulnerabilities and give you the opportunity to avoid a data breach.
That brings me to the next topic… if you don’t need to store it, DO NOT. If you can move the needed documentation to a secure server or your EHR, then do. If there isn’t a “need” to store patient information (or any sensitive information) in email, then remove it. This also applies to “old” patient records in databases or software. There is a reason behind medical record retention requirements, and when it is safe to dispose of medical records, then do! This too reduces your liability!
To find out more about how our automated HIPAA compliance platform can help your organization click here:
Or to schedule a demo click the contact us tab and scroll down.
“Simplifying HIPAA through Automation, Education, and Support”