Alameda Health Systems in California recently reported a patient data breach that impacted the information of approximately 90,000 patients. This breach involved unauthorized access to the email accounts of staff members. This enabled the hackers to use the email accounts to gain access to the patient information.
Being aware of this situation is very important because it highlights that patient data systems such as EHR, Imaging Systems and Billing Systems are not the only areas we need to monitor and protect to ensure the security of our patient data. It is time for you to think about what type of security you have in place in the email system for your office. Options to consider when securing your email systems include:
Are you using a FREE email system for yourself and your staff? Free email systems typically have less security and are more vulnerable to intrusion than paid services. For example, if you are using a Yahoo email address, you are at much higher risk than you should be. Yahoo is not HIPAA compliant: the encryption is not adequate, and Yahoo will not sign a Business Associate Agreement. If you are using the email address provided by your internet provider, that also may not have the security you need to properly protect your inbox.
If you are using a paid email service, you may not have all of the tools turned on that you need to be properly HIPAA compliant. You want to know that the following features are turned on for your email (please note that some of these are technical, but it is NOT you who turns them on; it is your email provider, so you just ask them whether these features are in place):
- Flag emails that come from outside your practice as being from an external email address
- Prescreen emails to identify potential spam and phishing emails
- Implement Sender Policy Framework (SPF)
- Implement DomainKeys Identified Mail (DKIM)
- Implement Domain-based Message Authentication, Reporting and Conformance (DMARC)
- Require Multi-Factor Authentication when accessing email from a computer that is not inside your organization
- What type of encryption is implemented on the email?
- Do you have a signed Business Associate Agreement with your email provider?
You may have none, some, or all of these in place. A Business Associate Agreement and encryption are both an absolute must. The other security measures are recommended, and the more of them your email provider can put in place, the better.
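When you ask your provider about SPF and DMARC, the answer lives in two DNS TXT records, and "implemented" is not the same as "enforcing". The following added example (not code from TLD Systems) parses constructed sample records for a practice domain and reports the settings that would still let spoofed mail through; the domain names and record strings are made up, and in practice the records are fetched from DNS (the TXT record of your domain for SPF, and of `_dmarc.<your domain>` for DMARC).

```python
import re

# Constructed sample TXT records for a fictitious practice domain.
SPF_WEAK = "v=spf1 include:_spf.mailhost.example ~all"
SPF_STRONG = "v=spf1 include:_spf.mailhost.example -all"
DMARC_WEAK = "v=DMARC1; p=none"
DMARC_STRONG = "v=DMARC1; p=reject; rua=mailto:dmarc@practice.example; pct=100"

# SPF terms that each cost a DNS lookup; the spec allows at most 10 per check.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(?:(?:a|mx|ptr)(?:[:/]|$)|include:|exists:|redirect=)")

def assess_spf(record):
    """Parse an SPF TXT record and list why it would not stop spoofing."""
    if not record.startswith("v=spf1"):
        return {"present": False, "all": None, "issues": ["no SPF record published"]}
    terms = record.split()[1:]
    issues = []
    all_mech = next((t for t in terms if re.fullmatch(r"[+\-~?]?all", t)), None)
    if all_mech is None:
        issues.append("no 'all' mechanism: unlisted senders are treated as neutral")
    elif all_mech in ("all", "+all"):
        issues.append("'+all' lets any host send mail as your domain")
    elif all_mech == "?all":
        issues.append("'?all' is neutral and gives no protection")
    elif all_mech == "~all":
        issues.append("'~all' is softfail; receivers may still deliver spoofed mail")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        issues.append(f"{lookups} lookup terms exceed the limit of 10 (permerror)")
    return {"present": True, "all": all_mech, "issues": issues}

def assess_dmarc(record):
    """Parse a DMARC TXT record and list why it would not stop spoofing."""
    if not record.startswith("v=DMARC1"):
        return {"present": False, "policy": None, "issues": ["no DMARC record published"]}
    # Tags are "key=value" pairs separated by semicolons.
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    policy = tags.get("p")
    issues = []
    if policy is None:
        issues.append("required p= tag is missing")
    elif policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine sends spoofed mail to spam instead of rejecting it")
    if int(tags.get("pct", "100")) < 100:
        issues.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        issues.append("no rua= address, so you get no aggregate reports")
    return {"present": True, "policy": policy, "issues": issues}
```

Running `assess_spf(SPF_WEAK)` and `assess_dmarc(DMARC_WEAK)` returns the softfail and p=none findings; the strong records return empty issue lists.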
We know that email security is vital to protecting patient records, and it is your responsibility to make a good faith effort to ensure the security of the email system you use for your practice.
Please join TLD Systems for our free monthly webinar series on Cybersecurity. The upcoming schedule is:
July 6, Password Security
August 3, Email Security
To register for our free webinar series, click here