Stop Emailing PHI

In the first quarter of 2019, 78 breaches were reported to the Department of Health and Human Services (DHHS). Of those, 49 were considered “Hacking/IT Incidents.” Alarmingly, of those 49 incidents, nearly half (43%) involved disclosures of PHI via email compromise.

The headlines from 2018 were bad enough on the topic:

• “UnityPoint warns 1.4 million patients their information might have been breached by email hackers”
• “Email Hack on Vermont Provider Breaches 32,000 Patient Records”
• “HealthEquity Email Hack Breaches Data of 190K Patients”
• “24,000 Patient Records Breached in EyeSouth Partners Email Hack”
• “Aspire Health hacked by phishing scheme, lost ‘protected health information’”

However, 2019 had barely begun when another wave of healthcare-related email hacks threatened patient privacy:

• “326,000 Patients Impacted in UConn Health Phishing Attack”
• “Month-Long Email Hack on Ohio Dental Insurer Impacts Patient Data”
• “Valley Hope Association Email Hack Breaches Patient Data”
• “Vermont hospital email hack exposes info of more than 72,000”
• “23,300 Patients Affected by Critical Care, Pulmonary & Sleep Associates Email Hack”

Since when did healthcare professionals decide that communicating patient information by email was secure or even acceptable? Examine a few causes of the breaches:

• “an employee was duped by a phishing attempt”
• “hackers used ‘phishing’ techniques to break into the company’s email system”
• “an unauthorized user had accessed an employee email account”
• “hackers exploited an email configuration error to bypass the multi-factor and device authentication through a ‘sophisticated method.’”
• “an individual gained unauthorized access to an employee email account”
• “a phishing attack gained access to the internal email system”

One of the best ways to avoid breaches of PHI by email is…you guessed it, don’t allow PHI to find its way into email at all. Ever. While easier said than done, an up-to-date, accurate data inventory that also documents the safeguards and controls in place to protect PHI can provide the visibility necessary to prevent these insecure flows of PHI.

The data inventory should be comprised of the following information:

• Data owner: An accountable owner of the data is critical to maintaining, securing, and ultimately destroying or archiving the data successfully.
• Classification of the data: Data should be classified by sensitivity. The most sensitive data should be the most protected. Hint: PHI should never be stored or transmitted in an unsecured email account.
• Location of the data system: Understanding the system location in which your data resides allows you to align data privacy requirements, physical security, redundancy, and environmental considerations. (Ex: A server farm located under a helipad – yes this happens.)
• Source of the data: Knowing where the data originates allows you to determine data flows, consents, and possible third-party dependencies.
• Purpose and use of the data: Without an understanding of the purpose and use of the data, it is impossible to comply with minimum necessary principles.
• Storage location: If data is stored separately from the data system, the location of that storage is paramount to securing that data.
• Retention policy: Understanding the length of time that data should be kept allows you to comply with consent provisions, minimum necessary principles, and in some cases, regulatory requirements.
• Safeguards in place to protect the data: Data should be safeguarded according to its classification. Documenting the safeguards in place for each set of data allows you to determine whether the safeguards are sufficient and up to date.

Phishing attacks remain a significant threat to the security of PHI. Healthcare professionals should avoid storing or transmitting data in locations and systems that are easy to penetrate and compromise. Email systems are often configured insecurely, and easily penetrated by unsuspecting humans who fail to recognize a phishing attack.

Stop emailing patient data!