Safeguard PHI and build HIPAA compliance with email encryption
How email encryption can help you safeguard healthcare Information and build a HIPAA compliance program.
Healthcare institutions are faced with a daunting problem: safeguarding sensitive healthcare and personal information in internal and external email communications. By default, the content of email is unprotected. As an email message travels from sender to recipient, it passes through servers and across networks that may provide attackers with opportunities to eavesdrop or even to access the content of the email. This could potentially expose protected health information (PHI), personally identifiable information (PII), intellectual property and other sensitive information in the body of the email message and the attached files. And data breaches involving personal health information can result in heavy penalties under the Health Insurance Portability and Accountability Act (HIPAA) guidelines.
Email could be the most vulnerable IT system in an organization
Until very recently, there was a widespread misperception that email communications were private and secure, but that is definitely not the case. Front-page incidents where the contents of entire email stores—thousands and thousands of messages—were accessed and published, such as the Sony Pictures breach and the incident during the 2016 Presidential campaign have finally brought an end to this misperception. These high-profile breaches have also brought to the forefront an awareness of the staggering costs that can be incurred by the impacted organizations as a result of such email breaches.
Healthcare institutions face so many potential threats against their systems, networks and data that it’s easy to overlook threats against email as well. But the fact is that healthcare records are significant targets for attackers because they typically contain all the information thieves need to perpetrate identity theft, including fraudulently opening lines of credit and filing phony tax refund requests with the Internal Revenue Service. Additionally, thieves can also use the information from medical records to purloin prescription drugs for consumption or resale, or even obtain medical care or surgery under a false name, leaving the real person who owns the account to pay for the fraudulent charges incurred. The Ponemon 2016 Cost of Data Breach report found that the average cost per stolen record in the healthcare industry is approximately $355. Compare that to the estimated $6.00 or less for purchase of stolen credit and debit card information, and it is clear that healthcare information is highly valuable and likely to be targeted by attackers who are motivated by profit. It is also clear that, when multiplied by the tens or hundreds of thousands of records usually involved in a breach, an incident could result in considerable expense to the impacted institution.
On a smaller scale, each of your institution’s emails is individually at risk of unauthorized access. An attacker may want to access the contents of email in order to sell the sensitive information they contain, such as healthcare records; to commit identity theft by misusing personal information; or to gain access to confidential or proprietary information about your institution. The latter could be used in many ways, from planning targeted attacks against the Human Resources department to stealing or even altering research data. These threats can come from both external attackers and insiders, so emails could be at risk even if they never leave your institution’s networks.
Leveraging email encryption to protect your PHI and meet HIPAA compliance
All email encryption technologies are designed to prevent attackers from viewing the contents of emails while in transit. The details of this vary can significantly from product to product, but the fundamental principle is the same. The sender, or a server near the sender, uses a cryptographic key to encrypt the content of the email. The encrypted email is then routed to the recipient, or a server near the recipient, that uses a second cryptographic key to decrypt the content, enabling the recipient to view the email message. Anyone monitoring the networks over which the encrypted email is carried is unable to decrypt it and view the original contents.
Email encryption solutions have become widely used for many reasons, including:
- Preventing costly and damaging data breaches by protecting sensitive data in transit.
- Enabling institutions to use cloud-based email and collaboration services by providing a way of protecting those emails.
- Supporting compliance with a variety of security and privacy legislation and regulations, such as HIPAA and HITECH.
Choosing the Best Email Encryption Solution
It’s important to carefully evaluate potential email encryption solutions for your healthcare institution before selecting one. Putting the wrong solution in place can significantly increase your IT staffing costs for both administration and technical support. It can also frustrate and impede your users, who are likely to circumvent a cumbersome or time-consuming solution and, in doing so, actually make a serious security problem even worse.
To assist you in evaluating potential solutions, here are six differentiators you should be sure to consider when conducting your evaluation of potential email encryption products:
- Emails should be protected all the way from sender to recipient.
- Emails sent from cloud-based services should also be protected.
- Email encryption and decryption should be easy for both senders and recipients to use.
- Cloud solutions should offer privacy protection without storing either the email messages or the keys.
- Key management should be worry-free for on-premise solutions.
- Product should cover all most important customer use cases.
HPE SecureMail is an award-winning solution for protecting sensitive data sent via email within your organization and to outside recipients. A large number of healthcare and life-sciences organizations leverage HPE SecureMail in their Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) compliance programs.
Download our new white paper Safeguarding Healthcare Information and Leveraging HPE SecureMail in Your HIPAA Compliance Program if you are interested in learning more about how to choose the best email encryption solution for your use case.