It is no secret that data breaches can be expensive. According to Ponemon Institute’s 2017 Cost of Data Breach Study: Global Overview (the “Ponemon Study”), the healthcare industry lays claim to the highest average cost of a data breach across all industries globally. In fact, in 2017 the healthcare industry beat out the global average by over $200 with a cost of $380 per lost or stolen record. The number one source of data breach in the US is someone perpetrating a malicious or criminal attack; the second is human error. Unfortunately, organizations may unknowingly increase their risk of experiencing one or both of these types of breach through their use of email. This article discusses how you can lower your risk through email encryption, thereby saving your healthcare practice or organization from an expensive data breach.
What is Email Encryption and why is it important?
Email encryption protects information, like patient data, transmitted via email from malicious attacks. Under HIPAA’s Technical Safeguards (45 C.F.R. § 164.312), implementing a mechanism to encrypt and decrypt electronic protected health information (PHI) is an addressable control. Thus, email encryption can help your organization protect against the most common form of data breach and better comply with HIPAA standards.
Email is a critical tool for your organization, but it poses risks.
Healthcare organizations electronically send and receive information for various reasons on a daily basis, and most rely on email as the most efficient way of doing so. However, your organization probably relies on user-based encryption, where the sender decides which emails should be encrypted. In this case, the sender generates an encryption key or password that is separately transmitted (by telephone or otherwise) to the intended recipient, and the recipient is required to enter the encryption key in order to access the encrypted message or file. While this can be a safe way to send and receive information, it slows the process down tremendously and opens transactions up to human error (e.g., the person transmitting the information forgets to encrypt the message and the information is sent in an unsecure manner). In an emergency healthcare situation where time is of the essence, the process of separately generating, transmitting, and entering an encryption key can create delay at a time when every second is vital.
Additionally, HIPAA obligates covered entities to provide PHI to patients in the form in which they request it. Patients often request PHI to be sent via email because it is usually the quickest way for them to receive it (versus traveling to their doctor’s office to obtain a paper copy or waiting for documents to arrive via postal service). If your organization does not have fully encrypted email, you could be forced to send PHI in an unsecure manner, increasing the risk that the information is accessed by someone other than the intended recipient.
A simple solution: Zero-Step Email Encryption
Most popular email providers do not automatically encrypt emails, so to protect yourself from these concerns and to properly comply with HIPAA standards, you probably need to implement your own encryption mechanism.
Zero-step email encryption automatically encrypts every email you send or receive, so all of your emails are protected against malicious attacks without the need to log in to a portal or otherwise flag the email for encryption. Since all email messages are automatically encrypted, rather than just those flagged by the user for encryption, the risks of human error associated with user-based encryption are eliminated. This is a safe and efficient way to make sure the information you transmit is protected and to reduce your risk of experiencing a breach.
At Nixon Law Group, we use Paubox, a HIPAA-compliant, zero-step email encryption service, to ensure that our email transmissions to and from our clients are secure. To learn more about how your organization can lower its breach risk through use of email encryption, please contact one of our attorneys.