Patients expect their healthcare providers to meet compliance regulations and keep their valuable information safe. Though, if you are HIPAA compliant, it doesn’t necessarily mean your data is secure. This article discusses the details of proper email security when it comes to HIPAA compliance.

Ensuring high quality patient care is the top priority for healthcare providers. As a result, hospitals and private practices aim to optimize the patient experience by operating as efficiently as possible.

That said, as it relates to email exchanges, organizations might unknowingly sacrifice another element of the patient experience: security. Although healthcare providers might be sending HIPAA compliant emails, they cannot fully eradicate factors outside their control. However, by recognizing the gap between HIPAA compliance and complete email security, along with protecting themselves from security threats, healthcare organizations can identify potential issues and implement strategies to keep protected health information (PHI) safe.

HIPAA Compliance Does Not Equal Security

While healthcare companies should strive to achieve total HIPAA compliance, the reality is that compliance does not equal security. Threats that undermine data security and jeopardize PHI, such as human error and cybercriminal activity, exist both inside and outside the organization regardless of best efforts by providers. A data breach can lead to a HIPAA violation with a fine of up to $1.5M if an investigation finds that the healthcare provider was negligent in following HIPAA guidelines.

With email being a top threat vector year after year, breaches can happen, even if an organization is doing its best to be HIPAA compliant. That’s because HIPAA regulations outline what must be done but not the “how.” Too often this leaves it open-ended on what would be considered “reasonable” when it comes to creating safeguards for PHI, especially technical safeguards, when it comes to email. That can create gaps for many organizations that do not have dedicated resources to ensure PHI is secured, especially as data becomes more digital and cloud based. More robust security frameworks like HITRUST CSF, ISO and SOC2 provide better guidance for creating a strong security posture.

In reality, HIPAA compliance is less about making sure data breaches never happen; but more about reducing the risk of a breach occurring.

Having the proper policies and practices in place minimizes risk and allows covered entities to react appropriately should there be an incident. Healthcare organizations that meet HIPAA compliance requirements, like limiting the number of staff members with access to PHI and encrypting their email, greatly reduce the risk of a HIPAA violation.

Providers must vigilantly keep abreast of potential threats since the landscape is constantly changing and preventing HIPAA violations relies heavily on proper security measures. Organizations that establish and maintain proper safeguards to combat email security breaches ensure the long-term health of their practices, avoid HIPAA fines and earn their patients’ trust.

Human Error Contributes to Healthcare Breaches

A sure-fire way to lose patient trust is by falling victim to a threat through human error.  Sending unencrypted email, accidentally sharing PHI with an unintended recipient or falling for a phishing email are all avoidable mistakes. While organizations traditionally focus on eliminating external threats, human error can be just as dangerous. Healthcare professionals try to prevent unauthorized access to PHI. Still, the fast-paced and high-stress nature of the industry cultivates an environment that leaves organizations exposed to email or network security breaches, even from the inside.

In an attempt to reduce human error, the HIPAA Privacy Rule requires healthcare organizations to adequately train employees and maintain strict policies to secure patient information. While unique to each healthcare organization, these policies often focus on mobile device usage, credential sharing and the ability to recognize and block malicious emails. Despite proper organizational training and policies, breaches caused by human error can — and will — still occur. In fact, human error accounted for nearly 30% of healthcare breaches in 2020 alone.

Cybercriminals Pose a Growing Existential Threat

In contrast, cybercriminals represent external threats to patient data. The Covid-19 pandemic provided an ideal situation for hackers to steal patients’ electronic health records and then demand ransoms for their safe return. Crowded hospitals have stretched healthcare employees thin. They have been required to adapt to new and unfamiliar technology, or they might have started relying on email more than ever before to maintain patient care. Without an easy-to-use HIPAA compliant email solution that protects inboxes from malicious messages, this can lead to successful phishing attacks and malware infections. Unfortunately, successful attacks are a daily occurrence.

A rise in remote work has created additional risks as improperly secured remote networks can enable cybercriminals to steal patient information swiftly and secretly. Ransomware, in particular, has become an existential threat as victims end up needing to spend money to recover PHI, pay fines and repair their damaged reputations. A recent IBM study found that the average breach costs an organization $$4.24 million. Despite the need to keep bad actors at bay, organizations often fail to establish a watertight security defense because of the constantly changing security landscape. In email specifically, not properly securing inbound and outbound messages opens the door for cybercriminals to steal valuable patient information. And as technology advances further, so will their techniques.

Strategies to Enhance Security

Healthcare professionals have to do all they can to prevent cybercriminals from stealing patient data. Yet securing your systems from internal and external threats can feel like a never-ending battle. When one weakness is resolved, another one arises.

However, there is a lot that covered entities can do to mitigate risk. A resilient cybersecurity strategy requires a broad approach that encompasses several elements, including:

  • Timely and continuous training to ensure your staff has the proper knowledge to avoid human error
  • Updating policies to ensure your organization is keeping up with the industry standard
  • Adopting new technologies to remove the human element wherever possible
  • Securing both inbound and outbound email to avoid sending unencrypted PHI and to prevent successful email hacks
  • Employing secure password policies to keep bad actors at bay
  • Patching and updating networks to cover new security holes as they occur
  • Increasing cloud network security so employees can safely work remotely

A vital part of your email security strategy is email encryption. It must be part of your healthcare cybersecurity game plan. Under HIPAA, encryption is an “addressable” way to secure email rather than being required. However, since there is no other effective method to secure email besides encryption, it is de facto a requirement. If you consider a security breach a significant issue (as you should), email encryption — especially when emails include PHI — is a must.

Partnering with a HITRUST CSF certified email security provider is one of the safest ways to protect PHI since it demonstrates a company’s commitment to healthcare data security. An email security platform should enable blanket encryption both in transit and at rest. Encryption won’t seal off every opportunity for a data breach, but it will prevent unauthorized users from accessing information shared via email, including PHI. The best inbound email security solutions will avoid the risk of human error by blocking malicious messages from even entering the inbox, being proactive versus reactive like most spam filtering solutions

Without maintaining HIPAA compliance and implementing effective strategies to combat threats to PHI, healthcare organizations cannot protect patient data. Healthcare providers must do their part to provide optimized patient experiences while simultaneously creating an environment that secures PHI in the process.


This post, Healthcare Organizations Remain at Risk Despite Proper HIPAA Compliance, was first shared by the MedCity News on October 1, 2021.