How Email Encryption, Archiving Serve the Security Needs of Healthcare Organizations


Malicious actors have a history of using email to target healthcare organizations and 2019 was no exception. Indeed, nefarious individuals made headlines in numerous security incidents throughout 2019 that began with a successful email attack. They then leveraged those initial attacks to steal patient data or deploy ransomware.

Challenges of Defending Against a Healthcare Data Breach

These and other security events highlight the ongoing challenges that healthcare organizations face in terms of strengthening their email security. In a 2019 survey, for instance, the Healthcare Information and Management Systems Society (HIMSS) found that 74% of healthcare organizations had experienced a significant digital security incident in the past 12 months. Email served as the initial point of contact for 59% of those incidents.

In a similar vein, researchers conducted 95 phishing simulations to evaluate healthcare organizations’ preparedness against malicious email campaigns. Those exercises sent a total of 2,971,945 emails, of which 422,062 (14.2%) were clicked by employees. The average click rate across those organizations ranged from 7.4% to 30.7%, Reuters reported, with a median of 16.7%.

Why Healthcare Organizations Should Be Concerned

Healthcare organizations should be concerned by these shortcomings in their email security posture. Digital attackers can exploit weak email security practices to infect employees’ workstations with malware. They can then leverage that initial infection to move laterally through the network with the ultimate goal of stealing sensitive information including stored patient data.

Once targeted and infected, healthcare organizations face a costly road to recovery. IBM and the Ponemon Institute's annual "Cost of a Data Breach" report determined in 2019 that the average data breach cost for a healthcare organization eclipsed all other sectors at $6.45 million per incident. Additionally, healthcare organizations paid an average of $429 to recover each breached record—far higher than the overall average of $150.

The costs might not end there, either. Healthcare organizations must also comply with HIPAA by implementing proper measures designed to protect patients’ protected health information (PHI). Those who fall short of their compliance obligations could face additional penalties ranging from $100 to $50,000 per violation (or per record) involving a data breach.

The Need for Proper Email Security Measures

Unfortunately, the threats confronting healthcare organizations continue to evolve and grow in sophistication. As reported by the HIPAA Journal, Maze ransomware infected 231 workstations owned and operated by New Jersey-based Medical Diagnostic Laboratories in early December 2019. When the 100 BTC ransom was refused, Maze’s operators published 9.5GB of the organization’s research data, which had been stolen before the ransomware ran its encryption routine. The group took this step in the hope of restarting negotiations with Medical Diagnostic Laboratories, as well as of securing a second 100 BTC ransom for permanently destroying the stolen data.

Healthcare organizations should take action now against such threats by investing in a two-pronged email security strategy. First, they should consider using an email encryption solution driven by policy filters to automatically encrypt messages and attachments that contain sensitive information. That capability should also allow healthcare organizations to quarantine a sensitive email, at which point employees, managers and IT personnel can review it for potential policy violations.

Second, they should protect themselves by investing in a solution that can automatically archive all digital communications. This solution should be capable of classifying these emails so as to streamline organizations’ assessment, investigation and management efforts to thwart potential threats before they bloom into security incidents.
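The two prongs above share one mechanism: a policy filter that scans a message and its attachments for PHI indicators, picks a disposition (deliver, encrypt, or quarantine for review), and emits classification tags that an archive can index. The following is an added, self-contained illustration of such a filter, not code from the article or from any product it alludes to; the rule patterns, the sample message and the tag names are constructed assumptions.

```python
import re
from email import message_from_string

# Policy rules: (tag, pattern, action). The patterns are constructed for this
# illustration and are not a real product's rule set; tune them before use.
POLICY_RULES = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "quarantine"),
    ("mrn", re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.IGNORECASE), "encrypt"),
    ("diagnosis", re.compile(r"\b(?:diagnos(?:is|ed)|ICD-10)\b", re.IGNORECASE), "encrypt"),
]
# The most restrictive action among all matched rules wins.
ACTION_RANK = {"deliver": 0, "encrypt": 1, "quarantine": 2}

def extract_text(msg):
    """Gather scannable text from the body and from every text-type attachment."""
    chunks = []
    for part in msg.walk():  # walk() descends into every MIME part
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True)  # undo base64/quoted-printable
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def evaluate_policy(raw_message):
    """Return the disposition of a message and the tags that justify it."""
    text = extract_text(message_from_string(raw_message))
    tags = sorted(tag for tag, pattern, _ in POLICY_RULES if pattern.search(text))
    action = "deliver"
    for tag, _, rule_action in POLICY_RULES:
        if tag in tags and ACTION_RANK[rule_action] > ACTION_RANK[action]:
            action = rule_action
    return {"action": action, "tags": tags}

# Constructed sample: a referral whose text attachment carries PHI.
SAMPLE_MESSAGE = """\
From: clinic@example.org
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached referral.
--b1
Content-Type: text/plain
Content-Disposition: attachment; filename="referral.txt"

Patient MRN: 00123456, diagnosis confirmed, SSN 123-45-6789
--b1--
"""
```

Because the attachment, not the body, carries the indicators, scanning only the top-level text would have let this message through; the returned tags double as the archive's classification labels.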