Disclaimer: This blog article was written by an AdvancedMD partner. The views and opinions expressed in this article are those of the author(s) and do not necessarily reflect the official policy or position of AdvancedMD.
Alameda Health Systems in California recently reported a patient data breach that affected the information of approximately 90,000 patients. The breach involved unauthorized access to staff members' email accounts, which the attackers then used to reach patient information.
Being aware of this incident is important because it highlights that patient data systems such as EHR, imaging and billing systems are not the only areas you need to monitor and protect to keep patient data secure. You must also consider the security of your office's email system.
How to Secure your Business Email System
If you are using a free email system for yourself and your staff.
Free email systems typically have less security and are more vulnerable to intrusion than paid services. For example, if you are using a Yahoo email address, you are at much higher risk than you should be. Yahoo is not HIPAA compliant: the encryption is not adequate, and Yahoo will not sign a Business Associate Agreement.
If you are using an email address provided by your internet provider.
It may not have the security you need to properly protect your inbox.
If you are using a paid email service.
You may not have all the tools enabled that you need to be properly HIPAA compliant. You want to ensure the following features are enabled for your email. Please note that some of these are technical features that your email provider may need to enable for you.
- Flag emails that come from outside your practice (i.e., from an external email address)
- Prescreen emails to identify potential spam and phishing emails
- Implement Sender Policy Framework (SPF)
- Implement DomainKeys Identified Mail (DKIM)
- Implement Domain-based Message Authentication, Reporting and Conformance (DMARC)
- Require multi-factor authentication when accessing email from a computer that is not inside your organization
- Know what type of encryption is applied to your email
- Have a signed Business Associate Agreement with your email provider
You may have none, a few or all of these features already in place. A Business Associate Agreement and encryption are both an absolute must. The other measures are recommended, and the more of them your email provider can enable, the better.
Email security is vital to protecting patient records, and it is your responsibility to make a good-faith effort to ensure the security of the email system you use for your practice.
Please join TLD Systems for our free monthly webinar series on Cybersecurity.
The upcoming schedule is:
- July 6 – Password Security
- August 3 – Email Security
To register for our free webinar series, click here.