HIPAA Compliant Email Encryption: A Guide For Healthcare Organizations - Expert Insights

In recent years, healthcare organizations have been put under pressure to ensure the security of their patients’ protected health information, or PHI. This includes medical histories, test results and mental health information, as well as demographic and insurance information. Due to the personal nature of this data, it’s crucial that it be kept confidential to protect the privacy of those whom it concerns. Because this data is so valuable, it’s a prime target for cybercriminals, who can sell PHI on the dark web, or attempt to jeopardize it as part of ransomware attacks. Not only can this compromise the financial security of affected patients, but it can also lead to delays in them receiving treatments due to a lack of medical records on file.

Unfortunately, this means that healthcare organizations are a lucrative target for cyber attackers, who are increasingly using brute force and social engineering methods to gain access to the email accounts of healthcare workers in order to steal sensitive information. Once they’ve gained access to an account, the attacker can then manipulate the organization and its stakeholders into sending them sensitive data. This is called business email compromise (BEC) and, according to IC3, is the most expensive form of cyberattack that organizations are currently facing.

Medical data is among the top five types of data most commonly compromised in a social engineering attack, and the healthcare industry consistently suffers the most in terms of the cost of a data breach, with the average breach costing USD 7.13 million.

As attackers find increasingly sophisticated ways to steal confidential information, healthcare organizations must be vigilant in deploying the correct preventative security measures to protect that data. Encryption is one such measure, which ensures that, even if a cybercriminal manages to gain access to email records containing sensitive information, they won’t be able to decipher the data within those records.

In this guide, we’ll explain how you can use encryption to secure PHI in line with HIPAA regulations. We’ll also outline some of the key features that you should look for in an encryption solution, so that you can be confident that you’re implementing the best solution to secure your patients’ data.

What Does HIPAA Say About Encryption?

The 1996 Health Insurance Portability and Accountability Act, more commonly known as HIPAA, requires all covered entities (health plans, healthcare clearinghouses and healthcare providers) in the United States to protect electronic PHI at rest, in storage and in transit. As a part of this, organizations complying with HIPAA regulations are strongly advised to encrypt any emails being sent externally, i.e. beyond their own firewall, such as exchanging medical information between a healthcare provider and insurance company.

If you fail to properly secure electronic PHI, you could find yourself facing a fine. HIPAA fines range from 100 dollars to 50,000 dollars per violation, so implementing an encryption solution will not only help secure your patients’ data, but could be the preventative measure that saves your organization from enormous financial pressure.

However, implementing an encryption service isn’t enough to ensure HIPAA compliance; you need to make sure that you’ve configured the service properly, and that you’re using your encryption service in the correct way. To do this, there are a few things you should consider:

  1. Make sure that your encryption provider signs a Business Associate Agreement (BAA) before you use their service to send any emails containing PHI. This agreement outlines the responsibilities of both you and the provider when it comes to ensuring the confidentiality of your patients’ PHI.
  2. You need to acquire written consent from your patients before sending any PHI via email, even if you’re using a HIPAA compliant email provider. Before patients agree to having their information sent via email, you need to advise them of the associated risks — only once they’ve declared that they’re willing to accept these risks can you send PHI via email.
  3. Make sure that you store all emails containing PHI in a secure archive — including all documentation related to your use of encryption to secure these emails. The retention period for this information is usually six years, but this can change state-to-state, so be sure to check your state laws on email archiving for HIPAA compliance.
  4. You need to configure your encryption service to use end-to-end encryption. End-to-end encryption secures data at rest and in transit with the use of a public key architecture. This means that the sender uses a public key to encrypt the email and the recipient uses a private key, known only to them, to decrypt it. This means that nobody but the recipient can access the information in an encrypted email — not even the encryption service provider.

Built-In Encryption: Google Workspace And Office 365

Google Workspace and Office 365 are the two most popular cloud email providers that businesses are currently using, and both providers are willing to sign BAAs to help ensure HIPAA compliance. However, it’s not enough to just use either of these services; you need to use them correctly in order to be compliant.

Google Workspace’s email service is HIPAA compliant only when used alongside a business domain, and configured to use end-to-end encryption. It’s important to note that the same rules don’t apply for Gmail; Gmail is a free, consumer product, and can’t be made HIPAA compliant because Google doesn’t sign a BAA for its free services.

The Enterprise E3 and E5 versions of Microsoft’s Office 365 suite support HIPAA compliance, but other versions (including the Office 365 for Business plan) do not. This is because only the E3 and E5 plans include the capability to maintain audit logs.

Microsoft’s HIPAA and HITECH documentation page clearly states that “using Microsoft services does not on its own achieve [compliance with HIPAA and the HITECH Act]”, and that organizations are responsible for making sure that their use of Microsoft services is in line with both regulations.

Similarly to Google Workspace vs Gmail, Microsoft’s free, consumer email service — Outlook.com — isn’t HIPAA compliant, and healthcare organizations shouldn’t use it to send electronic PHI.


What Is Email Encryption?

So you know that, in order to be HIPAA compliant, you should be encrypting your emails. But what exactly is encryption, and how does it work?

Encryption is a process that encodes information in a message or a file so that it can only be read by someone who holds the secret needed to decode it. An algorithm encrypts the data, and the encoded message is sent to its recipient, who uses a secret value called a “cryptographic key” to decrypt it. Decryption changes the encrypted ciphertext back into plaintext, so that the recipient can read it.

There are a few different types of encryption, but the one you need to implement in order to be HIPAA compliant is called “end-to-end” encryption. This method of encryption ensures that data is unreadable to any unauthorized persons while at rest, in storage and in transit. The most commonly used method of end-to-end encryption runs on a public key architecture, where the decryption key is stored on the recipient’s device, rather than on the encryption provider’s server. This means that only the recipient has the ability to decrypt the data; even if a hacker compromises your encryption provider, they still won’t be able to read your encrypted data.
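The public key flow described above, as an added example that is not part of the original article and not any vendor’s product code. It uses Go’s standard library only: a fresh AES-256-GCM content key encrypts the message body, and that key is wrapped with RSA-OAEP to the recipient’s public key (hybrid encryption). The function names, the `phi-mail-v1` label and the sample message are constructed for this illustration. The point it makes is the one in the text: the provider relaying the message, even holding a key pair of its own, cannot unwrap the content key, and only the device holding the recipient’s private key can read the body.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel binds the wrapped key to this use; sender and recipient must agree on it.
var oaepLabel = []byte("phi-mail-v1")

// EncryptedMail is everything the email or encryption provider ever sees:
// ciphertext plus a content key that only the recipient's private key can unwrap.
type EncryptedMail struct {
	WrappedKey []byte // AES-256 content key, RSA-OAEP encrypted to the recipient's public key
	Nonce      []byte // AES-GCM nonce, unique per message
	Ciphertext []byte // AES-256-GCM ciphertext with its authentication tag
}

// GenerateRecipientKeys runs on the recipient's device. The private key stays there;
// only the public half is handed to senders.
func GenerateRecipientKeys() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SealMessage runs on the sender's side: a fresh random AES-256 key encrypts the
// body, and that key is wrapped with the recipient's public key.
func SealMessage(recipient *rsa.PublicKey, plaintext []byte) (*EncryptedMail, error) {
	contentKey := make([]byte, 32)
	if _, err := rand.Read(contentKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, contentKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &EncryptedMail{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// OpenMessage runs on the recipient's device with the private key. Any other key,
// including one held by the provider, fails at the unwrap step; a ciphertext that was
// altered at rest or in transit fails the GCM authentication check.
func OpenMessage(priv *rsa.PrivateKey, m *EncryptedMail) ([]byte, error) {
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, m.WrappedKey, oaepLabel)
	if err != nil {
		return nil, errors.New("key unwrap failed: not the intended recipient")
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, m.Nonce, m.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("message was altered in transit or at rest")
	}
	return plaintext, nil
}

func main() {
	// Constructed sample: the recipient (an insurer) and a relay that holds its own key pair.
	recipient, _ := GenerateRecipientKeys()
	relay, _ := GenerateRecipientKeys()

	sealed, err := SealMessage(&recipient.PublicKey, []byte("Constructed sample: claim 0001, lab result pending"))
	if err != nil {
		panic(err)
	}
	if _, err := OpenMessage(relay, sealed); err != nil {
		fmt.Println("relay/provider:", err)
	}
	body, err := OpenMessage(recipient, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Println("recipient reads:", string(body))
}
```

The design choice worth noting is that the provider stores only `EncryptedMail`, so a breach of the provider yields ciphertext and wrapped keys it cannot open; the weak point that remains is the device holding `priv`, which is why the next paragraph’s emphasis on endpoint security matters.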

Encryption itself doesn’t stop an attacker from accessing sensitive data; it stops them from being able to read it, should they breach the organization’s firewalls.

However, it’s important to remember that, like any cybersecurity solution, encryption has its vulnerabilities. In the case of end-to-end encryption, this vulnerability lies in the security of the users’ devices. If an attacker were to hack into a user’s device, they could steal that user’s cryptographic key or even just read their victim’s already-decrypted emails. For this reason, it’s important that you also implement robust endpoint security defenses (such as multi-factor authentication and endpoint security solutions) to prevent attackers from gaining device and account access.

Why Do You Need To Encrypt Your Emails?

As an organization in the healthcare industry, there are a number of reasons why you should be encrypting your emails. Let’s take a look at them.

Secure Your Patients’ PHI

Protecting confidential electronic PHI at rest, in storage and in transit is an important responsibility of any healthcare organization, be that organization an insurance company, a doctor’s surgery, or a clearinghouse checking medical claims for errors. This responsibility includes being able to securely share and collaborate on sensitive information, in order to be able to provide patients with the treatment they need, such as sharing data between healthcare providers and third-party supply chains.

The reason that this data must be kept so secure is because of how sensitive it is. Confidential patient data is particularly valuable to attackers, and it can be very damaging to both your organization and your patients if an attacker manages to gain access to it, which they might try to do by carrying out a business email compromise (BEC) attack.

There are three main steps to a BEC attack:

  1. The hacker taps into unsecured outbound emails to learn who your employees are communicating with, and how.
  2. Once they’ve got a good grasp of their target’s communication patterns, they email that target, impersonating one of their known contacts and asking them to click on a link or open an attachment.
  3. If the user does open the link or the attachment, they install malware onto their machine, which enables the hacker to gain access to their mailbox. From here, they can steal any PHI stored insecurely within the mailbox, and they can carry out further internal BEC attacks — undetected — from their target’s account.

This type of breach can have catastrophic consequences for affected organizations, who may consequently find themselves the target of a ransomware attack. On September 10th, 2020, one such ransomware attack compromised the digital infrastructure of Düsseldorf University Clinic in Germany. The hospital was forced to cancel hundreds of scheduled procedures, reduce its capacity by almost half, and close its accident and emergency department. As a result of this, the hospital was unable to admit a nearby patient: a 78-year-old woman suffering from an aortic aneurysm, who needed immediate attention. The closure meant that the patient had to travel to another facility 32 kilometers away. Her treatment was delayed by an hour, and she died shortly afterwards.

A strong encryption solution can help mitigate such attacks on healthcare organizations by ensuring that attackers can’t read those original emails.

Protect Your Reputation

The consequences of a data breach, particularly ones involving lost or stolen personal patient information, can be enormous. This doesn’t just mean the financial cost of recovering from the breach itself, but also loss of reputation. When your patients entrust you with their personal data, they expect you to keep it safe and secure; if they no longer believe that you can keep that data secure, they lose trust in your organization and look elsewhere for one who can.

Save Costs

A strong encryption solution will enable you to send and sign confidential documents totally securely, increasing your organization-wide adoption of digital document delivery. This reduces the need for hard copies and enables you to save on printing costs. That may not seem like a big deal at first glance, but those figures can quickly add up. According to Gartner, companies spend an average of 1-3% of their annual revenue on printing. That means that an organization with an annual revenue of 10 million dollars could save up to 300,000 dollars every year on printing costs alone by leveraging a secure digital document delivery service.

Achieve Compliance

We’ve been through this one already: in order to comply with any data protection regulations, you need to be able to prove that you’re implementing processes and tools to keep the data you work with secure.

The same goes for HIPAA, and HIPAA regulations extend to the requirement that you encrypt all emails containing electronic PHI that are sent outside your organization, i.e. beyond your firewall. That includes insurance information being sent between health plans, healthcare clearinghouses and healthcare providers.

What Features Should You Look For In An Encryption Solution?

Email encryption is a crucial tool for healthcare organizations looking to secure their patients’ electronic PHI. However, there are a lot of encryption services on the market and, while this means that you’re bound to find one to suit your business need, it also means that finding the right solution can be challenging — particularly if you aren’t sure where to start.

To help you find the right encryption service we’ve put together a list of the most important features that healthcare organizations should look for in an encryption solution:

Security

Your number one priority when implementing an encryption solution should be making sure it offers the necessary security you need — after all, the reason you’re investing in a solution is to secure data. There are a few key considerations here:

  1. Your encryption solution should support NIST- and FIPS-approved encryption standards. Currently, AES with 128-, 192- and 256-bit keys is the most widely recommended standard.
  2. You should be using end-to-end encryption, rather than server-side encryption, to make sure that the only person who can decrypt confidential data is the intended recipient, because they’re the only person with access to the decryption key; with end-to-end encryption, not even the service provider can access encrypted information.
  3. Your service needs to provide long-term security. While some industries may only need to keep data secured for a relatively short period of time, say, a few years, you may need to keep certain information confidential for the concerned patient’s entire lifetime.

Ease Of Deployment, Integration And Scalability

It’s important that your chosen solution is easy to deploy and roll out across your organization. A cloud-based encryption solution will be easier to deploy than its on-premise counterpart, as cloud solutions usually include the ability for admins to sync the solution with their current user directory. Because they don’t require the installation of any hardware, cloud-based encryption solutions are also much more flexible in terms of scalability.

In addition to a straightforward deployment process, your solution should offer integrations with your existing user management tools, such as Active Directory, and security tools, such as password managers and single sign-on solutions. This will enable users to sign in to the service quickly and securely, while enabling admins to sync the management portals for each solution.

Ease Of Use For End Users

No matter how robust the security it provides, if your solution is complicated to use, your employees aren’t going to use it. This applies to two types of user: the sender and the recipient.

Not only does it need to be easy for senders to encrypt emails from within their inbox, but they should also be able to configure further settings such as alerts for when emails have been received and opened, expiration dates, and email editing or recall, to be able to update information if needed or retract a message if it was sent to the wrong person.

As for the recipient, it should be easy to access encrypted emails. While this may seem like an obvious feature, many encryption solutions require recipients who don’t have the encryption service installed to create an account to access encrypted emails, or open the email in a secure web portal. The strongest email encryption solutions enable recipients to open emails without having to create an account with the encryption service provider.

Auditing And Reporting Capabilities

When it comes to HIPAA, it isn’t enough just to be compliant; you also have to prove your compliance. A good encryption solution will be able to generate reports into email delivery, including when they were sent, delivered and opened, by whom, and from which location. These reports help to demonstrate that your organization is taking measures to secure PHI at rest, in storage and in transit, as required by HIPAA. They will also enable you to demonstrate that you’ve not only implemented an encryption solution, but that you’ve configured it correctly to ensure compliance.


Our Recommendation

Trustifi is a market-leading encryption provider that helps organizations to secure their email content via powerful AES 256-bit end-to-end encryption. Trustifi’s solution is easy to deploy, easy to use for both senders and recipients and — crucially — enables “one click” HIPAA compliance.

One-Click HIPAA Compliance

Trustifi’s user-friendly encryption service enables healthcare organizations to make their emails HIPAA compliant with just one click. Admins can configure the solution’s “One-Click Compliance” and data loss prevention (DLP) policies, choosing the regulations that they need to comply with, to help reduce the complexities involved in maintaining and proving compliance, while ensuring that all electronic PHI sent or stored via email is kept secure. With this feature enabled, Trustifi’s AI engine scans all outgoing emails for sensitive content and automatically takes appropriate measures to reduce the risk of human error. If an employee forgets to encrypt an email containing PHI, that email will still be encrypted, ensuring that your organization remains compliant.

The One-Click Compliance feature is compatible with HIPAA/HITECH standards, as well as PII, GDPR, FSA, FINRA, LGPD and CCPA.
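The policy behaviour described above (scan every outgoing message for PHI indicators and encrypt it even when the sender forgot to) is shown here as an added example; it is not Trustifi’s code and not from the original article. It assumes a small gateway policy written in Go with constructed indicator patterns (SSN-style numbers, a medical record number, an insurance member id, a few clinical terms), constructed sample messages, and an `AuditLine` helper that records only which indicators fired, never the matched PHI, so the log can support the reporting the article asks for without itself leaking data. A real DLP policy carries far more patterns tuned to the organization’s own data; these four only illustrate the mechanism.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// OutboundMail is a simplified outgoing message as a gateway policy would see it.
// SenderEncrypted records whether the sender chose to encrypt; the policy may override it.
type OutboundMail struct {
	From, To, Subject, Body string
	SenderEncrypted         bool
}

// Indicator is one named pattern that suggests PHI is present.
type Indicator struct {
	Name    string
	Pattern *regexp.Regexp
}

// phiIndicators are constructed examples of the content a DLP policy looks for.
var phiIndicators = []Indicator{
	{"ssn", regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)},
	{"medical-record-number", regexp.MustCompile(`(?i)\bMRN[:#\s]*\d{6,10}\b`)},
	{"insurance-member-id", regexp.MustCompile(`(?i)\bmember\s*id[:#\s]*[A-Z0-9]{6,}\b`)},
	{"clinical-term", regexp.MustCompile(`(?i)\b(diagnos(is|ed)|lab results?|test results?|prescription)\b`)},
}

// Decision is what the policy engine returns for one message.
type Decision struct {
	Encrypt  bool     // true when the message must leave encrypted
	External bool     // true when the recipient is outside the organization's domain
	Matched  []string // indicator names that fired, kept for the audit trail
}

// EvaluateOutbound applies the policy: encrypt if the sender asked for it, or if any
// PHI indicator matches in the subject or body, regardless of what the sender chose.
func EvaluateOutbound(m OutboundMail, orgDomain string) Decision {
	text := m.Subject + "\n" + m.Body
	d := Decision{
		External: !strings.HasSuffix(strings.ToLower(m.To), "@"+strings.ToLower(orgDomain)),
	}
	for _, ind := range phiIndicators {
		if ind.Pattern.MatchString(text) {
			d.Matched = append(d.Matched, ind.Name)
		}
	}
	d.Encrypt = m.SenderEncrypted || len(d.Matched) > 0
	return d
}

// AuditLine renders one decision as a single log line, the kind of record a compliance
// report is built from. Only indicator names are logged, never the matched PHI itself.
func AuditLine(m OutboundMail, d Decision) string {
	return fmt.Sprintf("from=%s to=%s external=%t sender_encrypted=%t encrypt=%t indicators=[%s]",
		m.From, m.To, d.External, m.SenderEncrypted, d.Encrypt, strings.Join(d.Matched, ","))
}

func main() {
	// Constructed sample messages; no real patient data.
	mails := []OutboundMail{
		{From: "nurse@clinic.example", To: "claims@insurer.example", Subject: "Claim 0001",
			Body: "Patient MRN 482913, SSN 123-45-6789, lab results attached."},
		{From: "admin@clinic.example", To: "staff@clinic.example", Subject: "Lunch",
			Body: "Cafeteria at noon?"},
	}
	for _, m := range mails {
		fmt.Println(AuditLine(m, EvaluateOutbound(m, "clinic.example")))
	}
}
```

The first sample message leaves encrypted even though `SenderEncrypted` is false, which is the human-error case the feature is meant to cover; the second carries no indicators and is left alone, so the policy does not force encryption onto every internal message.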

As well as automating encryption, Trustifi’s “Postmark” feature provides users with certifiable proof of delivery and enables users to track delivery progress. Users can also recall, block, modify and set expiration dates for emails that have been delivered, including editing attachments that have already been sent.

This security extends to the recipient, too — Trustifi uses multi-factor authentication to verify the identity of each recipient, ensuring the highest level of security while enabling them to access emails sent to them without having to create an account with Trustifi.

Inbound Email Security

As well as securing users’ outbound emails, Trustifi offers a range of advanced inbound security features that help protect users against potential spam, viruses, malware and ransomware, as well as BEC attacks.

Firstly, Trustifi scans all inbound email communications for potential threats and rates each message in terms of its threat level and type. These ratings range from “Authenticated”, i.e. “safe to open”, through to “Impersonation Attack” and “Spoofing Attack”. System admins can take these automated threat warnings a step further by configuring inbound protection policies to automatically quarantine emails that are deemed malicious, so that they never reach your employees’ inboxes.

In addition, Trustifi offers email address whitelisting and blacklisting, which helps organizations to avoid repeat attack attempts from known threat actors, or to ensure that emails from known senders that may not be recognized by the platform aren’t mistakenly quarantined.

Summary

Healthcare organizations exist to serve their patients, and a critical aspect of that involves protecting the personal data of those patients.

The task of securely storing and transferring PHI can be a mammoth one when attempted manually, and it’s for that reason that we recommend you take advantage of one of the powerful encryption platforms on the market to help you overcome this challenge.

A strong email encryption solution like Trustifi will help you to protect your patients’ PHI from falling into the wrong hands, whilst also bolstering your organization’s reputation as one that cares about its patients’ security. Additionally, it can help to secure your organization against sophisticated email threats such as social engineering, BEC and ransomware.

Trustifi’s solution offers secure, reliable encryption without slowing down your employees’ work days. Trustifi also accommodates all HIPAA regulations, helping you to help your patients, whilst remaining totally compliant.

If you’re looking for a user-friendly encryption solution that will help ease the complexities of email security and compliance, you can start a free trial of Trustifi via the link below.