PRACTICE MANAGEMENT

E-mail traps: what you don’t know can hurt you


by Brendan J. Gallagher and Stephen C. Sheppard, C.O.E.
Would you drop a post card in the mail with your Social Security and credit card numbers marked in red ink? An unsecured e-mail that contains sensitive information is the equivalent of just that. E-mail has become a critical component of modern medical communications. It allows physicians and staff to send messages around the world instantly from home, work and mobile devices. Many people assume that, since e-mail is electronic, it is a secure form of communication. Sadly, it isn’t. An e-mail message can be intercepted and compromised at many locations on its journey from sender to recipient unless appropriate “authentication” and “encryption” controls have been put into place. Without these controls, sensitive information could be captured by anyone who intercepts the message and could result in identity theft or, at the very least, Health Insurance Portability and Accountability Act violations.
This article outlines some basic steps to provide security and awareness for the transmission and protection of sensitive data via e-mail.

Be “aware”


Take a stroll around your office and you may observe usernames and passwords written on sticky notes attached to monitors or left in other openly public locations. Similarly, you may note that co-workers share such information or leave their workstations logged on. This provides an opportunity for unauthorized access to HIPAA Protected Health Information (PHI). Your office policies and training should emphasize that staff must protect this information as they would their own Social Security or credit card numbers.

Be “strong”


One of the most effective methods to enhance e-mail security is to use “strong” passwords. This may sound intuitive, but choosing a password that has mixed case, alphanumeric characters, a special character, and is at least eight characters long substantially reduces the likelihood of unauthorized access to an e-mail account. Often users complain that “strong” passwords are difficult to remember but that does not need to be the case. A simple tip is to construct passwords from pieces of data that are well-known to the user and combine them in unique ways that are easily recalled, but make little sense to anyone else. For example, combine the model of your first car, the year of high school graduation and a state abbreviation. Capitalize the first letter, place an exclamation point at the end and you have a strong password (Geo82Mo!) that is easily remembered but virtually “unhackable.”
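A checker for the password rule described above, written as an added example (not the authors' code); the length threshold and the four character classes are the article's own, and the article's sample password is used as the test case.

```python
import re

# Minimum length as stated in the article.
MIN_LENGTH = 8

# Each requirement is a (description, pattern) pair; a password must match all of them.
REQUIREMENTS = [
    ("no lowercase letter", re.compile(r"[a-z]")),
    ("no uppercase letter", re.compile(r"[A-Z]")),
    ("no digit", re.compile(r"[0-9]")),
    ("no special character", re.compile(r"[^A-Za-z0-9]")),
]


def unmet_requirements(password: str) -> list:
    """Return the article's requirements that the password fails; empty list means strong."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    for description, pattern in REQUIREMENTS:
        if not pattern.search(password):
            problems.append(description)
    return problems


def is_strong(password: str) -> bool:
    """True when the password meets every requirement in the article's rule."""
    return not unmet_requirements(password)


if __name__ == "__main__":
    # The article's example (car model + graduation year + state abbreviation).
    for candidate in ("Geo82Mo!", "geo82mo"):
        print(candidate, "->", unmet_requirements(candidate) or "strong")
```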

Be “secure”


Most major security software vendors provide real-time scanning capability for e-mail communications and offer automatic updates. Ensure that the automatic update feature is enabled on all office computers, and if the security software requests an update, allow it to run. Most security software does an adequate job of removing or quarantining infected items and protecting users from risk. Should the software discover malware of some kind, allow it to delete or disinfect the message. When possible, ensure that individual users cannot disable the security software on their local workstation, as this exposes the entire network to harmful intrusions.
While staff members may complain that restarts demanded by the security software cause an interruption of work flow, it is far more cost-effective to restart a workstation or allow scanning to occur than to hire an information technology firm to clean a malware outbreak and determine if sensitive information has been compromised.

Be “sensitive”


Request that vendors and other business associates not send sensitive information, such as Social Security numbers or credit card information, via e-mail and make sure that your staff members know that these practices are prohibited. Software is available that checks all incoming or outgoing messages for sensitive information and alerts the network administrator when detected. If your practice doesn’t have this protection, consider acquiring it. As a best practice, if a message containing sensitive information is detected, it should be deleted and the sending party should be informed and counseled to avoid recurrence. Staff members should review the PHI identifiers that are defined by HIPAA. Many people do not know these identifiers include names, phone numbers, fax numbers, e-mail addresses and a number of other data elements and that including these data in e-mails may create HIPAA violations. Where there are ongoing business relationships that require sensitive information exchange, security certificates should be installed by the sending and receiving parties to provide authentication and encryption.
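The kind of outbound check the paragraph describes, as an added example rather than any particular vendor's product: it looks for the data types the article names (Social Security numbers, credit card numbers, and the phone, fax and e-mail PHI identifiers) and reports which messages should be held for the administrator. The sample messages are constructed; the card number is the well-known Visa test number.

```python
import re

# Patterns for the sensitive data the article names. Card candidates are 13-16 digits
# with optional separators and must also pass the Luhn check to cut false positives.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
PHONE_RE = re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_message(body: str) -> list:
    """Return (category, matched_text) findings for one message body."""
    findings = [("ssn", m.group()) for m in SSN_RE.finditer(body)]
    for m in CARD_RE.finditer(body):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            findings.append(("credit_card", m.group()))
    findings += [("phone_or_fax", m.group()) for m in PHONE_RE.finditer(body)]
    findings += [("email_address", m.group()) for m in EMAIL_RE.finditer(body)]
    return findings


def messages_to_hold(messages: dict) -> dict:
    """Map message id -> findings for every message that should be held and reported."""
    held = {}
    for mid, body in messages.items():
        findings = scan_message(body)
        if findings:
            held[mid] = findings
    return held


# Constructed sample outbox (not real data).
SAMPLE_MESSAGES = {
    "msg-1": "Hi, the patient's SSN is 123-45-6789, please update the chart.",
    "msg-2": "Invoice attached. Card on file: 4111 1111 1111 1111, exp 12/14.",
    "msg-3": "Lunch order for Friday: two sandwiches and a salad.",
}
```

A real deployment would run this on the mail gateway and alert the administrator for each held message; the regexes are deliberately simple and will miss unformatted or obfuscated values.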

Be “unattached”


Unfortunately, it is very easy for health care professionals to inadvertently send PHI in a manner that may violate HIPAA. Many forms, surveys and reports from modern medical management systems readily provide PHI in formats that are easy and, in fact, are designed to e-mail. Often people request that documents and data be sent in an e-mail even though the material contains sensitive information. Why is e-mail such a prevalent practice? Its popularity likely stems from the fact that e-mail is a “comfortable” technology for most users. While it can be difficult to upload spreadsheets or case information to a secure server or set up a virtual private network, e-mail is a quick and easily understood tool.
Attachments should always be reviewed for content before sending and those containing PHI should never be e-mailed unless steps to secure the system have been completed. When attachments are received be sure that they appear plausible and are from a known sender. The majority of viruses and malware are transmitted via e-mail attachments. Instruct all staff members to delete attachments that are received from unknown senders, appear suspicious or have file extensions that are not common or recognized.
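The three attachment rules in the paragraph above (unknown sender, suspicious appearance, uncommon extension) as an added example that is not part of the article; the extension allowlist and the known-sender list are assumptions a practice would replace with its own, and the disguised double extension is the "suspicious" case this example chooses to flag.

```python
import os

# Assumed policy values for this example; populate from the practice's own vendors and staff.
ALLOWED_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
KNOWN_SENDERS = {"billing@example-vendor.test", "frontdesk@example-practice.test"}


def attachment_verdict(sender: str, filename: str) -> str:
    """Return 'keep' or 'delete: <reasons>' following the article's three rules."""
    reasons = []
    if sender.strip().lower() not in KNOWN_SENDERS:
        reasons.append("unknown sender")
    root, ext = os.path.splitext(filename.lower())
    if ext not in ALLOWED_EXTENSIONS:
        reasons.append("uncommon extension " + (ext or "(none)"))
    # A document extension hidden before the real one (statement.pdf.exe) is a
    # common disguise, so it is treated as suspicious on its own.
    inner_ext = os.path.splitext(root)[1]
    if inner_ext in ALLOWED_EXTENSIONS:
        reasons.append("double extension")
    return "keep" if not reasons else "delete: " + "; ".join(reasons)


def triage(items) -> dict:
    """Return {filename: verdict} for a list of (sender, filename) pairs."""
    return {name: attachment_verdict(sender, name) for sender, name in items}


# Constructed sample inbox for the example.
SAMPLE_ATTACHMENTS = [
    ("billing@example-vendor.test", "Statement_March.pdf"),
    ("unknown@example.test", "photo.jpg"),
    ("billing@example-vendor.test", "Statement.pdf.exe"),
]
```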

Be “private”


Many small practices do not have company e-mail and rely on free e-mail accounts from Yahoo!, Hotmail, Google, and others. While there is nothing inherently insecure about these e-mail services, the process for resetting an account password is simple and publicly known, which leaves them open to abuse. Note also that messages sent via these services are typically not HIPAA compliant.
A high profile case of this type was the hacking of former Gov. Sarah Palin’s Yahoo! e-mail account during the 2008 election cycle. The hacker used information readily found on the Internet to correctly answer security questions, changed Palin’s password and accessed the account information. While this may seem far-fetched for you or your staff—Palin is, after all, a very public figure—given the proliferation of social media web sites and the archives of information online, the answers for many of your basic security questions may be just a search query away.
E-mail is a powerful tool that facilitates the exchange of information from next door to around the world. Education consisting of basic security practices, knowing and identifying sensitive data and protecting patient data through secure methods and technologies helps maintain compliance and prevents costly data breaches. Forewarned is forearmed!
ABOUT THE AUTHORS

Brendan J. Gallagher is technology services manager and Stephen C. Sheppard is managing principal of Medical Consulting Group, LLC, Springfield, Mo. Either can be reached at 417-889-2040 or via e-mail at bgallagher@medcgroup.com or ssheppard@medcgroup.com.
Copyright © 1997-2012 EyeWorld News Service