The Majority of Ransomware Attacks Start with an Email.
A HIPAA Breach Case Study
I routinely review the HIPAA wall of shame to see if there is anything that can be learned from the breaches and HIPAA violation notifications.
The most recent notification is a practice in Ohio that was breached through email. The breach type is listed as unauthorized access/disclosure. That could mean a current or former employee had access they should not have had, but in this case it looks more like a Business Associate without a BAA had access to PHI through email.
What we run into a lot is ex-employees' login information not being disabled. This gives an ex-employee full access to your data even after they leave.
We also find that the principle of least privilege is often not followed. There is no reason the receptionist at the front desk should have access to patient charts with historical information.
I have not been able to get more details about this breach (yet). Though it does not appear to be the case here, breaches and HIPAA violations through email most often fall into one of two scenarios.
Two Ways Email Can Lead to a HIPAA Breach
- There was PHI in their email and the email was not encrypted and/or there was no BAA from the email provider.
I still see a lot of dentists using Gmail, AOL, Yahoo, and free ISP accounts for email. This is not HIPAA compliant and can lead to fines. In the last two days alone, I have seen a Gmail account, AOL and SNET.
A BAA is required from the email provider to be HIPAA compliant. Microsoft Office 365 and Google (GSuite) can provide one. You also need a BAA from the IT Consultant if you have one managing email for you (and you should).
If you have any client data or sensitive information in your email, then it should be encrypted. This does not apply just to healthcare. Lawyers, financial firms and other regulated industries should, at a minimum, have encrypted email.
- An employee received a phishing email and clicked the link. That link probably led to the installation of ransomware and compromised their practice.
While phishing attacks are carried out for various reasons, including identity theft, financial theft and taking control of computers for other nefarious attacks, ransomware attacks most often begin with a phishing email.
The share of ransomware attacks that begin with a phishing email is estimated at 90%. This is very preventable.
There are two core components to preventing a successful phishing attack. The first is a proactive email monitoring tool that alerts on potential phishing attempts, lets users report them to IT, and lets IT approve or reject them based on its findings.
The second component is training. Your employees (and you) need to be trained on how to recognize a phishing email and what to do if they suspect an email is a phishing attempt.
Education is the most important aspect of any successful cybersecurity program. Your people are the weakest link.
The Potential Cost
The average cost of a HIPAA breach is $408 per record. This breach (a relatively small one) was 612 records. That means this healthcare practice could be on the hook for almost $250,000.
To put that another way, it would have cost them approximately $3500/month to have 24/7 Healthcare IT Consulting from a HIPAA-compliant provider under a BAA, which would have included the required HIPAA and Security Audits.
They could have paid for this IT support for 6 years before spending $250,000. They would have had everything set up the way it should be and would have had Phishing and Ransomware mitigation and education.
Businesses of all sizes and types try to save money where they can. This is understandable. Businesses stay in business by turning a profit.
Cybersecurity, and in the case of healthcare HIPAA compliance, is not a good place to skimp. The cost in the long run can far exceed your savings.
Email can be complicated, but with the right support team it doesn't have to be. Here's what we know from this HIPAA breach case:
- Email should be encrypted
- PHI should not be stored in email
- A BAA is required from the email provider (Usually Microsoft or Google)
- Free email accounts should never be used in Healthcare
- Phishing mitigation and education should be a core part of your cybersecurity plan
- Access to PHI should only be given to those who need it to perform their job
I plan on doing more “case studies” like this going forward. I hope you find this useful.
If you have any questions or want to take advantage of a deeply discounted HIPAA and Security Audit click here.