Email is the top channel for HIPAA data breaches so far in 2018 – according to the OCR’s Breach Portal – but that’s not the whole story.
Email is only the top channel – i.e. “location of breached data” – by breach count. When looking at the number of people impacted by HIPAA breaches, the location “network servers” tops the list.
We reviewed the OCR’s HIPAA Breach Portal for breaches reported from Jan. 1, 2018 to June 13, 2018. We tabulated the locations of the breaches to create the two charts below and provide you more insight.
Note: some breaches had more than one reported location, such as “Desktop Computer, Email”.
Email has led the pack for a while. It was also the top location of healthcare data breaches reported to OCR in 2017, accounting for 25% of the total. You can see more about this in our new Healthcare Threats Report 2018.
Many cyber attacks that are attributed to “hacking” or “malware” first enter the organization through email. It’s a reliable channel for attackers – they’ve used it for decades.
With a cleverly crafted email, hackers can convince employees to install malware, share access credentials, or perform any number of actions that give the attackers a foothold.
In this way, staff members become unwitting pawns of the attack and help it succeed. Only a few seconds of oversight by a single employee can spark a breach that takes years to resolve.
Massive phishing attacks often rely on generic emails sent to huge lists. Attackers know they will see a low infection rate, so they make up for it with volume. The strategy has worked for years, but some attackers are moving on.
Today, generic campaigns are giving way to spear phishing attacks. This approach sends fewer emails to smaller lists – sometimes to a single recipient – and tailors the message more carefully.
A spear phishing email may reference the recipient’s role or industry, and may even name-drop the person’s boss. The result is a higher success rate for attackers and a continuing cyber security problem for email in healthcare.
A survey of health IT professionals revealed two-thirds (69%) had experienced a spear phishing attack within the last 12 months, according to a Ponemon report, The State of Cybersecurity in Healthcare Organizations in 2018 (which is no longer online).
In another survey, cybersecurity staff in healthcare were asked about their organization’s most recent major security incident. Where did it occur? 62% said email was the initial point of compromise, according to the 2018 HIMSS Cyber Security Survey.
Most often, malicious emails try to trick people into opening a malware attachment or clicking a link to open a malicious website or open a phony web form.
Clever attackers can also convince people to reply to an email with sensitive information – such as access credentials. This happened recently at Flexible Benefit Services, a Chicago-based health insurer.
Attackers gained access to an employee’s email account after the person responded to a phishing email and disclosed the account’s login credentials, according to HIPAA Journal.
Not all email data breaches in healthcare are malicious or part of a cyber attack. Some are genuine mistakes, such as when protected health information is accidentally emailed to the wrong person.
In one breach, reported to OCR on March 12, an employee at RoxSan Pharmacy emailed a spreadsheet to an attorney.
“The spreadsheet contained the ePHI of approximately 1,049 individuals. The ePHI included patient information, such as insurance information, prescription information, and physician names,” according to the Breach Portal.
Email is a powerful channel. Even a momentary oversight by a single employee – either when checking emails or sending them – can spark a small crisis and earn the organization a spot on the OCR Wall of Shame.