Email Breaches Lead to 'Wall of Shame'
Recent Health Data Incidents Spotlight Common Security Challenges
Several recent large data breaches involving email mishaps serve as a reminder of precautions that healthcare entities must take with protected health information contained in digital communications that are sent or received by their organizations.
Among recent incidents listed on the Department of Health and Human Services' "wall of shame" website of HIPAA breaches affecting 500 or more individuals are two incidents at the North Carolina Dept. of Health and Human Services. Another reported incident, not yet publicly posted on the HHS website, occurred at the University of Cincinnati Health.
In both North Carolina DHHS breaches, which were discovered about a month apart, employees sent unencrypted email messages containing PHI to other local health departments in the state. One incident affected more than 1,600 individuals, the other DHHS breach about 524 people.
In a statement, the North Carolina public health officials say, "DHHS cannot determine for certain that the email was not intercepted during transmission over the Internet, but has no reason to believe any information was compromised. DHHS is reminding staff to encrypt emails containing confidential information prior to sending, and is also exploring technology that will encrypt emails automatically to avoid human error in the future."
PHI exposed in those incidents includes names, Medicaid recipient ID numbers, Social Security numbers, dates of birth, addresses, gender, ethnicity, race, insurance information and healthcare provider names.
Meanwhile, the University of Cincinnati Health says its recent breach, affecting a total of 1,064 individuals, involved email messages that were sent to the wrong domains on nine occasions over a period of about a year.
In a statement, UC Health says, "emails containing PHI that were intended to be sent internally within UC Health were inadvertently sent to an incorrect email address at a domain similar to UC Health's authorized domain. The mistake was made when two letters were transposed in the email address domain name."
Some privacy and security experts say HIPAA breaches - large and small - involving email are a persistent problem for many healthcare entities.
"I believe email is a common source of breaches," says Rebecca Herold, partner and co-founder of the consulting firm SIMBUS Security and Privacy Services. "Many people are very nonchalant about making such mistakes," she adds. "In this year alone I've had a lawyer, a privacy officer and an information security officer all accidentally send me email messages they had meant for other 'Rebeccas.'"
Herold says she believes most people erroneously receiving such messages probably don't bother to notify the senders of the errors, and most senders don't check to ensure their intended recipients actually received the message. "Most people assume email delivery is guaranteed, and most don't think about the possibility that they made a mistake and sent a message to the wrong person," she says.
Such errors can potentially translate to massive breaches, especially if there are unencrypted attachments, such as spreadsheets, containing PHI for lists of patients, as was the case in both recent North Carolina DHHS email breaches.
"Data leak prevention tools can be used to stop clear text PHI in emails from being sent to recipients outside of the network, and within the network," Herold says.
When it comes to preventing breaches like the one at UC Health involving misdirected emails, Herold recommends shutting off the auto-fill feature for email addresses. She also suggests that entities use network tools that identify PHI in emails leaving the network and flag those messages.
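The UC Health incident was caused by two transposed letters in a recipient domain, the kind of near miss that a plain spelling check would not catch but a send-time check can. The following Python is an added example written for this article, not code from UC Health, Herold or any vendor; it assumes a placeholder authorized domain (uchealth.example) and constructed To/Cc headers, and classifies each recipient as internal, a look-alike of the organization's own domain (within one edit, counting an adjacent-letter swap as one edit), or external.

```python
from email.utils import getaddresses

# Assumption: placeholder for the organization's own mail domain(s). The real
# UC Health domain is not on the page, so an example value is used.
AUTHORIZED_DOMAINS = {"uchealth.example"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions
    and adjacent transpositions each cost 1. Plain Levenshtein would score a
    swapped pair of letters as 2, which is why transpositions are handled here."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[rows - 1][cols - 1]


def classify_recipient(address: str, authorized=AUTHORIZED_DOMAINS,
                       max_distance: int = 1) -> str:
    """Return 'internal', 'lookalike' (within max_distance edits of an
    authorized domain) or 'external'."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in authorized:
        return "internal"
    if any(osa_distance(domain, auth) <= max_distance for auth in authorized):
        return "lookalike"
    return "external"


def audit_recipients(to_header: str, cc_header: str = "") -> dict:
    """Parse To/Cc header values and classify every address found."""
    headers = [h for h in (to_header, cc_header) if h]
    report = {}
    for _name, addr in getaddresses(headers):
        if addr:
            report[addr] = classify_recipient(addr)
    return report


def should_hold(report: dict) -> bool:
    """A gateway or send-time plug-in would hold the message for the sender's
    confirmation when any recipient domain is a near miss of the organization's own."""
    return any(cls == "lookalike" for cls in report.values())


if __name__ == "__main__":
    # Constructed headers: the second recipient has two letters transposed.
    report = audit_recipients("Dr. Lee <lee@uchealth.example>, nurse@ucheatlh.example",
                              "partner@clinic.example")
    for addr, cls in report.items():
        print(f"{addr:32} {cls}")
    print("hold for confirmation:", should_hold(report))
```

Holding a message with a look-alike recipient for an explicit confirmation is a narrower control than blocking all external mail, and it targets exactly the error UC Health described: a domain one keystroke away from the authorized one.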
Of the 1,390 major HIPAA breaches listed on the wall of shame as of Nov. 19, 116 involve email. Some, like the recent incidents at the North Carolina DHHS, have been accidental, but others have involved malicious insiders.
Among the largest email breaches involving malicious, unauthorized access or disclosure was a 2012 incident at the South Carolina Department of Health and Human Services, which affected nearly 228,500 enrollees of the state's Medicaid program.
In that case, a former state employee was sentenced in November 2014 to three years of probation, plus community service, after pleading guilty to four counts of willful examination of private records by a public employee and one count of criminal conspiracy.
Besides email incidents involving intentional and accidental unauthorized disclosures of PHI, the HHS wall of shame is also splattered with a variety of major breaches involving email and hackers.
Among the largest hacking incidents listed on the wall of shame involving email is a breach reported earlier this year at South Bend, Ind.-based Beacon Health System. In that incident, the PHI of 220,000 individuals was exposed as a result of phishing attacks on some Beacon Health employees that started in November 2013, leading to hackers accessing "email boxes" that contained patient data.
"Phishing is definitely a top problem that doesn't always get the attention it deserves," says Mark Dill, who joined consulting firm tw-Security earlier this month from the Cleveland Clinic, where he served as director of information security for 15 years.
For instance, the Verizon Data Breach Investigations Report for 2015 states that 23 percent of users open phishing emails and 11 percent click on the embedded link. Plus, 50 percent of users open the phishing email within the first hour, Dill notes. Major breaches caused by compromised internal credentials are often the result of a successful phishing attack, he adds.
Steps to Take
Experts recommend a number of measures that organizations should take to reduce the risk of breaches involving email.
For incidents involving unauthorized disclosure, "most email filters have at least a lexicon - as simple as a word list or weighted word list - to sense when PHI and other sensitive data types are being sent, then auto-route for encrypted delivery - or data in motion," Dill says.
"Making users aware of other key words that can be an encryption trigger like 'confidential' or setting the sensitivity flag before sending - can be coded to auto-route for secure delivery," he adds.
Still, "data loss prevention tools will likely do the best job to monitor, alert, quarantine for review, forward and encrypt, and/or block based on job role - to enforce corporate appropriate use rules," Dill says.
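Dill describes a progression: a lexicon or weighted word list that triggers encrypted delivery, a user-set sensitivity flag that does the same, and a DLP layer that can quarantine or block by job role. The Python below is an added example written for this article, not a product's logic or code from tw-Security; the lexicon weights, the PHI patterns, the thresholds, the role policy and the sample messages are all constructed, and the "Sensitivity" values mirror the Private / Company-Confidential header that common mail clients set. It scores a message and returns the routing decision a gateway would apply.

```python
import re

# Constructed weighted lexicon: the weights are illustrative, not tuned values.
LEXICON = {
    "confidential": 3,
    "medicaid": 3,
    "patient": 2,
    "diagnosis": 2,
    "date of birth": 2,
}

# Structured PHI patterns, weighted higher than words because they are rarely false positives.
PHI_PATTERNS = {
    "ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), 5),
    "dob": (re.compile(r"\b\d{2}/\d{2}/\d{4}\b"), 2),
}

# Sensitivity header values (lower-cased) that trigger encrypted delivery on their own.
ENCRYPT_SENSITIVITIES = {"private", "company-confidential"}

ENCRYPT_AT = 3      # score at or above this: auto-route for encrypted delivery
QUARANTINE_AT = 8   # score at or above this: hold for review

# Constructed role policy: only these roles may send PHI outside the organization.
ROLES_MAY_SEND_PHI_EXTERNALLY = {"care-coordinator", "billing"}


def score_message(subject: str, body: str):
    """Return (total score, per-indicator contributions) for subject plus body."""
    text = f"{subject}\n{body}".lower()
    hits = {}
    for term, weight in LEXICON.items():
        n = text.count(term)
        if n:
            hits[term] = weight * n
    for name, (pattern, weight) in PHI_PATTERNS.items():
        n = len(pattern.findall(text))
        if n:
            hits[name] = weight * n
    return sum(hits.values()), hits


def route_message(msg: dict, internal_domain: str, sender_role: str) -> tuple:
    """Decide deliver / encrypt / quarantine / block for one outbound message.

    msg keys: 'to' (list of addresses), 'subject', 'body', optional 'sensitivity'.
    """
    external = [r for r in msg["to"]
                if not r.lower().endswith("@" + internal_domain.lower())]
    score, hits = score_message(msg.get("subject", ""), msg.get("body", ""))
    phi_found = any(name in PHI_PATTERNS for name in hits)
    sensitivity = msg.get("sensitivity", "").lower()

    if not external:
        return ("deliver", score, hits)          # internal-only: log the hits, deliver
    if phi_found and sender_role not in ROLES_MAY_SEND_PHI_EXTERNALLY:
        return ("block", score, hits)            # role not allowed to send PHI externally
    if score >= QUARANTINE_AT:
        return ("quarantine", score, hits)       # enough signal to warrant human review
    if sensitivity in ENCRYPT_SENSITIVITIES or score >= ENCRYPT_AT:
        return ("encrypt", score, hits)          # lexicon or sensitivity flag trigger
    return ("deliver", score, hits)


if __name__ == "__main__":
    # Constructed sample: a spreadsheet-style roster pasted into a message body.
    roster = {
        "to": ["intake@county-clinic.example"],
        "subject": "Medicaid roster",
        "body": "Patient Jane Doe, SSN 123-45-6789, date of birth 02/03/1980",
    }
    for role in ("clerk", "billing"):
        action, score, hits = route_message(roster, "uchealth.example", role)
        print(f"role={role:8} action={action:10} score={score} hits={hits}")
```

The role check runs before the score thresholds so that a forbidden disclosure is blocked outright rather than merely encrypted; the sensitivity flag path lets a user opt a low-scoring message into encryption, which is the "encryption trigger" Dill refers to.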
"Emerging market place tools provide encryption with lifecycle management tools - where the file has to 'check in' before use," he notes. "When the sending organization has the encryption key, they can always control what can be done with the file, and by whom - deleting the key when they choose, rendering the file a useless blob."
To reduce the risk of phishing-related breaches, "training is essential," Herold says. The training should also provide examples and case studies of phishing attempts that succeeded, and the damage they caused, she notes.
Dill also suggests that user behavior analytics tools, which can highlight when the behavior of user IDs and devices "is stepping away from baseline behaviors," can help signal when a credential has been compromised.
Other safeguards include "effective web filters" that can block outbound egress to known infected sites or to sites with no reputation or a bad one, he says.
However, safeguarding endpoints is "the tool of last or first defense," he adds. "Emerging tools that don't rely on pattern files may block malware variants more effectively." Finally, "disallowing access to users' personal webmail accounts while at work...will eliminate one common vector," he says.