How to Build Healthcare System’s Email Security Strategy

Cyberattacks, including malware, email phishing, and ransomware, are all on the rise this year. Healthcare organizations continue to be a favorite target of cybercriminals. Read this article to receive a blueprint for an email security strategy that will keep your organization and its data safe.

What’s covered:

• The top 10 cybersecurity tips for healthcare organizations
• A framework for building your security strategy and utilizing technology to work for you
• How to combat the “human element,” which is the biggest source of security failures

Content Summary

Think people first
Provide protection everywhere
Make technology work for you
About Coral
Challenge
Solution
Results

Cyberattacks—among them malware, phishing, and ransomware attacks— have been on the rise since 2020. While these are not new threats, the challenges these past two years are unlike anything any of us encountered before. COVID-19’s swift spread across the world resulted in many companies rapidly switching to remote work—in many cases, without sufficient security tools or technologies in place.

Cybercriminals have lost no time in taking advantage of the shift. According to a report by SonicWall, ransomware attacks increased by 151 percent in the first half of 2021 as compared to the same period in 2020. Healthcare organizations continue to be a favorite target. Nowhere is this gap more evident than in the healthcare industry, which has borne the greatest impact from the COVID-19 pandemic. Healthcare organizations updated policies and pivoted rapidly, increasing their need to communicate with patients and providers about everything from elective surgery cancellation to personal protective equipment (PPE) guidelines.

Establishing a strong security posture doesn’t have to be difficult or complicated. However, executing a robust security strategy does require individual employees to take specific actions to keep the organization secure. While these steps seem almost too basic (use strong passwords, keep your security tools updated, and use good computer habits), studies show that users are indeed the weak link.

According to HHS, “Security professionals are unanimous: The weakest link in any computer system is the user. Researchers who study the psychology and sociology of Information Technology (IT) users have demonstrated time and again how very difficult it is to raise people’s awareness about threats and vulnerabilities that can jeopardize the information they work with daily.”

Because users don’t dependably apply good security practices, they can be one of the greatest threats to an organization’s security without realizing it. According to CyberEdge’s 2020 Cyberthreat Defense Report, “The greatest barriers to establishing effective defenses are (a) lack of skilled IT security personnel and (b) low security awareness among employees.”

According to the respondents, these are more serious issues than having too much data to analyze, lack of management support, or budget.

Therefore, it follows that the best place to start when building—or strengthening —an organization’s security strategy is finding tools and techniques that take the responsibility of cybersecurity away from the organization’s users.

HIPAA compliance is crucial

In 1996, the Health Insurance Portability and Accountability Act (HIPAA) became law in the United States. HIPAA created a set of rules and requirements for how covered entities subject to HIPAA, from health insurance plans to hospitals, can use individuals’ protected health information (PHI). It requires them to protect PHI, only disclosing it in certain specific situations. HIPAA aims to balance the need to share PHI—giving patients’ medical record details to their doctors, for example —with a patient’s right to keep their health information private.

HHS’ top 10 cybersecurity tips for healthcare organizations

According to the U.S. Department of Health and Human Services (HHS), building an effective security strategy for healthcare organizations includes the following 10 steps:

1. Establishing a security culture
2. Protecting mobile devices
3. Maintaining good computer habits
4. Using a firewall
5. Installing and maintaining antivirus software
6. Planning for the unexpected
7. Restricting access to PHI
8. Using strong passwords and changing them regularly
9. Limiting network access
10. Controlling physical access

How to build your security strategy

Think people first

When given the choice to choose a data-first or a user-first methodology, focus on the people inside your system first. After all, human error is the biggest source of security failures, and therefore IT teams must spend significant time on initial onboarding and ongoing training for employees. And once training is complete, it’s up to the individual user to follow through with every step of the security protocol—something many people don’t do. The human element is what keeps IT security pros up at night.

The fact is, most email security solutions are only as good as the people operating them. Senders may forget to enable email encryption, transmitting unprotected information as a result. Recipients forget passwords, meaning they cannot read emails sent to them via an email portal. Many people still use unsecured passwords, making their accounts easy to hack.

So, all of this leads to an essential part in email communication for the healthcare industry, and that is to find an adequate HIPAA-compliant email service. Most of people will think of Gmail, but as you can read in Hushmail’s article, just because you can make it HIPAA compliant, it doesn’t mean it’s ideal.

Paubox Email Suite solves these problems. Once it’s configured, our HIPAA compliant email solution does not require users to do anything at all to secure an email. Senders simply click “send,” and recipients simply click “open.” Paubox encrypts all emails by default using TLS 1.3 encryption, which is the newest and most secure version of the Transport Layer Security (TLS) protocol.

When a recipient’s email address does not support TLS encryption, Paubox software blocks the email from being delivered in plain text and instead moves the email to a secure web app, ensuring that organizations stay HIPAA compliant.

Whereas some solutions achieve security by using clunky, multistep, password- based portals, Paubox Email Suite provides truly seamless encryption. Other solutions require users to remember to take extra steps, such as putting a certain keyword in the subject line or choosing an encryption option on the email’s interface. All it takes to cause a HIPAA violation is one employee sending one email without taking these precautions. Given recent research on users’ security behavior and awareness, that risk is simply too great.

Provide protection everywhere

Now that the workplace has expanded to include both traditional and home offices, email use continues to explode. More than 300 billion emails are sent every day.

To create a robust security strategy, companies must protect data at the center and all the way out to the edge, covering all endpoints. Two-factor authentication, for example, is an easy way to add a layer of security that takes advantage of the ubiquity of mobile devices.

And to make sure every email your organization sends—whether it’s from the office or the couch —is secure, use Paubox Email Suite. Paubox Email Suite utilizes zero-step email encryption that enables seamless protection across any and all devices.

Healthcare organizations must think about the needs of email recipients as well. Security solutions that require people to download software or create an account in order to log in to a portal to read an email make users reluctant to read the message. Extra steps also create friction, making email unnecessarily complicated. In cases like these, encryption technology is working against the organization’s mission by preventing critical communication from happening.

Make technology work for you

Luckily, there are elegant security solutions available that make it easy for an organization to adopt a robust security posture. For all its focus on innovation, healthcare as an industry continues to rely on outdated communication methods. Many healthcare organizations are still using the fax machine—which was cutting-edge technology in the 1800s. Fax machines are slow and cumbersome technology with functionality that has largely been replaced by email encryption solutions.

However, not all HIPAA compliant email technologies are created equal. Unlike other solutions, Paubox Email Suite offers a seamless experience for both sender and recipient. It is HITRUST CSF® certified, which means that it has met key regulatory requirements and is appropriately managing risk. And Paubox is always on, working in the background to protect every email no matter what device it is sent from. It’s light years ahead of other email encryption technologies.

Paubox Email Suite is the cornerstone around which smart healthcare organizations—big and small—are building their security strategies in 2022.

About Coral

CUSTOMER SUCCESS STORY: Coral

Coral is a healthcare IT company with a platform that directly connects health plans and providers, cutting out thirdparty health plan administrators, paying providers faster, and cutting costs for both health plans and patients. Its nationwide system is used by self-insured employers who want bundled offerings and providers who want easy access and management for bundled cases. Coral has 60 remote employees and works with more than 1,000 provider offices across the country.

A key part of Coral’s platform is sending transactional email notifications to providers, employers, and patients. Its messaging platform must be HIPAA compliant and guarantee that every automated notification is secure and encrypted.

At the same time, Coral’s team sends thousands of emails a month outside of its secure platform, some of which may include protected health information (PHI).

Challenge

Email notifications are a vital part of Coral’s platform—they alert customers whenever they have a new Coral message, prompting them to check the system. However, before Paubox, in order to remain HIPAA compliant, those automated notifications were not as helpful to customers as they could have been.

“Within our system, we used very vague language in our notifications, so that we didn’t violate HIPAA,” said Morgan Smith, Coral’s head of product development.

While this approach was in compliance with regulations, it missed an opportunity to provide excellent service to Coral’s customers. For example, a provider would get a notification that read, “You have a new message in Coral.” There was no way for the provider to know if the message was important, urgent, or neither. The provider had to go to the trouble of logging in to find out. Over time, Coral users became engaged with the platform as a result of this friction.

Email security also presented a roadblock as Coral sought to add new features to its platform. For example, Coral is launching a new feature that creates healthcare vouchers. However, without encryption, emailing these vouchers would constitute a HIPAA violation.

Solution

Coral’s team first learned about Paubox when a customer sent them an email with the Paubox email footer explaining that the message was encrypted and HIPAA compliant. Paubox’s seamless, behind-the-scenes email encryption secures every email automatically, with no extra steps for senders or recipients to take. Unlike cumbersome portal-based email encryption solutions, Paubox doesn’t add time or complexity for users. And unlike keywordbased solutions, Paubox doesn’t depend on senders remembering to encrypt specific messages—which can lead to lapses in HIPAA compliance. Paubox Email API and Paubox Email Suite are HITRUST CSF certified, meeting the industry’s highest email security and HIPAA compliance standards.

“Using Paubox Email Suite has amplified our ability to provide excellent customer service quickly.” – Morgan Smith, Head of Product Development, Coral

With Paubox Email API, developers can add Paubox’s amazing technology to their own healthcare IT solutions. Coral uses the API to bring Paubox’s HIPAA compliant email infrastructure to Coral’s messaging platform. That way, Coral can add more information into the notifications it sends customers. “Using Paubox Email API for our system notifications saves our customers time, saves them trouble, and gives them more information,” Smith said.

For regular emails sent outside Coral’s platform, the team uses Paubox Email Suite to encrypt every email automatically. “Using Paubox Email Suite has amplified our ability to provide excellent customer service quickly,” Smith said. “For both notifications and our general, day-to-day communications, Paubox is stellar.”

Results

In the past year, Paubox has encrypted nearly 500,000 emails for Coral, including outbound notifications sent through the Coral platform and emails sent directly from 46 Coral team member accounts. “Paubox protects everyone from themselves in a great way. The peace of mind that we get from knowing that everything we send is encrypted frees everyone at Coral up to focus on their work instead of focusing on compliance,” Smith noted.

The time savings—both for Coral’s employees and for its customers—has been tremendous. “Using Paubox doesn’t add anything to our workload. Rather, it reduces the mental burden of focusing on email encryption and HIPAA compliance,” Smith said. “Paubox is a guardian angel protecting the Coral team.”