Email most likely source of healthcare data breach

A survey of senior information technology and security professionals in healthcare found the most likely source of a data breach to be email—which the vast majority of respondents admitted to using frequently to transfer protected health information and consider critical to their organization.

Seventy-six IT professionals were surveyed by Mimecast, a data security company, and HIMSS Analytics. When asked to rank likely sources of a breach, email got more first place votes (37) than the other categories combined. Laptops and other portable devices were the next likeliest sources.

Many of the respondents have seen for themselves have email can be the opening for a cyberattack—78 percent said they’ve experienced an email-related attack in the form of ransomware or malware in the past year, with many saying they’ve seen more than a dozen instances.

“This study confirms that no healthcare provider is immune to this growing threat of email-related cyberattacks,” Bryan Fiekers, senior director of HIMSS Analytics, said in a statement. “While the results show that larger providers are being hit harder, especially with ransomware, these same organizations are also the ones leading the charge in defining industry best practices to address these threats.”

A large majority (87 percent) said they expect email-related security threats to increase in the near future, particularly ransomware attacks like WannaCry and Petya, which 83 percent of respondents labeled the most concerning type of email-related threat.

Better protection for email will be key for IT and data security investments because, judging by the survey responses, communicating through other means isn’t an option. Some 93 percent of respondents said email is “mission critical to their organization,” with 43 percent saying its so important that any downtime “couldn’t be tolerated.” 80 percent of respondents said they use email to send protected health information.

“The results indicate the importance of secure messaging and encryption solutions that keep sensitive patient data safe,” wrote David Hood, Mimecast’s director of technology marketing. “This is also relevant in the event an account is compromised; a user is careless or in the unfortunate case of a malicious insider – all which put patient data at risk.”

The issue isn’t going unnoticed—97 percent of respondents said they have a “have a high level of concern about cybersecurity and resilience.” The most common initiatives being implemented, according to IT professionals, were preventing attacks (94 percent), training employees (90 percent), and securing email (77 percent). More than 70 percent said they were going further by standardizing cybersecurity policies or performing periodic audits of their security systems.

""
John Gregory, Senior Writer

John joined TriMed in 2016, focusing on healthcare policy and regulation. After graduating from Columbia College Chicago, he worked at FM News Chicago and Rivet News Radio, and worked on the state government and politics beat for the Illinois Radio Network. Outside of work, you may find him adding to his never-ending graphic novel collection.

Around the web

The tirzepatide shortage that first began in 2022 has been resolved. Drug companies distributing compounded versions of the popular drug now have two to three more months to distribute their remaining supply.

The 24 members of the House Task Force on AI—12 reps from each party—have posted a 253-page report detailing their bipartisan vision for encouraging innovation while minimizing risks. 

Merck sent Hansoh Pharma, a Chinese biopharmaceutical company, an upfront payment of $112 million to license a new investigational GLP-1 receptor agonist. There could be many more payments to come if certain milestones are met.