
UC Davis Health System experiences another email breach

Another healthcare organization has experienced a data breach, and this time it had nothing to do with electronic health records. Instead, the incident was caused by unauthorized access to an email account. The University of California at Davis Health System has notified 1,326 patients who had their personal and medical information included in an email sent or received by the compromised account, according to the organization's press release.


The intrusion was only caught when an unidentified member of the UC Davis IT team noticed abnormal activity in a doctor's email account. The healthcare provider hired data security experts, but so far their research into the cause has been inconclusive. The source of the compromise is also unknown, and they have yet to determine which, if any, email messages were read.


UC Davis Health System has an email encryption program in place as well as cyber surveillance protocols and measures to protect against email filtering. In the short term, the hospital has blocked access to the user accounts and changed the associated credentials to prevent any further data leaks. For additional assistance with the data breach, the healthcare organization has reached out to numerous government agencies, including the California Department of Public Health, the California Attorney General's office and the federal Office for Civil Rights.


Not the first time

While this email breach does not seem to be too pressing of a matter, this is the second time in under a year that UC Davis Health System has experienced an intrusion to its email system. Health IT Security reported that malicious software affected three physicians' email accounts in December of 2013, and the breach was announced in January. The source stated that doctors opened an email disguising itself as a message from the UC Davis IT department, a type of attack that is known as a phishing attempt.


When the message was accessed, the attackers sent emails to others outside of the healthcare organization using the compromised accounts. Hospital representatives told Health IT Security that no patient records had been directly infiltrated, but some emails sent and received by the three accounts contained patient names, medical record numbers and information in regard to past hospital visits.


UC Davis Health System reacted in the same manner to the December breach as it did to the recent intrusion, sending a statement detailing how preventative measures should have stopped the attempt before it succeeded. The relationship between the two email breaches is unknown.


Preventing email intrusions with technology

While UC Davis Health System stated that it has email encryption software and trained employees, the healthcare organization could have implemented a few more security protocols. TechTarget contributor and information security consultant Kevin Beaver wrote that all it takes is one unencrypted email to cause an issue, as evidenced by the UC Davis incident, and offered three suggestions to ensure email compliance:

 

Consider third-party services: Beaver explained that IT departments should not claim encryption until all the necessary tools have been implemented and validated. If using Exchange, Transport Layer Security should be combined with a third-party email content filtering tool and an easy-to-use encryption mechanism for all email and attachments containing sensitive information. Beaver suggested using this setup for all messages regardless of their contents.

 

Train employees: IT administrators need to think beyond the technology, Beaver recommended. End users should have working knowledge of the email encryption process, and expectations in regard to security should be set. Beaver wrote that this will be half the battle toward preventing email breaches.

 

Monitor the network: Beaver estimated that somewhere in every organization, an employee or system is sending or receiving emails that contain sensitive information using POP3, SMTP or webmail via HTTP. IT administrators can benefit from using a network analyzer in order to find and stop unencrypted email from being sent.
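
As an added example of the monitoring suggestion above (not code from Beaver's article or from UC Davis), the following Python script flags sessions in which mail or mail credentials crossed the network unencrypted. The session records, addresses, host names and webmail list are constructed assumptions standing in for a network analyzer's export.

```python
# Constructed session summaries, in the shape a network analyzer export might
# take: (client, server, server_port, client-to-server lines seen in cleartext).
SESSIONS = [
    ("10.0.4.17", "192.0.2.10", 25,
     ["EHLO ws17", "MAIL FROM:<dr.a@example.org>", "RCPT TO:<lab@example.net>", "DATA"]),
    ("10.0.4.22", "192.0.2.10", 587, ["EHLO ws22", "STARTTLS"]),
    ("10.0.5.3", "192.0.2.20", 110, ["USER drb", "PASS example-only"]),
    ("10.0.5.9", "192.0.2.20", 110, ["CAPA", "STLS"]),
    ("10.0.6.40", "198.51.100.7", 80,
     ["POST /mail/compose HTTP/1.1", "Host: webmail.example.com"]),
    ("10.0.6.41", "198.51.100.8", 80,
     ["GET /index.html HTTP/1.1", "Host: www.example.com"]),
    ("10.0.6.42", "198.51.100.7", 443, []),  # TLS from the first byte
]

WEBMAIL_HOSTS = {"webmail.example.com"}  # assumption: list maintained by the site

def classify(port, lines):
    """Return a finding if mail or credentials crossed in cleartext, else None."""
    cmds = [line.strip() for line in lines]
    upper = [c.upper() for c in cmds]
    if port in (25, 587):                      # SMTP relay / submission
        for c in upper:
            if c == "STARTTLS":
                return None                    # upgraded before the envelope
            if c.startswith("MAIL FROM:"):
                return "SMTP message sent without STARTTLS"
    elif port == 110:                          # POP3
        for c in upper:
            if c == "STLS":
                return None                    # upgraded before login
            if c.startswith(("USER ", "PASS ")):
                return "POP3 login without STLS"
    elif port == 80:                           # plain HTTP
        for c in cmds:
            name, _, value = c.partition(":")
            if name.lower() == "host" and value.strip().lower() in WEBMAIL_HOSTS:
                return "webmail over plain HTTP"
    return None

def find_cleartext_mail(sessions):
    """Return (client, server, port, reason) for every cleartext mail session."""
    return [(c, s, p, r) for c, s, p, lines in sessions
            if (r := classify(p, lines)) is not None]

if __name__ == "__main__":
    for finding in find_cleartext_mail(SESSIONS):
        print("%s -> %s:%d  %s" % finding)
```

The workstations it reports are the ones to move to TLS-protected submission, POP3 with STLS, or HTTPS webmail.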

Learn about phishing

The December UC Davis Health System email breach was caused by phishing. It is crucial that every healthcare organization provides employees with knowledge about phishing, such as how to identify it and how to avoid it. Tony Bradley, PCWorld contributor, gave a few tips that should be relayed to all staff members. For example, if anyone receives a peculiar message, he or she should reach out to the sender via an instant messaging service or phone call before opening the email. These strange emails can be identified by simple, imperative subject lines or unrecognizable URLs. Bradley also wrote that phishing messages usually have consequences or rewards implied in the body of the text. Other recommendations from Bradley included double-checking the return email address and looking for poorly worded language. Chances are that banks or colleague physicians know the difference between "their" and "there."


Protecting against email threats can be easy for IT departments if the proper measures are taken. However, with so much on their plates already, IT professionals should not be responsible for ensuring that every email is encrypted. Businesses can consider installing encryption software or outsourcing IT security teams to help out their IT departments.

 

David Bailey is Senior Vice President at Protected Trust. 

Protected Trust is a sponsor of the Print4Pay Hotel. I urge members and readers to visit their site to see their full line of products and services.  More and more we need to provide well rounded strategic solutions for our customers. Protected Trust offers some unique solutions that can help us in our day to day efforts. Check them out here.

 
