Email most likely source of healthcare data breach

A survey of senior information technology and security professionals in healthcare found the most likely source of a data breach to be email—which the vast majority of respondents admitted to using frequently to transfer protected health information and consider critical to their organization.

Seventy-six IT professionals were surveyed by Mimecast, a data security company, and HIMSS Analytics. When asked to rank likely sources of a breach, email got more first-place votes (37) than the other categories combined. Laptops and other portable devices were the next likeliest sources.

Many of the respondents have seen for themselves how email can be the opening for a cyberattack—78 percent said they’ve experienced an email-related attack in the form of ransomware or malware in the past year, with many saying they’ve seen more than a dozen instances.

“This study confirms that no healthcare provider is immune to this growing threat of email-related cyberattacks,” Bryan Fiekers, senior director of HIMSS Analytics, said in a statement. “While the results show that larger providers are being hit harder, especially with ransomware, these same organizations are also the ones leading the charge in defining industry best practices to address these threats.”

A large majority (87 percent) said they expect email-related security threats to increase in the near future, particularly ransomware attacks like WannaCry and Petya, which 83 percent of respondents labeled the most concerning type of email-related threat.

Better protection for email will be key for IT and data security investments because, judging by the survey responses, communicating through other means isn’t an option. Some 93 percent of respondents said email is “mission critical to their organization,” with 43 percent saying it’s so important that any downtime “couldn’t be tolerated.” Eighty percent of respondents said they use email to send protected health information.

“The results indicate the importance of secure messaging and encryption solutions that keep sensitive patient data safe,” wrote David Hood, Mimecast’s director of technology marketing. “This is also relevant in the event an account is compromised; a user is careless or in the unfortunate case of a malicious insider – all which put patient data at risk.”

The issue isn’t going unnoticed—97 percent of respondents said they “have a high level of concern about cybersecurity and resilience.” The most common initiatives being implemented, according to IT professionals, were preventing attacks (94 percent), training employees (90 percent), and securing email (77 percent). More than 70 percent said they were going further by standardizing cybersecurity policies or performing periodic audits of their security systems.