Time and time again we see healthcare organizations using free email accounts. While convenient, it is an extremely dangerous decision in a world where HIPAA fines are increasing in cost and occurrence.
If you or your employees have access to or use free email services from your organization’s network, either officially for business and/or for personal use, you are at an extreme risk of being breached!
Why? Think about what can be sent via email. Whether you are using email to send patients reminders or any other communication, there is a strong likelihood of PHI being sent. If you allow employees to access those accounts from your organization’s network, it is easy for them to send patient data out, either by accident or deliberately in order to steal it.
Guess what happens if a hacker gets into an email account that your employee uses? You’ve been breached and need to report it, which will trigger a HIPAA audit.
Now, think about these headlines over the last year…
- Hundreds of Millions of Email Accounts Hacked and Traded Online, Says Expert
- A Russian hacker has 272 million stolen Gmail, Yahoo, and Hotmail passwords
- 500 Million Yahoo Accounts Hacked, Change Your Passwords Now
- and on and on…
What is worse is that the free email services make their money by serving ads in their online email client. Have you ever wondered how they tailor those ads? They do it by data-mining your emails, which means that any PHI in those messages is now being kept in their databases!
Notice we didn’t even go into the threat of malware and ransomware, which is also extremely high when using these free services.
There is never a good reason to use free email services within a health organization or any organization that deals with PHI. Just as importantly, block access to these services on your organization’s firewall so that no one can reach them from your organization’s resources.
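As an added example (not code from the original post), here is a small Python audit script that runs over proxy or firewall logs and reports which webmail accesses were allowed versus denied, so you can verify that the block rule actually holds and see which internal hosts still reach free email. The log line format and the webmail domain list are assumptions for the illustration; extend both for your own environment.

```python
# Added example: audit proxy/firewall logs for reaches to free webmail services.
# The domain list and the log format below are assumptions for this illustration.
import re
from collections import Counter

# Assumed blocklist of free webmail domains (extend for your environment).
WEBMAIL_DOMAINS = {
    "gmail.com", "mail.google.com", "yahoo.com", "mail.yahoo.com",
    "hotmail.com", "outlook.live.com", "live.com", "aol.com",
}

# Assumed squid-like access-log shape: "<timestamp> <client_ip> <ALLOW|DENY> <url>".
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(ALLOW|DENY)\s+(\S+)$")
HOST_RE = re.compile(r"^(?:[a-z]+://)?([^/:]+)", re.I)

def matches_webmail(host):
    """True if host equals, or is a subdomain of, any blocked webmail domain.
    The leading dot in the suffix check stops 'notgmail.com' from matching."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WEBMAIL_DOMAINS)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, action, url = m.groups()
    host = HOST_RE.match(url).group(1)
    return {"ts": ts, "client": client, "action": action, "host": host}

def audit(lines):
    """Return (allowed, denied): webmail hits that slipped through vs. blocked, per client IP."""
    allowed, denied = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not matches_webmail(rec["host"]):
            continue
        (allowed if rec["action"] == "ALLOW" else denied)[rec["client"]] += 1
    return allowed, denied

# Constructed sample log lines for the demonstration (not real traffic).
SAMPLE_LOG = [
    "2024-01-15T09:01:02Z 10.0.5.21 ALLOW https://mail.google.com/mail/u/0/",
    "2024-01-15T09:02:10Z 10.0.5.21 ALLOW https://www.example-ehr.test/login",
    "2024-01-15T09:03:44Z 10.0.5.33 DENY https://login.yahoo.com/",
    "2024-01-15T09:04:05Z 10.0.5.33 ALLOW https://outlook.live.com/owa/",
    "2024-01-15T09:05:00Z 10.0.5.40 ALLOW https://notgmail.com.test/",
]

if __name__ == "__main__":
    reached, blocked = audit(SAMPLE_LOG)
    print("webmail reached (block rule gap):", dict(reached), "blocked:", dict(blocked))
```

Any client IP in the "reached" set is evidence the firewall rule is incomplete or bypassed; a non-empty "blocked" set shows the rule is working but that staff are still trying.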
If you are looking for hosted email service providers, there are options out there and most will not break the bank. Below is a list of a few of the options. (Note: we are not affiliated with these providers.)
- Hushmail
- Email Pros
- MD OfficeMail
- Microsoft Office 365 can also be set up for HIPAA, as long as it is configured correctly and a BAA is in place.
Sources