Sharing data has become easier, but securely sharing that data remains elusive for many providers and attorneys. Email is ubiquitous – everyone has it, and patients and clients want to use it. You may think that HIPAA says you cannot, but you can – if you secure it.
The main goal here is to protect your client or patient data and send data securely. However you also want to protect your organization from other risks – phishing, business email compromise, reputation loss, and more.
Here’s an easy 8-step guide on how to ensure you’re sharing your client’s data safely:
1. Use Email Encryption when sending email. Software vendors like Sophos allow you to send encrypted emails simply by adding “SECURE:” at the front of the subject line. This also protects against business email compromise (BEC) which is crucial for lawyers handling sensitive information. Sending encrypted emails is the only way to meet HIPAA for sending email – you can’t send data securely without it.
2. Use MFA for all of your email accounts. Google and Office365 have it. In fact, if you don’t have it, you may have voided your cyber liability policy by not enabling it for all users. Multifactor Authentication means that if someone gets your credentials they still need the code from your phone to log in. In fact, use MFA on all of your accounts, not just email.
3. Use a filtering service before your email hits your provider. This will stop junk, spam, and malware from reaching your mailbox. If its not in your inbox, you can’t be phished or scammed.
4. Enable “external sender” policies so you know when emails are coming from outside your domain. You will see a message cautioning the email was sent from outside your organization.
5. Enable VIP protection policies so that you know if someone is pretending to be a user from a different email address.
6. Verify if any “typo” domains exist, for example an “i” when capitalized will look like a lowercase L and can be used to target your clients and patients. Go buy those domains so no one else does and then uses them against you or your clients.
Email is ubiquitous – everyone has it, and patients and clients want to use it. You may think that HIPAA says you cannot, but you can – if you secure it.
7. Audit your IT services. If you use internal staff or an outside company make sure that you audit the work. Any decent IT person should not be fearful of their work being wrong or improved by audits.
8. Do regular security and compliance training. This teaches your staff how to recognize scams, phishing attempts, and other threats. Training should include compliance requirements to ensure adherence to legal and regulatory requirements.
Andrew Renck is the owner of RootPoint, an IT services and Cybersecurity Provider located in Miami, FL. Andrew Renck is a 2003 graduate of the University of Miami with multiple degrees including Finance and Economics. While attending the University he created his computer consulting firm RootPoint. He has been providing secure systems integration long before “Cybersecurity” became a recognized term. Renck is an ethical hacker and has provided services for both offensive and defensive cybersecurity projects.
Email is ubiquitous – everyone has it, and patients and clients want to use it. You may think that HIPAA says you cannot, but you can – if you secure it.
