Technology is but one solution to e-mail security

(Editor's note: This the last in our series of articles on the risks of using e-mail in health care.)

Electronic safeguards for e-mail in health care, like sophisticated encryption systems, are one piece of the security puzzle but cannot be the entire solution, according to the experts. A risk manager must take comprehensive steps to avoid the inherent risks that come from using e-mail for private information and important medical communications.

In addition to encryption and similar protections, a health care provider must do a thorough assessment of how e-mail is actually used in the organization, says Mark Rasch, senior vice president and security counsel for Solutionary, a security consulting company in Omaha, NE. Rasch is a former Department of Justice prosecutor who helped form the cybercrime division, and he now advises health care providers on electronic security.

"You should ask how people are using e-mail, and that's more than just how they say they're using it," Rasch says. "Look at telecommuting, for instance. Are people using e-mail at home and using personal e-mail systems at home, without any safeguards, to transmit protected health information?"

Not necessary to ban some usage

Rasch points out one common myth about e-mail communication in health care: Other than the obvious, like profane or criminal content, he says it is not necessary or productive to forbid discussing certain types of information in e-mail. Even if you try to forbid communicating protected health information by e-mail, people will still do it, he says. And it can be just silly to require to people print out digitally stored documents and walk them down the street to someone else who will scan them into a digital storage system.

"The better alternative is to provide them a way to transmit the document electronically but to do it securely," Rasch says. "That's something you can enforce much more effectively than telling them not to do it at all."

Ultimately, some information must be communicated in some manner, and the alternatives are often no more secure than e-mail, Rasch says. Sometimes they are much less secure.

"The average communication transmitted by snail mail is secured with nothing more than a fifteenth of an ounce of spit on the envelope flap," he says. "There is an illusion of security with regular mail but there's no reason to think that is automatically safer than sending the information by e-mail."

Of course, that depends on exactly how you send that e-mail. The postal service promises a measure of integrity and certain safeguards to protect the mail contents, so e-mail must do the same by encrypting the message.

"As long as you take the proper security steps, you don't have to think of e-mail as any less secure than any other method of communication," he says. "The problem is most people don't add the proper security and they just use the e-mail in its most basic configuration."

Without proper safeguards, it can be very easy to make a big mistake with e-mail, says Kevin Kalinich, managing director of technology and professional risks for Aon, a Chicago-based provider of risk management services and insurance. Just ask anyone who has ever mistakenly mailed a love note to a co-worker instead of a spouse, or accidentally copied the boss on the mail venting about his incompetence.

Kalinich cites the example of a company that had a database of Prozac users and wanted to e-mail a reminder about updating their prescription information. A careless mistake caused everyone's e-mail to appear in the address line, so each recipient received the addresses of everyone else on the list.

"Someone just hit the wrong button and the addresses appeared in the cc: line," he says. "It's that easy, and health care providers have a lot to lose when mistake happens. A HIPAA violation is not mitigated when you explain that it was a simple typing error."

A burden added

HIPAA creates an added burden for health care providers that other industries may not face. Patients or others whose privacy is violated may sue, as they can in any industry, but health care risk managers must worry about the added threat from HIPAA. That should be plenty of motivation to study the issue carefully, he says.

In addition to the disclosure of protected health information, Kalinich outlines other e-mail risks:

  • Viruses, worms, and other malicious software that can be transmitted by e-mail.

Not only can the harmful bugs get into your own system, but you can pass them on to others without proper safeguards — both technological and policies, such as warning employees to never open an unknown attachment or an attachment from an unknown sender.

  • An employee may send inappropriate content through your e-mail system, such as libelous comments.

"The company can be subject to third-party liability for libel, slander, defamation, and other charges when an employee sends something offensive or something inappropriate from your hospital's e-mail system," he says. "Even if there is no legal ramification, you can suffer tremendous damage to your public reputation if inappropriate or offensive e-mail from your system is reported in the media."

Be careful when e-mailing lawyers

Rasch notes that risk managers must be especially careful when transmitting legally sensitive information by e-mail to an attorney, for instance, or someone else within the health care system. If you are discussing a malpractice case and include privileged information in the e-mail, you must be very careful that the message goes to the right person and is not intercepted along the way.

Encryption can help with that risk, but Rasch notes that the security of such sensitive e-mail can be assured only as far the recipient's inbox.

"While I can be assured that you got the e-mail, you're only one who got it, and you opened it, I have no assurance that you have any security on your own network," he says. "If I give my lawyer a file to review after an adverse outcome, I normally wouldn't worry about the lawyer protecting that paper file I sent over. But with an electronic communication, it can be trickier."

HIPAA puts the burden on the sending party to protect information transmitted electronically so Rasch says you must have written agreements on electronic safeguards with anyone you send protected health information to, and that includes your lawyers, Rasch says.

Hackers are another risk for health care providers. A hacker could get into your billing system and generate bills for fake patients and/ or procedures, and then divert the payment to his own account, Rasch says. The safeguards for that kind of intrusion are highly technical and you will have to rely on your IT folks to keep hackers at bay.

Rely on IT

But that doesn't mean you should turn over such concerns to the techies and leave it at that.

"The technology determines what you can do, but the risk manager determines what you should do," Rasch says.

Risk managers should make an effort to learn the language of electronic security and at least understand the broad issues as they relate to risk management, Rasch suggests.

"Rely on your IT people for technical support and implementation, but have enough understanding of the relevant issues to know when there is a potential problem," he says. "When someone in a meeting brings up a great new electronic way to communicate, you need to understand enough so you can speak up and say, 'Wait, there could be some security concerns.'"

Kalinich recommends that risk managers organize a regular meeting, perhaps monthly, with IT, human resources, and a physician representative. At the meeting, the parties should discuss any new developments in electronic communication (such as new ways physicians are exchanging files), whether current policies and procedures are sufficient, any technological innovations or problems, compliance, and any need for staff education.

"The communication among those areas is crucial," he says.

Kalinich says most of the risk from e-mail can be controlled with "social engineering" instead of technological changes. For instance, a good e-mail policy will set forth what is appropriate and inappropriate use of the system, including the proper way to set a password.

What's the most common password that people use for their e-mail access? It's "password."

"Even if it's a good password that people can't guess, about 10% of computer users have their passwords stuck to the monitor on a sticky note," Kalinich says. "That's the kind of thing you have to control with a good policy, and a policy that is enforced."

Common errors often made in controlling e-mail risks

Mark Rasch, senior vice president and security counsel for Solutionary, a security consulting company in Omaha, NE, offers risk managers these three common failings regarding e-mail:

  • There is no assessment of the risks. If you don't know what the risks are in your own organization, based on how your people actually use e-mail, you can't address the risks effectively. Don't assume that the risks are the same for anyone in health care.
  • You assume everyone is following the correct policies and procedures. Not likely at all. People fail to follow rules all the time, either because they just don't know the rule or they're motivated by other needs. Your policies on e-mail use are no different, so don't think a carefully crafted policy is the end of your worries.
  • Risk managers are often brought in far too late in the process. It is common in health care for e-mail use to take hold in a particular part of the organization, such as radiologists sending images to each other electronically, long before anyone thinks to consult the risk manager. Create a culture in which everyone is aware that there are significant risk management concerns with all electronic communication and that you should be consulted from the start.

Rasch says you want to avoid someone stopping you in the hall and saying "Oh by the way, we've been doing this by e-mail for six months. That's OK, isn't it?"