Cybersecurity Practice #1: Email Protection Systems

Chirosafe is pleased to provide this cybersecurity training for your office. We are an IT company specializing in innovative, industry-leading cybersecurity services for the chiropractic profession. We serve clients across the U.S. with the most progressive, HIPAA/HITECH compliant IT security and technology solutions in the healthcare industry.

According to Technical Volume 1: Cybersecurity Practices for Small Health Care Organizations, a subsection of Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP), which was the main publication of the Cybersecurity Act of 2015, Section 405(d) Task Group, “Most small practices leverage outsourced third-party email providers, rather than establishing a dedicated internal e-mail infrastructure.” These types of email service providers are not approved to store, process, or transmit protected health information (PHI). If you are using Gmail, Yahoo, AOL or any other free email service, this means you. This document summarizes Cybersecurity Practice #1: Email Protection Systems for small health care organizations such as the chiropractic office.

Your email protection practices should include safe email system configuration, education, and phishing simulation. Email system configuration refers to the capabilities and settings that should, and should not, be included within your email system. Doctor and staff education is needed to increase awareness of email-based cybersecurity threats such as phishing, ransomware, and unintentional HIPAA violations, and to build knowledge of the preventive measures that protect your practice. Phishing simulations test whether your staff actually apply those preventive measures.

Email System Configuration: Avoid free or consumer email services for your business. These services mine your data and could probably identify your entire patient list. This enables them to send your practice members advertisements from other chiropractors, pain management clinics, etc. Don’t let Google send your patients to the doc down the street.

Step one, get an email service that caters to health care. Such services provide the basic capabilities for safer email system configuration. These capabilities include giving you the option to encrypt an email before sending it, scanning emails for spam/malware/viruses, enabling multifactor authentication, flagging external emails, and housing all data on servers located in the United States. Services provided through an IT company specializing in compliance should provide these basic functions as well as automatically encrypting emails where PHI is detected, implementing a content filter that evaluates and intercepts questionable links or files, and providing a daily list of quarantined emails and a safe environment to view them.

Step two, structure the use of email in your office around best practices for email cybersecurity. Your procedures should include providing an individual email account for each person who will send or receive email on behalf of the business, treating all incoming messages as though they came from an external source, and deprovisioning or changing the password on email accounts after a staff member is no longer employed by the practice. Additionally, Cybersecurity Practice #1 instructs you to “optimize security settings within your authorized internet browser…to warn users attempting to access potentially dangerous sites.” Your IT compliance specialist should provide an ad blocker that prevents sites from stealing your data or installing software without your knowledge.

Education: Health care providers are required to establish and maintain a training program covering phishing and various phishing techniques. Your program should consist of educating yourself and your employees on what to look for and what to do/not do when sending and receiving email, to include but not be limited to the following items:

1. Check embedded links: confirm that the URL the link actually goes to matches the text of the link or the website you would logically expect.

2. Evaluate From addresses, checking for misspellings and uncommon top-level domains.

3. Be cautious with URGENT messages. Urgent items aren’t usually sent via email. These attacks are designed to make you act quickly, usually in error.

4. Step away from ‘too good to be true’ messages.

5. Consider the content of outgoing email messages and whether they contain PHI and need encryption.

6. Be aware of the various types of phishing and look out for new ones that arise in the future.

7. Never click on a link, or open an attachment, in an email you were not expecting. Even if you were expecting the message, be cautious.
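Checklist items 1 and 2 can be turned into a mechanical pre-screen. The script below is an added example, not ChiroSafe’s tooling or anything from the HICP document; the trusted-domain list, the common-TLD list and the sample From header and HTML body are constructed assumptions.

```python
import difflib
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"chirosafe.com", "microsoft.com"}  # assumption: senders this office knows
COMMON_TLDS = {"com", "org", "net", "edu", "gov", "us"}  # assumption: TLDs this office expects

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(s):
    """Hostname of a URL, or of link text that looks like a URL; None otherwise."""
    h = urlparse(s if "://" in s else "http://" + s).hostname
    return h.lower() if h and "." in h else None

def check_links(html):
    """Checklist item 1: return links whose visible text names a different host than the href."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, text) for href, text in parser.links if host(text) and host(text) != host(href)]

def check_sender(from_header):
    """Checklist item 2: reasons a From domain is suspect (imitates a trusted one, uncommon TLD)."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if not domain or domain in TRUSTED_DOMAINS:
        return []
    reasons = [f"looks like {t}" for t in sorted(TRUSTED_DOMAINS)
               if difflib.SequenceMatcher(None, domain, t).ratio() >= 0.8]
    if domain.rpartition(".")[2] not in COMMON_TLDS:
        reasons.append("uncommon top-level domain")
    return reasons

# Constructed sample: a digit-for-letter sender domain and a link whose text hides its real target.
SAMPLE_FROM = '"ChiroSafe Support" <support@chir0safe.com>'
SAMPLE_HTML = ('<p>Sign in at <a href="http://login.example-bad.net/verify">https://portal.chirosafe.com</a>'
               ' or see the <a href="https://www.microsoft.com/">Microsoft</a> notice.</p>')
```

Run `check_sender(SAMPLE_FROM)` and `check_links(SAMPLE_HTML)` to see the lookalike domain and the mismatched link reported, while the plain "Microsoft" link, whose text is not a URL, is left alone.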

Phishing Simulations: Testing staff via phishing simulations serves to reinforce their knowledge of phishing techniques and identify topics needing further education. At least quarterly, run a phishing simulation for your staff and track how many of them ‘bite’, falling for the simulated bait. This information enables you to follow up with targeted training in the areas that need it.

Action Steps for Chiropractic Offices

1. Stop using the ‘free’ email services for your practice email. Sign up for a G Suite or Microsoft 365 Business account for your domain (website URL).

2. Enable multifactor authentication for accessing your email accounts.

3. Employ a paid email service that does active/on-demand encryption for each email account/person that needs to send email on behalf of your office.

4. Set up an email safety/security education program.

5. Run phishing simulation campaigns in your office targeting staff and the doctor, at least quarterly. Track who ‘bites’ on the campaign and use it as a teaching opportunity.

If these action steps and the other practices detailed in this document sound daunting or time consuming to you, contact an IT professional who specializes in cybersecurity for chiropractors.

About the Author: Lee Frazier, an IT professional for over 30 years, is the owner of ChiroSafe LLC, an IT company specializing in HIPAA/HITECH compliance. ChiroSafe provides a suite of services to bring your IT assets into alignment with your HIPAA documentation. If you need assistance with adjusting your email setup toward compliance with these guidelines, Lee and his team can help by providing the services you need to be compliant and safe. ChiroSafe serves chiropractic offices all over the US with the most progressive set of HIPAA/HITECH compliant IT security and technology solutions in the healthcare industry. ChiroSafe offers free estimates, affordable pricing, and prompt customer support. Contact Lee at 470.567.1895 ext. 1009 or Lee@ChiroSafe.com.

WORK IS FUN, WE LOVE TO WORK

Let Us Make Your Life Easier, While We Have Fun Doing What We Do Best!

Through our experienced professional services, Chirosafe offers the chiropractic profession the most rigorous yet efficient solution for complying with HIPAA/HITECH regulations. In addition to providing full visibility into your highest risks, we provide actionable and practical plans for achieving compliance with these rules.
