Health systems are fighting back against the onslaught of email data breaches

The news: More than half of US healthcare providers say they’ve had a patient refuse to complete a telehealth appointment because of concerns about data security and privacy, according to a survey by cybersecurity firm Kaspersky of 389 healthcare leaders across 34 countries.

How we got here: Healthcare organizations across the US reported a record number of data breaches—likely due to a lack of cybersecurity preparedness amid last year’s telehealth boom.

This year, 578 healthcare organizations reported that nearly 42 million individuals were affected by data breaches, per HHS data.

  • For example, a data breach at Tallahassee-based Florida Healthy Kids Corp. affected 3.5 million individuals.
  • And a breach of University Medical Center of Southern Nevada’s systems put over 1.3 million patients’ data at risk.

But the uptick of healthcare data breaches isn’t surprising, considering many organizations lack the necessary armor:

  • Only 32% of healthcare organizations have a comprehensive security program, including newer practices such as quarterly security progress reports and semi-annual security updates, per a 2021 CHIME survey.

What’s next? While patients are concerned about the security of digital health tech, most healthcare organizations’ data breaches originate internally—not on the tech platforms used to deliver virtual care.

  • Most healthcare data breaches now trace back to employees opening phishing emails.
  • In 2012, only 4% of healthcare data breaches involved email, but this figure jumped to a staggering 42% in 2021 per HHS data.
  • That’s likely because attackers impersonate the login portals employees use every day: about 73% of phishing sites impersonate Microsoft product pages (which many health systems rely on), per new Atlas VPN data.

Major health systems are slowing down phishing email attacks by deploying new software, combined with more employee training:

  • For example, this year Northwell Health deployed tooling that scans a URL at the moment it is clicked in an email, so the health system can decide whether to block the link before the employee reaches the destination.
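The click-time URL check described above, as an added example (this is not Northwell’s or any vendor’s code): links in a delivered message are rewritten to point at a signed redirector, and the original destination is evaluated only when a user clicks, here against a constructed block list plus a heuristic for hosts that borrow Microsoft branding without being Microsoft-owned, the kind of lookalike the Atlas VPN figure describes. The redirector address, signing key, block list and sample message are assumptions made up for the demo.

```python
"""Click-time (time-of-click) URL protection sketch.

Delivery-time scanning misses links that are armed after the message lands;
rewriting each link to a redirector lets the organization evaluate the real
destination at the moment of the click and block it if it now looks bad.
"""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Assumptions for the demo: a redirector host and signing key of our own.
# In production the key is a managed secret; the redirector is the mail gateway.
REDIRECTOR = "https://links.example-health.org/click"
SIGNING_KEY = b"example-key-rotate-in-production"

# Constructed block list; a real deployment queries a reputation service at click time.
KNOWN_BAD_HOSTS = {"login-micros0ft-verify.com"}

# Domains Microsoft actually uses for sign-in and product pages; anything else that
# mentions a Microsoft brand is treated as a lookalike.
MICROSOFT_SUFFIXES = ("microsoft.com", "microsoftonline.com", "office.com",
                      "live.com", "outlook.com", "sharepoint.com")
BRAND_TOKENS = ("microsoft", "micros0ft", "office365", "onedrive", "sharepoint", "outlook")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
TRAILING_PUNCT = ".,;:!?)"

# Constructed sample message body (not a real email).
SAMPLE_BODY = ("Reset your password at https://login-micros0ft-verify.com/auth?u=1. "
               "Docs: https://learn.microsoft.com/")


def sign(url: str) -> str:
    """HMAC over the original URL so users cannot forge redirector links."""
    return hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).hexdigest()


def make_click_link(original: str) -> str:
    """Wrap a destination URL in a signed redirector link."""
    return f"{REDIRECTOR}?{urlencode({'u': original, 'sig': sign(original)})}"


def rewrite_links(body: str) -> str:
    """Replace every http(s) URL in a message body with its redirector link.

    Trailing sentence punctuation is kept outside the wrapped URL.
    """
    def repl(match: re.Match) -> str:
        raw = match.group(0)
        url = raw.rstrip(TRAILING_PUNCT)
        return make_click_link(url) + raw[len(url):]
    return URL_RE.sub(repl, body)


def looks_like_microsoft_lookalike(host: str) -> bool:
    """True for hosts that carry a Microsoft brand token but are not Microsoft-owned."""
    host = host.lower()
    if any(host == s or host.endswith("." + s) for s in MICROSOFT_SUFFIXES):
        return False
    squashed = host.replace("-", "")  # "microsoft-login" -> "microsoftlogin"
    return any(tok in squashed for tok in BRAND_TOKENS)


def decide_on_click(click_url: str) -> tuple:
    """Evaluate a clicked redirector link. Returns (verdict, original_url).

    Verdict is "allow" or "block"; a tampered or forged link is blocked with no
    destination, since we cannot trust the embedded URL.
    """
    params = parse_qs(urlparse(click_url).query)
    original = params.get("u", [""])[0]
    sig = params.get("sig", [""])[0]
    if not original or not hmac.compare_digest(sig, sign(original)):
        return ("block", "")
    host = urlparse(original).hostname or ""
    if host in KNOWN_BAD_HOSTS or looks_like_microsoft_lookalike(host):
        return ("block", original)
    return ("allow", original)


if __name__ == "__main__":
    rewritten = rewrite_links(SAMPLE_BODY)
    print(rewritten)
    for url in URL_RE.findall(rewritten):
        print(decide_on_click(url.rstrip(TRAILING_PUNCT)))
```

The point of the HMAC is that the redirector only resolves links the gateway itself produced; without it, the redirector becomes an open redirect that attackers would happily use to make their own links look like they came through the organization's scanner.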
