Email Security

2014 - 2 April – Patient- and Family-Centered Care
Christine C. Toevs, MD, FCCM; Brian Toevs, PhD
Two experts review what can and cannot be sent in email per the Health Insurance Portability and Accountability Act (HIPAA).
 
Throughout 2014, Critical Connections will feature a series of articles highlighting the challenges and benefits of emerging technologies in the intensive care unit.

We have been using email for decades. It has surpassed the U.S. Postal Service as the preferred medium for sending correspondence to our professional associates, family and friends. Healthcare providers routinely use this tool for communicating patient information to colleagues and patients. What are the risks of that information getting to someone who should not have received it? What can you do to help prevent that from happening? Here are some of the questions you need answered before sending that email:
 
• What is the risk of using the various electronic devices at my disposal?
 
• I’m not in the hospital, so what are the concerns I should have?

• What can I do to mitigate the risks?
 
• What are the authorities saying about using email for protected health information?
 
This article is designed to help you protect the contents of your emails and review your options for electronic communications.
 
HIPAA and Email

Several factors should be considered as we examine the security of email messages. If you’re reading it at work on a work computer, using work-supplied software (e.g., Outlook) on a work-supplied network, then your workplace has assumed the responsibility for the protection of the messages that are sent and received. If you’re reading at home in a WiFi hotspot, using a cellular connection for your smartphone, tablet or laptop, or using some third-party email system, then it’s all on you.
 
The Health Insurance Portability and Accountability Act (HIPAA) and other federal initiatives have rules about what can be included in email correspondence. Related to email, HIPAA, The Joint Commission and other governing organizations are primarily interested in preventing electronic Protected Health Information (e-PHI) from unauthorized access and release. E-PHI is defined rather vaguely by HIPAA. Generally, it is defined as health or demographic information about an individual that can reasonably be used to identify the individual (http://www.hipaa.com/2009/09/hipaa-protected-health-information-what-does-phi-include/). “The [HIPAA] Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.” (1) HIPAA permits the inclusion of e-PHI in your email as long as no one can read the contents if they are intercepted or you accidentally put the wrong address on the email. You can send general, anonymous information about the census of the floor patients, but you are not allowed to identify any of them individually unless the contents are protected by encryption. So, it probably is not acceptable to say “the patient in bed six needs more methadone,” but it is permitted to say “there are five patients on the floor receiving narcotic withdrawal treatment.”

Encryption encodes messages so that only authorized parties can read them. This is usually accomplished by converting the message into unreadable, apparently random characters. It isn’t random, though. A very complicated algorithm is used to perform this conversion. It requires a key to return the message to the original, readable text. The encryption system is different across the various email systems. If you encrypt a message in Outlook and send it to a Gmail account, the recipient is not going to be able to read it. Encryption should not be a problem for emails sent to other hospital employees within your network. Talk to your information technology (IT) department and verify that you have encryption activated for your email account. It should then be fine for sending e-PHI to your internal colleagues across your hospital network. This also is true for the Internet browser version of your work email system at home on your personal computer. If you’re using your home computer and accessing your Outlook email through the Internet browser, it’s just like you were sitting at your desk at work. Just don’t send that email to anyone outside of your network. You can use encryption on accounts associated with other email systems, like Gmail and Microsoft 365; however, you’ll be limited to sending encrypted email to those recipients who have the same type of account or who can figure out the complicated setup for these systems. You are not allowed to include e-PHI in your Gmail or 365 account when you send it to a colleague’s hospital email address, and you’re not allowed to send e-PHI from your hospital account to a colleague’s Gmail or 365 account.
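The sending rule described above can be checked mechanically before a message leaves. The following is an added example, not part of the original article: it assumes a placeholder domain `hospital.example`, constructed sample messages, and message-level encryption (S/MIME or PGP/MIME) that is visible in the MIME headers; encryption applied by the mail server in transit would not show up here.

```python
from email import message_from_string
from email.utils import getaddresses

HOSPITAL_DOMAIN = "hospital.example"  # assumption: placeholder for your organization's domain

def external_recipients(msg):
    """Return recipient addresses whose domain is not the hospital's."""
    fields = []
    for name in ("To", "Cc", "Bcc"):
        fields += msg.get_all(name, [])
    addrs = [addr.lower() for _, addr in getaddresses(fields) if addr]
    return sorted(a for a in addrs if a.rsplit("@", 1)[-1] != HOSPITAL_DOMAIN)

def is_message_encrypted(msg):
    """True only when the MIME structure shows an encrypted body."""
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":  # PGP/MIME (RFC 3156)
        return True
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # S/MIME uses this type for signed-only mail too; only enveloped data is encrypted.
        smime_type = (msg.get_param("smime-type") or "").lower()
        return smime_type in ("enveloped-data", "authenveloped-data")
    return False

def ephi_check(raw):
    """Return (allowed, reason) for carrying e-PHI under the article's rule."""
    msg = message_from_string(raw)
    outside = external_recipients(msg)
    if outside:  # one outside address is enough to block the whole message
        return False, "external recipient: " + ", ".join(outside)
    if not is_message_encrypted(msg):
        return False, "message body is not encrypted"
    return True, "internal and encrypted"

# Constructed sample messages (headers only matter for this check).
HEAD = "From: nurse@hospital.example\nTo: Dr A <dr.a@hospital.example>\n"
SMIME = "Content-Type: application/pkcs7-mime; smime-type=%s; name=smime.p7m\n\nMIIB...\n"
ENCRYPTED_INTERNAL = HEAD + SMIME % "enveloped-data"
SIGNED_ONLY = HEAD + SMIME % "signed-data"
PLAIN_INTERNAL = HEAD + "Content-Type: text/plain\n\ncensus update\n"
CC_OUTSIDE = HEAD + "Cc: colleague@gmail.com\n" + SMIME % "enveloped-data"

if __name__ == "__main__":
    for raw in (ENCRYPTED_INTERNAL, SIGNED_ONLY, PLAIN_INTERNAL, CC_OUTSIDE):
        print(ephi_check(raw))
```

A signed-only S/MIME message is reported as not encrypted, and a single outside address on the Cc line blocks the message even when every other recipient is internal.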
 
Personal Email: Your Personal Responsibility
 
Third-party email systems consist of the big providers that we’re likely to use for our personal email correspondence, including systems from Google (Gmail), Microsoft (Exchange 365), and Yahoo (Mail). These are convenient email services that are accessible through an Internet browser from practically anywhere in the world. There are generally two versions of these systems: free and fee-based. A very important privacy distinction exists between these two versions. The free version has no implied privacy guarantee; several of the providers clearly state in their terms of service that they will mine/search the content of your emails and sell it to their customers. They are telling you flat out that your email is being examined and its content aggregated for sale to marketing firms. This is why if you have ever sent an email that said you liked a particular item, you’ve then seen ads for that item all over your browser. Fee-based versions from these same providers do not mine the content. If you want to protect your email privacy, you have to pay for it.

Even if you’re using a fee-based email system, the content is still only as secure as the rest of your system. If you’re using your personal desktop computer, tablet or laptop, you need to keep it secure from viruses and malware, programs that can scan content (not just in emails) and forward it to a third party without your knowledge. You acquire these little “gifts” by not keeping your computer up-to-date. First, if you are using Windows XP, please upgrade now. Microsoft is going to stop supporting this operating system by the time you read this. You can bet that the hackers are going to be attacking with gusto the many thousands who haven’t upgraded. Keep your operating system current. For Windows, it’s as easy as accessing the Start menu, choosing All Programs, then Windows Update. For Macs, the sequence is Apple icon, then Check for Updates. For Linux, it is Apt, then Get Update. Second, make sure you have a good, current antivirus system installed on your computer. Several free antivirus programs are great. Turn on the auto-update to keep its definitions and database current as well.
 
Are you using WiFi? If so, please check your router to verify that you’re using a strong encryption protocol. There are several excellent tutorials on the Internet for setting up your WiFi encryption.(2) The default for most routers used to be a protocol called WEP. If your router is older than a couple of years, this is probably what you have. You should be aware that even the most basic hacker can breach this in less than three minutes and within ten minutes can be downloading the contents of your hard drive from the street in front of your house. You will want to use the WPA2 option. This will make it safe to use the Outlook Web Access (OWA) version of your work email service at home. When you are at the local coffee shop, what are they using for their wireless security? Do you really think that the barista has your personal security in mind? Don’t use the free Internet anywhere. If you must use a free service, remain connected for only as long as needed, and use your antivirus scan as soon as you can after you disconnect.

What do you do if you’re travelling and want to access your email? This is a legitimate need, and fortunately there are convenient solutions. The first is your smartphone or cellular-enabled tablet computer. Cell service carriers handle email correspondence and attachments differently than SMS text messages; emails receive additional privacy protection. It is still possible to intercept cellular emails, but without malware on the device, it is very unlikely. If you want to use your laptop or non-cellular-enabled tablet, you can now purchase cellular hotspots very reasonably. These devices are specifically designed for connecting your WiFi-based device to a cell network. Now you can use your work OWA email on the road.
 
Summary and Recommendations

Email remains an excellent way to correspond, even in today’s protected HIPAA environment, as long as you are aware of the limitations and stay within the boundaries. Verify with your IT department that email encryption is activated for your account. Check your home WiFi security and verify that it is using the WPA2 security encryption protocol; this is for your network only, not for specific emails. Avoid using public WiFi hotspots whenever possible. Use your work OWA email interface when away from the office. Finally, keep the software versions current on all of your devices. Be especially sure to keep your antivirus software up to date. Unless your colleague sent that email about the patient in bed six on your encrypted work email service, it really wasn’t acceptable.  A calendar appointment with the compliance officer may soon appear in your inbox.

References:

1. U.S. Department of Health and Human Services. Health information privacy. FAQ: Does the Security Rule allow for sending electronic PHI (e-PHI) in an email or over the Internet? If so, what protections must be applied? http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2006.html. Accessed January 28, 2014.
2. Strom D. Tutorial: How to set up WPA2 on your wireless network. Computerworld, August 24, 2006. http://www.computerworld.com/s/article/9002706/Tutorial_How_to_set_up_WPA2_on_your_wireless_network_. Accessed January 28, 2014.