SMB Adoption of Secure Messaging in Healthcare Part 1: Why is the risk so high?
Today, we’re starting a three-part blog series on the rising adoption of secure messaging (i.e., email encryption) by SMBs in healthcare. It’s an important topic for many of our customers that operate private medical and dental practices. Over the three posts, we’ll examine the risk at hand, the high-profile story of a small practice that recently had to pay a large fine, and end by sharing best practices on secure messaging for SMBs. While HIPAA compliance is critical for all healthcare organizations, it may be even more imperative for small practices, because a single security incident can jeopardize their business viability. Let’s start by exploring why the risk of a security incident is so high in healthcare.
According to the recently published 2013 Identity Theft Resource Center Breach Statistics Report, healthcare-related breaches accounted for 43 percent of all breaches reported in the United States last year. That is more than the banking and finance, government and military, and education categories. In fact, healthcare has the dubious distinction of being the number one vertical by number of breaches. According to the U.S. Department of Health and Human Services, as many as 67.7 million people have been affected by healthcare breaches since 2009. That is an astounding figure.
One of the reasons protected health information (PHI) is breached so frequently is that data thieves value it highly. Healthcare IT News Contributing Editor Tom Sullivan explained in this article, “All of the evidence suggests that a healthcare record is in fact much, much more valuable than a financial record. It can be used for financial ID theft crimes, or a medical ID theft or both. It provides a dossier of personal information so bad guys can do more and better stuff like create passports, and visas, and because they have physical characteristics as well.” One of the more notorious cases of medical identity theft left an unsuspecting victim charged with over $140,000 in medical procedures. It would really suck to be that guy. Compared to a stolen credit card number, where the damage can be contained after the first fraudulent charge, a stolen medical record offers identity thieves a more diverse and larger payoff.
Step one for SMBs to improve security and HIPAA compliance is to understand the magnitude of the risk that comes with being in healthcare. You are entrusted to hold valuable patient data, which makes you a target for theft. That understanding provides the right impetus when searching for solutions to improve your ability to keep PHI safe. Bare-bones or do-it-yourself solutions are generally ill-advised because of the seriousness of the risk. Stay tuned for part two of our blog series, where we will examine the case study of a small medical practice that recently had to pay a large financial penalty following a security breach.