Phishing Emails & Patient Information

How can you help minimize risk?

To allow the healthcare team to timely communicate with one another, ETSU allows us to securely send patient information when necessary via encrypted email.  

Encrypted email, however, does not protect patient information in the event our email mailbox is compromised.  If you click on a link in a phishing email or respond and provide your username and password, the “phisher” can now view your emails (encrypted or not) just as you see them.  This can result in a breach of patient information when your mailbox contains patient information.  

What can you do to minimize risk?

1. Delete! Delete emails you receive that contain patient information as soon as the task associated with the email is complete. Make sure and empty your deleted items folder as well.
   
   1. Where appropriate, copy emails that are clinically relevant into the patient’s electronic medical record before deleting.
   2. If an email that contains patient information is required to be kept for other purposes, save the email to your ETSU computer, password-encrypt it, and delete it from your email and deleted items folder.
2. Protect! Identify workflows in which you send large amounts (10 or more patients) of patient information via email and secure the list/report/etc. in a password-encrypted file and attach the file to an encrypted email.  If your email is phished, the phisher cannot view these password-encrypted attachments.
   
   1. You will still put the word encrypt in the email subject line and ensure the subject does not contain PHI.
   2. You will password-encrypt the file that contains the large amount of patient information and attach it to the encrypted email. 
      
      1. You can find instructions on how to password-encrypt a file on the ETSU HIPAA website's FAQs. 
   3. You will share the password to the file via telephone, TigerText, or other method that does not include sending the password via email. For repetitive workflows you can establish a complex password that your team will always use for that workflow so you do not have to remember multiple passwords.

You can easily identify the emails in your ETSU email that contain health information by typing the word encrypt in the Outlook search box and selecting “All Outlook Items” from the dropdown menu.  Once you have identified the items at risk, you can take appropriate action. 

Help us help others by reporting phishing emails you receive.  Simply forward the suspected phishing email to itshelp@etsu.edu.  ITS will then purge the phishing email from everyone’s mailbox so others don’t see it and click on it accidently. If you have any questions regarding patient information and phishing email, please contact the HIPAA Compliance Office by calling 423.439.8533 or emailing hipaa@etsu.edu.