It’s up to us as health care providers and administrators to do our due diligence in securing our sensitive business information and member electronic protected health information (ePHI). In addition to implementing robust security measures through the IT organization, Kaiser Permanente employees should follow the best practices described below to ensure that our email communications are appropriate and that our member’s information is kept safe.
Since the content within KP email systems and messaging functions are considered business records and can be subpoenaed (and electronically retrieved, even after you “delete” them), nothing should be included in emails or instant (IM) messages that you would not consider writing in a paper copy memo.
Never include offensive content. Offensive content includes, but is not limited to:
- sexual comments or images
- racial slurs
- any comments that would offend someone on the basis of his or her age, gender, race, sexual orientation, religious or political beliefs, national origin, or disability
Because email and messaging functions are intended for business use only, communications on these systems should be businesslike and professional in tone and content.
Employees should refrain from including PHI in subject lines of emails, calendar items, and task lists.
Make sure that information being sent meets the minimum necessary standard which states that “Except under limited circumstances, KP may only use, disclose, and request the minimum necessary PHI to accomplish the intended purpose.”
If you receive an email that looks suspicious, it may very likely be a phishing email attempt. Here are the steps to take when you receive a suspicious email:
- Do not click on any links in the email.
- In Outlook, highlight the email from your inbox, and click the “Report Spam” button in the upper right corner of your screen.
- If you do not have a “Report Spam” button, please report the email by forwarding it to email@example.com.
- You can also report the email by contacting the IT Service Desk at 888-457-4872.
For more tips on identifying phishing emails, see the phishing training in KP Learn.
Be cautious when opening attachments because of the danger of viruses.
- Never open attachments which are executable programs (file extension of .exe)
- The following attachment extension types are automatically blocked from incoming mail
.bat, .chm, .cmd, .cpl, .hlp, .hta, .inf, .com, .job, .js, .jse, .pif, .reg, .scf, .scr, .sct, .vb, .vbe, vbs, .wsc, .wsf, .wsh
Note: Files with a .exe extension will be blocked only as directed by KP IT Security during a virus outbreak. Also, the .com extension listed above is for attachments that have a .com extension (this is not when you are receiving a URL that contains .com as part of the web address).
If you believe you’ve received an email containing a virus, or your computer is affected by a virus, call the IT Service Desk at 888-457-4872 immediately.
Be cautious with email from strangers or with odd subject lines. The email may contain a virus or worm or be a phishing attempt. If you are unsure, do not open it.
Don’t click on website links in emails. If you wish to go to that site, key in the address directly on the address bar on your browser or use the bookmark if you have one for that site. Often fraudulent emails will lead you to bogus sites that spoof the real sites.
Kaiser Permanente scans every email looking for spam. Spam often contains viruses and other malicious code, and some spam does get through our filters. If you believe an email is spam, forward it to “Report Spam” with its original subject line.
- Do not open spam.
- Do not reply to spam; this only validates your email address to the spammers.
- Do not give out your email address to anyone or any website you don’t trust.
- Do not open any attachment or click on any links embedded in the email.
- In Outlook, highlight the email from your inbox, and click the “Report Spam” button in the upper right corner of your screen.
- If you do not have a “Report Spam” button, please report the email by forwarding it to firstname.lastname@example.org.
- If you believe you have received an email containing a virus, or your computer is affected by a virus, contact the IT Service Desk at 888-457-4872 immediately.
Kaiser Permanente’s Electronic Communications Policy provides guidance on auto-forwarding your KP email to an external email account. Automatic forwarding to personal email accounts is not allowed.
If there is a critical business need for you to auto-forward your KP email, please submit a TRO engagement request.
To review the Email Forwarding Policy, go to http://npl.kp.org/pl/do/public/record?rgid=900&subcatid=5002&VIEW=M&rid=112642601 and locate section 10.2.2.3, “Email Forwarding.”
Avoid forwarding business emails to personal email accounts, which are generally less secure and put our sensitive business information and member data at risk. Sending to personal email addresses allows for sensitive data to be saved to non-KP devices, which is against KP policy.
Delete unnecessary PHI before replying. Use “Reply” instead of “Reply All” unless all the original recipients need to see your message. If the recipient has already seen the attachments or has no need to see the attachments, forward or reply to emails without the attachments, to conserve space and promote better performance.
Attachments may have sensitive data embedded or hidden within a file. Check all attachments for sensitive data on hidden tabs, columns, or rows, and within graphs or tables before forwarding.
Address your mail carefully:
- It’s easy to mistakenly send your mail to a non-company mailbox with a similar name. Double-check the addressee.
- Sometimes, the email program tries to be helpful by completing the address. Be sure it has chosen the correct recipient.
If forwarding to a distribution list, make sure it is the right one.
Providers communicating with members/patients should only use secure messaging via kp.org with patients.
- If patients email, they should be redirected to kp.org.
- If not possible, as with cross-regional members, alternate secure methods should be used, such as encrypted email and voice telephony.
When you send an email or visit an internet site on your Kaiser Permanente work computer, it may seem personal and private, but it’s not.
KP has the obligation to safeguard its networks and computing resources and per company policy. That means monitoring workforce usage of email and internet. Technology makes it possible for KP to track and monitor emails being sent, what internet sites are being surfed, as well as instant text messaging.
Personal use is not allowed if the email or internet site surfed:
- interferes with the work performance of any workforce member;
- has undue impact on the operation of KP’s network or computing systems/devices, or;
- violates the Acceptable Use policy, any other KP policy, or federal or applicable state law.
Inappropriate use of networks and computing resources can expose the company to liability, including regulatory fines, lawsuits, and negative brand impact. Some examples include:
- unauthorized disclosure of protected health information (PHI)
- sending or posting questionable content that can lead to lawsuits over discrimination and harassment
- forwarding of chain letters and jokes that impact system performance, causing a slow down of the email system or having kp.org blocked as a spamming site
Not following KP policy may lead to corrective action/discipline, and possibly termination. Refer to the Acceptable Use Policy for more information.
If you think of phishing exploits and other email scams as obvious fakes put together by people who apparently can’t speak English, you may be in for a surprise. A few people at KP have been taken in by these scams as evidenced by a recent eGreeting ‘virus’ in NCAL. Here are answers to some common questions on these rapidly evolving fakes.
Q: Most spam seems so obvious, even ridiculous. This stuff couldn’t possibly work, could it?
A: Email scammers aren’t necessarily clever. But they have learned to send out millions of bogus messages and hope that just a few recipients fall for their traps. If they were sending junk mail the old-fashioned way and paying for postage, they’d go out of business. But the incremental cost of sending spam email is negligible, so from a spammer’s point of view, there’s little reason not to send more. They also realize that companies are using automated tools to screen out their emails, so they are relying more and more on social engineering to trick people into taking some action, such as clicking on a link and downloading malicious code.
Q: In today’s world, consumers are pretty savvy. How do scammers mislead them?
A: A recent, particularly successful scam started with an email that purported to be from a bank, credit card company, eGreeting card, or PayPal. It looks authentic and says, for example, that your credit card was inadvertently charged $127.83. To correct the error, you must send certain information to an email address. As you’ve probably guessed, the email actually goes to a scam artist who uses your information to buy products with your credit card or to apply for credit in your name – in other words, to steal your identity. Another ruse is the eGreeting card. You receive a message saying you have a greeting card from an old friend. Please go to this site. When you get to the site, they say their software is down, please click here to view the card on your own computer by downloading this software. Once you click on it, you have now downloaded a virus or Spyware or some other bad code. This is a case of social engineering, and automated protection cannot protect KP. We must remember not to download software from unknown sites and not to open emails from strangers.
Q: Why is this effective?
A: Nobody likes having their card charged by mistake, so many recipients click to reply before thinking about the risks. Most people want to see who that old friend is and what they have to say.
Q: How do I protect myself?
A: If you think a message from your bank, credit card company, or PayPal are legitimate, call the company’s 800 number (don’t get it from the email – that number may be bogus), ask for Customer Service, and discuss the email with them. If you are not expecting a greeting card and there is no indication of who sent it, discard the email. If a website wants you to download software, don’t do it. Be suspicious. Be cautious. Don’t fall for these tricks.
For more information, go to the Suspicious email section above.
Email has made communication easier and faster in many cases. However, there are a few serious drawbacks. Here are some tips to help protect yourself and others from the potential pitfalls of workplace email.
- Don’t send more email than you need to. If you wouldn’t stop by a colleague’s office every 10 minutes for a chat, you probably don’t want to email him or her frivolously 30 times a day.
- Don’t use “Reply to All” when “Reply” will do. Do all the other recipients need to see your response or just the sender?
- Use “Reply without Attachments.” The sender does not need the exact copy of what he/she has sent to you.
- Email does not replace a phone call or face-to-face communication. Conveying an emotion, handling a delicate situation, testing the waters – these are all better undertaken with the human voice, or, when possible, in person.
- Use appropriate formality. Email tends to be an informal medium, but that’s a trap; don’t assume instant familiarity when emailing strangers, colleagues you’ve never met, or prospects.
- Important information can be hidden in seemingly innocuous messages. Make sure your PowerPoint presentations and Excel spreadsheets do not contain hidden worksheets with member PHI.
- Email never dies. When you type a quick message, keep in mind that it becomes part of a permanent, searchable record. That means even throwaway comments about coworkers or other subjects may come back to haunt you, so watch out.
- The ease with which email can be forwarded poses a danger. To obey “netiquette,” never forward anything without permission, and forward it only to those who truly need to know the information. And to protect yourself, always assume that any email you write will be forwarded to your manager or even your CEO. That’s a good way to keep your email use appropriate!
- Take a walk before sending an angry email. “Flame” emails are so tempting, and they offer a brief moment of satisfaction. But they always come back to bite you in the … well, you know where. When struck by the urge to flame, walk away from your keyboard and cool off.
- Delete unwanted emails and Skype messages as soon as practical, especially those containing sensitive information. . Unnecessary electronic storage and traffic affect the network’s ability to provide adequate service to users.