Healthcare Industry: It’s Time for New Email Security Policies
The U.S. healthcare industry is the latest victim in a series of massive cyber-attacks. Most recently, Premera Blue Cross, a not-for-profit insurance provider, was hit by a cyber-attack that reportedly exposed the medical and financial information of 11 million members. Last month, Anthem, the nation’s second-largest health insurer, was the target of one of the biggest data breaches ever reported, with cyber-attackers gaining access to the medical records, Social Security numbers, income data and home addresses of as many as 80 million members.
This string of targeted data breaches proves that no industry is safe from the attention of cyber criminals. And now, more than ever, email security should be top-of-mind for all organizations.
The healthcare industry, in particular, has a unique set of challenges to consider when it comes to IT infrastructure – specifically, email security. Budget is a known hurdle, as most healthcare organizations have allocated the majority of their IT dollars to improving systems to manage electronic patient records and systems to meet Health Insurance Portability and Accountability Act (HIPAA) compliance.
The focus and spending on systems to support HIPAA compliance, coupled with little to no IT resources, mean data security often isn’t prioritized. The economics of this decision are changing. The Target breach settlement of $10 million, in response to a class-action suit, will likely open the doors for similar class-action suits against other major organizations with large-scale breaches.
It is important to remember that healthcare information is one of the most personal and sensitive types of data – people care deeply about who can access it. There is a high expectation that healthcare data is protected, and that expectation is often higher than in other industries.
Today’s sophisticated attacks combine social engineering and spear-phishing to penetrate organizations’ networks and steal critical data. Most of the major data breaches that have occurred over the past year have been initiated by this type of threat. The only defense against this level of attack is a layered approach to security. Email security solutions that might have been adequate several years ago often lack features to protect against these spear-phishing attacks.
With these easy steps, email security no longer has to be costly or complex for the healthcare industry. Make sure you have:
- Broad Spectrum Email Security: Malware protection needs to go beyond email attachments and include the destination of any link embedded in the email. Effective spear-phishing protection needs to happen at the time of the user click to ensure that malicious sites are identified based on the browser platform being used.
- Transport-level Encryption: Emails should be encrypted during transmission between email servers to provide protection from interception.
- Secure Webmail: The most secure approach is some form of secure webmail delivery, in which the message is stopped at the gateway. The recipient of the email gets a delivery notification with a link that is used to access the original email. Secure webmail delivery solutions typically require a password to access the email, which adds another layer of security to message access, giving worried doctors peace of mind. Ideally, the solution will also track recipient access.
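
One way to verify the transport-level encryption item above on mail you have already received, as an added example that is not from the original article: each server records the protocol it used in a `Received` header, and the registered keywords ending in `S` or `SA` (RFC 3848) mean the hop ran over TLS. The message and hostnames below are constructed for illustration.

```python
import re
from email import message_from_string

# "with" keywords from the IANA mail transmission types registry that imply TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

# Constructed sample: an internal hop in plaintext, then a TLS hop to the recipient.
SAMPLE = """\
Received: from gw.clinic.example (gw.clinic.example [192.0.2.10])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
\tby mx.insurer.example (Postfix) with ESMTPS id 4F1A2B3C
\tfor <claims@insurer.example>; Mon, 23 Mar 2015 10:02:11 -0400 (EDT)
Received: from scanner.clinic.example (scanner.clinic.example [192.0.2.20])
\tby gw.clinic.example (Postfix) with ESMTP id 9D8E7F6A
\tfor <claims@insurer.example>; Mon, 23 Mar 2015 10:02:09 -0400 (EDT)
From: records@clinic.example
To: claims@insurer.example
Subject: constructed sample

body
"""

def strip_comments(value):
    """Remove (possibly nested) parenthesised comments, e.g. 'with cipher' notes."""
    previous = None
    while previous != value:
        previous, value = value, re.sub(r"\([^()]*\)", " ", value)
    return value

def audit_hops(raw_message):
    """Return one record per Received header, oldest hop first."""
    hops = []
    msg = message_from_string(raw_message)
    for header in reversed(msg.get_all("Received", [])):
        trace = strip_comments(" ".join(header.split())).split(";")[0]
        pairs = re.findall(r"\b(from|by|with)\s+(\S+)", trace, re.I)
        fields = {key.lower(): value for key, value in pairs}
        proto = fields.get("with", "").upper()
        hops.append({"from": fields.get("from"), "by": fields.get("by"),
                     "with": proto or None, "tls": proto in TLS_PROTOCOLS})
    return hops

def plaintext_hops(raw_message):
    """Hops whose receiving server did not record a TLS-protected protocol."""
    return [hop for hop in audit_hops(raw_message) if not hop["tls"]]

if __name__ == "__main__":
    for hop in audit_hops(SAMPLE):
        print(hop)
```

Only the `Received` headers stamped by servers you control are reliable; earlier ones are supplied by the sending side and can be forged.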