Cybercriminals use email as a gateway for data breaches. This is not old news. New cyberattacks happen almost daily across all industries.
The bad news is, the speed of innovation in email threats has skyrocketed in the last year. If you don’t already know that 91 percent of breaches are due to phishing attacks, you at least shouldn’t be surprised to learn this statistic. What may shock you is that there has been a 270 percent increase in social-engineering-based whaling attacks since January 2015.
The healthcare industry, in particular, has been a ripe target for cybercriminals seeking to obtain massive amounts of personal, private patient data. Why the focus on healthcare? IT staff at healthcare organizations are often over-burdened and dealing with tight budgets and limited resources. While many IT teams have looked to cloud services to solve these issues and increase their capabilities, many have been unable to make the move due to concerns over their ability to adopt cloud security solutions in a regulated environment.
Mimecast can address these concerns and ease the fear that stops many healthcare organizations from moving to the cloud. We have recently passed the Health Insurance Portability and Accountability Act (HIPAA) Security Compliance Assessment. This third-party assessment verifies the safeguards in place to protect health information within Mimecast’s software and facilities.
Now, healthcare organizations can take advantage of the benefits of cloud services without worrying about violating stringent rules, policies and regulations. And, most importantly, they can effectively protect patient data from email-based threats like whaling, spear-phishing and ransomware.
Here are three healthful tips to help healthcare organizations have it all when it comes to the cloud: security, compliance, efficiency and a positive patient experience:
- Update your email security: Traditional malware scanning and spam management are not enough. Organizations will invariably have a breach if they are not protecting themselves against the latest generation of email-based threats.
- Transport-level encryption: Emails should be encrypted during transmission between email servers to provide protection from interception.
- Message-level encryption: Because issues can arise with the servers themselves, message-level encryption can be used to protect content on the remote email server.
- Secure webmail: The most secure approach is some form of secure webmail delivery, in which the message is stopped at the gateway. The recipient of the email gets a delivery notification with a link that is used to access the original email. Secure webmail delivery solutions typically require a password to access the email, which adds another layer of security to message access, giving worried doctors peace of mind. Ideally, the solution will also track recipient access. Use transport-level encryption for access to the Web server.
Read our Healthcare Security Checklist to learn more.
The U.S. healthcare industry is the latest victim in a series of massive cyber-attacks. Most recently, Premera Blue Cross, a not-for-profit insurance provider, underwent a cyber-hack that reportedly exposed the medical and financial information of 11 million members. Last month, Anthem, the nation’s second-largest health insurer, was the target of one of the biggest data breaches ever reported, with cyber-attackers gaining access to the medical records, social security numbers, income data and home addresses of as many as 80 million members.
This string of targeted data breaches proves that no industry is safe from the attention of cyber criminals. And now, more than ever, email security should be top-of-mind for all organizations.
The healthcare industry, in particular, has a unique set of challenges to consider when it comes to IT infrastructure – specifically, email security. Budget is a known hurdle, as most healthcare organizations have allocated the majority of their IT dollars to improving systems to manage electronic patient records and systems to meet Health Insurance Portability and Accountability Act (HIPAA) compliance.
The focus and spend on systems to support HIPAA compliance, coupled with little-to-no IT resources, means data security often isn’t prioritized. The economics of this decision are changing. The Target breach settlement of $10 million, in response to a class action suit, will likely open the doors for similar class action suits against other major organizations with large-scale breaches.
It is important to remember that healthcare information is one of the most personal and sensitive types of data – people care deeply about who can access this. There is a high expectation that healthcare data is protected, and this expectation is often held to a higher standard when compared to other industries.
Today’s sophisticated attacks combine social engineering and spear-phishing to penetrate organizations’ networks and steal critical data. Most of the major data breaches that have occurred over the past year have been initiated by this type of threat. The only defense against this level of attack is a layered approach to security. Email security solutions that might have been adequate several years ago often lack features to protect against these spear-phishing attacks.
By following these easy steps, email security no longer has to be costly or complex for the healthcare industry. Make sure you have:
- Broad Spectrum Email Security: Malware protection needs to go beyond email attachments and include the destination of any embedded email. Effective spear phishing protection needs to happen at the time of the user click to ensure that malicious sites are identified based on the browser platform being used.
- Transport-level Encryption: Emails should be encrypted during transmission between email servers to provide protection from interception.
- Secure Webmail: The most secure approach is some form of secure webmail delivery, in which the message is stopped at the gateway. The recipient of the email gets a delivery notification with a link that is used to access the original email. Secure webmail delivery solutions typically require a password to access the email, which adds another layer of security to message access, giving worried doctors peace of mind. Ideally, the solution will also track recipient access.
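The hold-and-notify flow described in the secure webmail items above (both this list and the earlier one), as an added illustration that is not Mimecast's product code: the gateway keeps the body, sends only a link, releases the content on a correct password before the link expires, and records every access attempt. The URL, the PBKDF2 parameters and the link lifetime are assumptions.

```python
"""Toy secure-webmail delivery gateway (constructed example, not Mimecast code)."""
import hashlib
import hmac
import secrets
import time

ITERATIONS = 100_000  # PBKDF2 work factor (assumed; tune for your hardware)


class SecureWebmailGateway:
    def __init__(self, link_ttl_seconds=7 * 24 * 3600):
        self._held = {}         # token -> held message record
        self._access_log = []   # (token, timestamp, outcome) tuples
        self._ttl = link_ttl_seconds

    def hold(self, recipient, body, password, now=None):
        """Stop the message at the gateway; return only the notification text."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)       # opaque, unguessable link id
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        self._held[token] = {"to": recipient, "body": body, "salt": salt,
                             "digest": digest, "expires": now + self._ttl}
        # The recipient's mailbox only ever sees this link, never the body.
        return f"A secure message is waiting: https://webmail.example/m/{token}"

    def retrieve(self, token, password, now=None):
        """Release the body only for a known, unexpired token plus the right password."""
        now = time.time() if now is None else now
        rec = self._held.get(token)
        if rec is None or now > rec["expires"]:
            self._access_log.append((token, now, "denied:unknown-or-expired"))
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
        if not hmac.compare_digest(candidate, rec["digest"]):
            self._access_log.append((token, now, "denied:bad-password"))
            return None
        self._access_log.append((token, now, "granted"))
        return rec["body"]

    def access_log(self):
        """Recipient-access audit trail, which the text says a good solution should keep."""
        return list(self._access_log)
```

In a real deployment the link would be served only over TLS, as the earlier list notes, and the audit trail would go to a durable log rather than memory.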
I recently attended the Midmarket CIO Forum in Tucson, AZ, a three-day event for IT executives and solution providers. CIOs attending the event were asked to pick a Vendor Excellence award-winner within six categories, based on strategy and innovation. We’re pleased to announce that Mimecast was honored in the “Best Midmarket Solution – Service” category, recognized as an established service that has been exemplary in specifically meeting the needs of the midmarket.
The award ceremony took place on the third night of the Forum, following a few days of networking and boardroom sessions. I led one session titled, “The Future of Email – On Premises, Hybrid or Cloud?” in which I spoke about how organizations can remove the risk, complexity and cost of their email environment. IT managers are tasked with providing uninterrupted, ubiquitous email access to all employees amid the growing threat of malicious attacks like spear phishing, as well as downtime and data leaks.
As I noted in my session, and Vendor Excellence award voters recognized, this makes it necessary for organizations to have a solution, like Mimecast’s Unified Email Management (UEM), that extends their email platform’s core capabilities. For an organization with Microsoft Office 365, for example, Mimecast helps to enhance the solution’s key benefits, while mitigating the risk of the organization being reliant on a single cloud provider. With the strength of Mimecast’s targeted set of solutions, like broad spectrum email security and journal archiving, alongside Microsoft, organizations ensure the constant availability of their email with a business continuity plan in the cloud.
We’re proud to have received this recognition from Midmarket CIO Forum and feel it validates not only our technology but our desire to support mid-market organizations around the world move to the cloud and improve the protection of their critical data and email. If you’d like to learn how organizations have worked with Mimecast to support their primary email environment, I invite you to check out these case studies.
The 2014 Atlantic Hurricane season is in full swing through November, putting your organization – and mission-critical systems, like email – at sudden risk of exposure to tropical storms, floods and fires.
Ask yourself: When was the last time you tested your business continuity plan? If the answer is one year or longer, you risk significant network downtime, data leakage and financial loss. According to Gartner, depending on your industry, network downtime can typically cost $5,600 per minute or more than $300,000 per hour, on average. Don't wait for disaster to strike. Treat email like the critical system it is, and avoid making these six mistakes that could jeopardize business continuity – and your job.
- Not testing your continuity solution. You've devised and implemented what you believe to be a solid continuity solution, but you've not given it a production test. Instead, you cross your fingers and hope when (and if) the time comes, the solution works as planned. There are two major problems with not testing your plan from the start. First, things get dusty over time. It's possible the technology no longer works, or worse, maybe it was not properly configured in the first place. Plus, you might not be regularly backing up critical systems. Without testing the solution, you'll learn the hard way that data is not being entirely backed up when you perform the restore. Second, when it comes to planning, you need a clear chain of command, should disaster strike. If your network goes down, you need to know who to call, immediately. Performing testing once simply is not enough. You need to test your solution once a year, at a minimum. Depending on the tolerance of your business, you'll likely have to test more frequently, like quarterly or even monthly.
- Forgetting to test fail back. Testing the failover capabilities of your continuity solution is only half the job. Are you prepared for downtime that could last hours, days or even weeks? The ability to go from the primary data center to the secondary one – then reverting back – is critical, and this needs to be tested. You need to know that data can be restored into normal systems after downtime.
- Assuming you can easily engage the continuity solution. It's common to plan for “normal” disasters like power outages and hardware failure. But in the event of something more severe, like a flood or fire, you need to know how difficult it is to trigger a failover. Also, you need to know where you need to be. For example, can you trigger the failover from your office or data center? It's critical to know where the necessary tools are located and how long it'll take you or your team to locate them. Physical access is critical. Distribute tools to multiple data centers, as well as your local environment.
- Excluding policy enforcement. When an outage occurs, you must still account for regulatory and policy-based requirements that impact email communications. This includes archiving, continuity and security policies. Otherwise, you risk non-compliance.
- Trusting agreed RTO and RPO. In reality, you've got to balance risk and budget. When an outage happens, will the email downtime agreed upon by the business really stick? In other words, will the CEO really be able to tolerate no access to email for two hours? And will it be acceptable for customers to be out of touch with you for one day? The cost associated with RTO and RPO could cause a gap in data restore. If you budget for a two-day email restore, be prepared that during an outage, this realistically means two days without email for the entire organization. As part of your testing methodology, you may discover that you need more or less time to back up and restore data. It's possible that, as a result, you may need to implement more resilient technology – like moving from risky tape backup to more scalable and accessible cloud storage.
- Neglecting to include cloud services. Even when you implement cloud technologies to deliver key services, such as email, you still have the responsibility of planning for disruptions. Your cloud vendor will include disaster recovery planning on their end to provide reliable services, but mishaps – and disasters – still happen. Mitigate this risk by stacking multi-vendor solutions wherever possible to ensure redundancy, especially for services like high availability gateways in front of cloud-based email services, or cloud backups of key data.
With the proper testing and upfront business continuity preparation, you can significantly reduce – or even prevent – email downtime, data leakage and financial loss after disaster strikes.