Healthcare, Compliance, and Email Security

Email, without question, is the most efficient way to communicate information quickly and accurately. However, transmitting confidential patient data electronically is, by no means, risk-free. With government regulations placing added pressure on the healthcare industry to maintain the security and privacy of patient records, email security has become a necessary part of any healthcare organization’s network security strategy.

What do HIPAA and HITECH say about email security?

Interestingly, neither HIPAA (Health Insurance Portability and Accountability Act) nor HITECH (Health Information Technology for Economic and Clinical Health Act) specifically discuss email security requirements; rather, they focus on the overall protection of PHI (Protected Health Information).

Under HIPAA’s Privacy Rule, healthcare providers can send PHI electronically; however, they must implement “reasonable safeguards” to protect PHI against intentional or unintentional disclosure [45 C.F.R. § 164.530(c)], i.e. ensuring confidential data is kept secure during transit and verifying that it was delivered to the intended recipient. Should either party fail to do so, both the provider and the employee involved can be found liable. [Under the Privacy Rule, the individual (client/patient) has the option of deciding whether or not they would like to receive their PHI electronically.]

HITECH extends HIPAA’s Privacy Rule to business associates, including subcontractors. For example, if a healthcare provider uses a third party for email, said third party would be considered a “business associate” and is, thereby, deemed responsible for the safeguarding of patients’ PHI as well.

Email Security Beyond Compliance

Vague wording when it comes to regulations has its pros and cons. While it does allow flexibility in cybersecurity deployment, it can also result in organizations doing the bare minimum to meet those requirements. Based on today’s dynamic threat landscape, it is imperative to look at email security beyond mere compliance.

Rather than attempting to decipher what would constitute a “reasonable safeguard,” let us first do a quick review of the current state of email security. According to Verizon’s 2018 Data Breach Investigations Report, 92% of malware is still delivered via email, and a HIMSS Analytics survey of healthcare CIOs found that emails were the “most common source of data breaches.” Earlier this year, a series of phishing attacks on UnityPoint Health in Des Moines, IA compromised approximately 1.4 million patient records.

With the understanding that being compliant does not necessarily equate to being secure (and that being secure sets the foundation for compliance), what features should you look for in an email security solution?


Right off the bat, comparing email security solutions can seem daunting. Each vendor uses different terms and techniques to describe their respective solutions. Nonetheless, when dissected, an enterprise-class email security solution should ideally include these features:

  •   Anti-malware and anti-spam with zero-day protection
  •   Email and web policy enforcement
  •   Inbound and outbound email scanning and filtering
  •   Data Leakage Prevention (DLP)
  •   DDoS and Directory Harvest Attack Protection
  •   Protection for Encrypted Protocols (SMTPS, STARTTLS)
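To make the “outbound scanning and filtering” and “Data Leakage Prevention” items concrete, here is a small outbound policy check written for this article; it is an added illustration, not code from the original post or from any vendor’s product. It assumes a hypothetical organisation domain `clinic.example`, treats an SSN-shaped number, an `MRN-` prefixed identifier and a few clinical keywords as PHI indicators (all constructed for the example), and maps each message to one of three actions: allow, encrypt, or block for human review. The sample messages are constructed as well.

```python
"""Minimal outbound DLP policy check for PHI in email (illustrative only).

Added example; not the article's or any vendor's code. Assumptions
(constructed): the organisation's domain is 'clinic.example', the patterns
below stand in for a real PHI dictionary, and delivery is handled elsewhere.
"""
import re
from email import message_from_string
from email.message import Message

INTERNAL_DOMAIN = "clinic.example"  # assumed organisation domain

# Indicator patterns (constructed; real DLP engines use far richer dictionaries).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),           # direct identifier
    "mrn": re.compile(r"\bMRN-\d{6,}\b"),                   # hypothetical record id
    "diagnosis_keyword": re.compile(r"\b(?:diagnos(?:is|ed)|prescription|lab result)\b", re.I),
}


def recipients(msg: Message) -> list[str]:
    """Collect all To/Cc/Bcc addresses, lower-cased, without display names."""
    addrs = []
    for header in ("To", "Cc", "Bcc"):
        for part in (msg.get(header) or "").split(","):
            part = part.strip()
            if part:
                m = re.search(r"<([^>]+)>", part)
                addrs.append((m.group(1) if m else part).lower())
    return addrs


def body_text(msg: Message) -> str:
    """Return the concatenated text/plain parts (attachments are not inspected here)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for p in parts:
        if p.get_content_type() == "text/plain":
            raw = p.get_payload(decode=True) or b""
            chunks.append(raw.decode(p.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phi_indicators(msg: Message) -> dict[str, int]:
    """Count PHI indicator matches in the subject and text body."""
    text = (msg.get("Subject") or "") + "\n" + body_text(msg)
    hits = {name: len(pat.findall(text)) for name, pat in PHI_PATTERNS.items()}
    return {k: v for k, v in hits.items() if v}


def policy_decision(raw_message: str) -> tuple[str, dict[str, int]]:
    """Decide allow / encrypt / block for one outbound message.

    no PHI indicators                       -> allow
    PHI, every recipient internal           -> allow (never leaves the organisation)
    PHI + external recipient                -> encrypt (enforce protected delivery)
    SSN + external recipient                -> block (hold for human review)
    """
    msg = message_from_string(raw_message)
    hits = phi_indicators(msg)
    if not hits:
        return "allow", hits
    external = [r for r in recipients(msg) if not r.endswith("@" + INTERNAL_DOMAIN)]
    if not external:
        return "allow", hits
    if "ssn" in hits:
        return "block", hits
    return "encrypt", hits


# Constructed sample messages for a quick self-check.
SAMPLE_INTERNAL = """\
From: nurse@clinic.example
To: Dr Smith <doctor@clinic.example>
Subject: Lab result for MRN-123456

Patient MRN-123456 lab result attached for review.
"""

SAMPLE_REFERRAL = """\
From: doctor@clinic.example
To: specialist@partner-hospital.example
Cc: doctor@clinic.example
Subject: Referral

Referring MRN-987654 for a second opinion on the diagnosis.
"""

SAMPLE_STATEMENT = """\
From: billing@clinic.example
To: patient@mail.example
Subject: Your statement

Your account SSN on file ends 123-45-6789. Please confirm.
"""

if __name__ == "__main__":
    for name, sample in (("internal", SAMPLE_INTERNAL), ("referral", SAMPLE_REFERRAL),
                         ("statement", SAMPLE_STATEMENT)):
        print(name, policy_decision(sample))
```

The point of the three-way outcome is the one the article makes: a filter that only blocks or only allows is either unusable for clinicians or leaks PHI, so an “encrypt” path that forces protected delivery for legitimate external messages is what turns a scanner into a safeguard. In a real deployment the pattern set, the internal-domain list and the attachment handling would all come from the organisation’s policy, not from constants.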

Similar to network security offerings, an effective email security solution needs to be automatically updated, in true real-time, to ensure up-to-the-minute threat protection. IT security experts continue to talk about the rapid rate of threat generation and the challenging task of staying ahead in such an environment. An email security solution, most notably anti-spam and anti-malware engines, that is not updated in true real-time is essentially useless.

While HIPAA and HITECH standards apply to electronic communications, neither standard outlines specifically what is required for an email security solution to be classified as complete. This places the responsibility on healthcare providers to evaluate comprehensive, multilayered solutions that provide the best, most up-to-date protection. Fortunately, there are a host of solutions available on the market with varying levels of email security.

Needless to say, a true email security blueprint must be supplemented with ongoing education, policy development, best practices and diligent enforcement in order to be fully robust.