Oct 26 2021

How Healthcare Organizations Can Keep Active on Email Security

Healthcare providers safeguard email and protect data from social engineering attacks with a mix of cloud-based and on-premises security tools.

Though email is a ubiquitous and integral part of everyone’s workflow, it has also been a longtime point of vulnerability.

Healthcare systems in particular continue to face cyberthreats via email. In 2021, for instance, a phishing attack gave hackers unauthorized access to some employee email accounts at a California-based health system, compromising patient, employee and student data, including medical records and financial information.

It may be a back-to-basics approach, but strengthening email protections can help an organization’s overall cyber-security posture.

Healthcare systems must adopt a defense-in-depth strategy and deploy multiple email security solutions, including secure email gateways, multifactor authentication and data loss prevention (DLP) or data exfiltration prevention tools, says Michael Osterman, president of Osterman Research.

“You want to look for phishing attempts, viruses, malware and other business email compromise attempts and filter them out as much as possible,” he says.

Healthcare organizations also can’t overlook the importance of providing email security awareness training to employees. “No system is perfect. Something will eventually get through to the user, and that’s why you need good training as the last line of defense,” Osterman says.

Click the banner below to dig deeper into cybersecurity with planning guidance from CDW.

Stop Emerging Cyberthreats to Healthcare Organizations

Social engineering attacks cause a majority of data breaches, according to Verizon’s 2021 Data Breach Investigations Report, and phishing attacks that target cloud-based email are the most common of these. Threat actors use phishing attempts to lure people to click on malicious links or open infected attachments.

Since the COVID-19 pandemic’s start, 63 percent of organizations across all sectors, including healthcare, have seen an increase in phishing attacks, according to a 2021 Mimecast survey.

To protect data and guard against email-based cyberattacks, Magnolia Regional Health Center in Corinth, Miss., uses a secure email gateway to block spam, malware, phishing attacks and other threats. It also provides cybersecurity training for employees.

“Email security is a huge concern, from viruses and ransomware to protected health information and personally identifiable information being transmitted, so we have a multitiered security strategy,” says MRHC Cybersecurity Manager Bill Chelmowski.

The healthcare center’s first line of defense is a suite of Forcepoint security products that unifies email security, web content filtering and DLP capabilities.

The 200-bed regional hospital with more than a dozen clinics serving northeast Mississippi and southern Tennessee standardized on Microsoft Exchange on-premises. Its employees rely heavily on email and are constantly under attack from phishing attempts, Chelmowski says.

Bill Chelmowski

Photography By Kyle Carpenter

The IT staff implemented Forcepoint’s email security gateway in a hybrid cloud and on-premises configuration. When incoming email arrives, Forcepoint in the cloud first scans and blocks spam, viruses, malware and phishing attacks. Emails deemed safe are then sent to MRHC’s on-premises Forcepoint virtual appliance, which performs another security scan to look for issues such as spoofed email headers, he says.

As a precaution, the appliance adds an external email warning in the subject line for emails from outside the organization. “It notifies the recipient to use extreme caution when opening attachments or links,” Chelmowski says.

In addition, Forcepoint’s Secure Web Gateway tool inspects links and stops users from going to malicious sites, while Forcepoint’s DLP software checks to ensure that users do not accidentally expose sensitive information in email or on websites. “If they are on a webpage and try to enter something sensitive, it can alert them,” Chelmowski says.

An email encryption virtual appliance doubles as another DLP tool, checking outbound email for protected health information. If found, it automatically encrypts the email before sending it.

LEARN MORE: Why is layered security essential to healthcare systems' incident response planning?

If malicious emails somehow get through the Forcepoint technology, MRHC’s traditional on-premises security tools, such as firewalls and anti-virus desktop software, defend against threats. A security information and event management tool also aggregates logs from network and security devices to look for malicious activity.

“We try to limit the threat landscape as much as we can,” Chelmowski says.

Healthcare Cybersecurity Defense in Depth

The reliance on digital communication has grown during the pandemic for the Moffitt Cancer Center in Tampa, Fla., a 7,500-employee nonprofit with five core clinical locations and a cancer research facility. Securing email is a top priority, says Cybersecurity Operations Manager Hugh Percy.

The organization scans emails three times before they reach users: with the cloud-based Mimecast Secure Email Gateway, a next-generation firewall with an intrusion detection and prevention system, and an advanced endpoint detection and response tool, which guards user devices from malware, ransomware and other exploits.

Moffitt also runs its own threat ana­lysis center, where six cybersecurity professionals do around-the-clock threat hunting. “We believe strongly in defense in depth,” Percy says.

The cancer center uses a hybrid Microsoft 365 cloud email and Exchange system approach, allowing medical care teams and staff to send and receive emails and to receive alerts from internal medical endpoints while maintaining strict adherence to security principles and policies to ensure message hygiene, says Moffitt Senior Solutions Architect Doug Blankenship.

The key tool for protecting email is Mimecast, which blocks spam, malware and phishing, he says. The cloud service performs threat scanning based on policies set by the IT staff, such as blocking emails on blacklists or malformed message lists.

Mimecast also blocks users from ­visiting malicious websites and always monitors for new global threats. When it discovers new zero-day threats, it updates its technology with the latest security protections, Blankenship adds. “A lot of the threats are stopped at the gateway and never make it into our environment,” he says.

GET THE WHITE PAPER: Find out how to establish an effective incident response program.

Always Room for Improvement in Cybersecurity

Healthcare systems must continually strengthen their email security with the latest tools and user education, says Michael Gaskin, CIO of Camarena Health in Madera County, Calif.

After seven years of using the same email security protection and DLP software, Gaskin says, he began evaluating solutions last year.

In February 2021, he switched to Mimecast Secure Email Gateway in the cloud because he says it has more features and provides better security for the organization’s 500 employees across 17 clinics in Northern California.

When Mimecast creates new ­protections for recently discovered zero-day attacks, Gaskin says he can tell the cloud service to delete all the emails that previously made it through with the exploit attached. It also has a DLP feature that automatically encrypts emails with sensitive data, he says.

Gaskin says Camarena Health, which has standardized on Microsoft Exchange email on-premises, recently began using Mimecast CyberGraph. The service uses artificial intelligence to eliminate trackers embedded in emails and to better learn the connections between senders and recipients to determine potential threats, he says. CyberGraph also color-codes messages as alerts for risky emails.

Include Training in Your Email Security Program

Email security awareness training is also a critical part of defense. Systems have to defend every endpoint, which means thousands of devices, but hackers need to infiltrate only one of them, Osterman says.

“Education is key. One user clicking on the wrong email can circumvent the best technical controls that are available,” Chelmowski says. “We educate users to be extremely cautious opening any attachments or links from external emails.”

MRHC trains employees both when they are hired and annually. The IT staff also sends alerts and periodic newsletters about cybersecurity best practices and runs monthly phishing tests on users.

Similarly, Moffitt trains new employees and regularly sends articles about current breaches and data on recent hacking attempts against the organization.

Camarena Health provides regular training and hires an outside consultant to test users. Gaskin knows the training is working because employees regularly ask him if the emails they received are legitimate.

“Because of the education we’ve done, users have taken it upon themselves to call or email me asking, ‘How about this email?’” Gaskin adds. “It’s reassuring they are taking it seriously.”

Intpro/Getty Images