
Email Security in Healthcare

By Stacey McDaniel

As with many other industries, email has become a mission-critical component for every individual and group in a healthcare organization, from those providing patient care to those overseeing the daily management of business operations. In the patient/physician setting, email is transforming communication, treatment, and care, while on the operations side millions of transactions are processed each day via email at a fraction of the time and cost associated with hard copies. However, should it become insecure or unavailable, email can actually interfere with a healthcare organization's primary mission of providing high-quality patient care.

Email security concerns

Making sure that email is both secure and available grows more complex every day. For one thing, email is becoming a de facto distribution method in the increasingly sophisticated world of viruses, phishing attacks, fraud, spyware, and blended threat techniques. Spam also continues to be a pervasive problem, resulting in lost productivity, wasted network and storage resources, and liability for organizations that are not doing what they should to deal with the problem. IDC estimates the amount of spam being sent on an average day worldwide jumped from 4 billion messages in 2001 to 17 billion in 2004. Lastly, the diverse and remote nature of most healthcare IT networks poses additional challenges for IT staff. Ensuring that the proper security technology is installed on all devices -- from desktops, to handheld computers, to remote email servers -- can be a daunting challenge.

Ensuring email security and availability

Building a flexible security and availability solution for a dynamic IT environment can pose a challenge for IT groups in healthcare organizations, but there are cost-effective ways to achieve it. First, begin with a layered approach that starts at the earliest point of entry onto the network, working through to the end user and beyond to archiving and storage systems.

  • Security: The first line of defense should be user education and awareness regarding email usage policies and best practices. For example, all users should avoid the following: replying to spam messages, using unsubscribe links, following links in suspicious emails, opening email attachments where there is no clear business relevance, and falling for virus hoaxes and phishing attempts.

Aside from user education, technology is necessary to stop email threats. The most common virus content found in email is the product of mass-mailer worms. Gateway-based antivirus scanners should be used to identify mass-mailer worms so they can be removed before causing harm. A policy that deletes any attachment with a suspect extension type, such as .scr or .pif, can also be employed. A reliable and accurate anti-spam solution that is integrated and frequently updated is also recommended.
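The attachment-deletion policy described above, sketched as an added example (it is not code from the article or from any product it refers to). The function names and the sample message are constructed for illustration, and the check goes beyond a plain extension match by also normalising case, double extensions and trailing dots.

```python
import email
from email import policy
from email.message import EmailMessage

# .scr and .pif are the article's examples; a production list would be longer (assumption).
BLOCKED_EXTENSIONS = (".scr", ".pif")

def is_blocked(filename):
    """True if the name ends in a blocked extension after normalisation."""
    # Windows drops trailing dots and spaces, so "x.pif." still opens as a .pif;
    # lower-casing catches ".SCR"; endswith() catches "invoice.pdf.scr".
    return filename.strip().rstrip(". ").lower().endswith(BLOCKED_EXTENSIONS)

def attachment_names(raw_bytes):
    """Filenames declared by any MIME part of the message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def strip_blocked_attachments(raw_bytes):
    """Replace blocked attachments with a notice; return (clean_bytes, removed_names)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    removed = []
    for part in msg.walk():
        name = part.get_filename()  # Content-Disposition filename, else Content-Type name
        if part.is_multipart() or not name or not is_blocked(name):
            continue
        removed.append(name)
        # set_content() clears the old payload and Content-* headers first.
        part.set_content(f"Attachment {name!r} was removed by gateway policy.\n")
    return msg.as_bytes(), removed

def build_sample():
    """Constructed test message: one benign and two disguised attachments."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.org", "clinic@example.org"
    msg["Subject"] = "Lab results"
    msg.set_content("See attached.\n")
    for fname in ("chart.PDF", "invoice.pdf.SCR", "setup.pif."):
        msg.add_attachment(b"constructed bytes", maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()

if __name__ == "__main__":
    clean, removed = strip_blocked_attachments(build_sample())
    print("removed:", removed)
    print("remaining:", attachment_names(clean))
```

A filename check of this kind only complements the gateway antivirus scanner, since the declared name says nothing about the file's actual content.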

  • Archiving: Email systems weren't originally designed to store the high volume of data that is typically sent and received. IT administrators are well aware of the need to store this data, and are finding a few ways to address this issue. Email archiving systems are used to store messages and information according to rules such as date and size of message as outlined in a company policy. Depending on the rules set by the policy, messages and attachments may be moved to a secondary -- and often less expensive -- storage location. Message archiving solutions allow organizations to provide users with a seemingly infinite mailbox while controlling storage usage on the primary messaging servers. Not only is archiving an efficient way to house overflow data, it is considered a best practice with regard to the privacy and security concerns of HIPAA because it offers a way to preserve protected healthcare information.
  • Build a resilient foundation: Just as important as maintaining the security and availability of email information is the need to build the email infrastructure on a resilient foundation -- one that is robust in its ability to meet growing demands, resistant to failure, and able to quickly recover when failure does occur. Storage management and clustering software are the key technologies that should be employed for building this scalable email infrastructure.

Addressing availability starts with ensuring protection of the email data using a backup and recovery solution. To minimize business disruption, backup software should offer a single management tool to consolidate all backup and recovery operations, while providing alerting, reporting, and troubleshooting technologies at the same time. It is also important that healthcare organizations take advantage of both tape and disk storage, along with advances in disk- and snapshot-based protection, off-site media management, and automated disaster recovery.

The right storage management solution will allow administrators to perform nearly all storage-related tasks without having to take storage offline. Clustering technology should be able to mirror data for redundancy and automatically move data from failing disks to healthy disks to cut downtime from unplanned events, or to quickly move an application from a failed server to a healthy server.

Conclusion

Email has become a mission-critical component for individuals and groups in healthcare organizations, and a flexible solution that ensures its security and availability is essential. Recently, the American Medical Association released its "Guidelines for Patient-Physician Electronic Mail." This document aids physicians in the appropriate use of email in the delivery of health care to their patients. Guidelines include establishing a well-documented, office-wide policy for email communication, communicating it to patients, and establishing a method for storing and retrieving messages. These guidelines represent a good start toward establishing a comprehensive email security, retention, and availability strategy.

Stacey McDaniel has been writing about high-tech issues for more than six years.

 
