As complexity increases, so does the probability that not all e-mail containing PHI will be encrypted. Doctors, who are always pressed for time, may not take the extra few minutes required to encrypt an e-mail. The clerk handling outbound messages for a nurse may not understand which information requires encryption and which does not. Furthermore, many healthcare administration workers have not been trained to identify PHI and handle it properly.
The uncertainties and potential liabilities have led some organizations to go so far as to prohibit all PHI in e-mail. Instead of solving the problem, however, these decisions generally force employees to find alternative, and usually insecure, methods of transmitting PHI in order to accomplish their jobs. This leaves organizations vulnerable to lawsuits based, at best, on non-compliance with HIPAA and, at worst, on exposed PHI. The liability is tremendous, leading many insurance providers to be extremely hesitant to provide coverage in the IT space unless sound security practices and compliance can be proven.
The same problems arise with client-based encryption technologies that require the user to be trained or to take extra time to accomplish his or her task. The effect is an increase in the likelihood that PHI will be transmitted through an insecure channel as rushed or untrained employees break the policies set up to protect information.
Another issue faced by organizations is a lack of technological standards. Some organizations may be employing end-to-end technologies such as S/MIME or PGP encryption, while others rely on secure connection technologies such as TLS or HTTPS. The effect is that any two organizations, each complying with HIPAA regulations in its own way, may be unable to communicate electronically because of the lack of standardization within the industry.
The solution to each of these issues is to move the encryption responsibility from the individual user to a specialized server, and to use a system that can select from a number of encryption technologies depending on the recipient's technological capabilities. The server should be capable of applying encryption policies based on heuristics defined by the security officer, administrator, or business rules. Individual users should be able to specify that a message be encrypted, but encryption should be applied automatically where appropriate regardless of user involvement.
Beyond encryption issues, covered entities (CEs) need to maintain system integrity and the availability of information. At all times, the network should not be at risk of downtime due to hacking attempts, Denial of Service (DoS) attacks, spam attacks, phishing, social engineering, or viruses.
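The two preceding passages describe a gateway that decides on the server whether a message needs protection and then picks a delivery method the recipient can actually handle. The following is an added illustration of that policy logic (example code, not CipherTrust's or IronMail's implementation). Everything in it is constructed: the partner capability directory, the PHI heuristics, the domain names and the preference order are placeholders a security officer would replace with real certificate lookups, key directories, TLS probes and organization-specific detection rules.

```python
"""Policy-based outbound e-mail protection, as a gateway would apply it.

Constructed example: the capability table, PHI patterns and domains below
are placeholders, not data from any real deployment.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Dict

# Hypothetical recipient-capability directory keyed by partner domain.
# A real gateway would fill this from S/MIME certificate discovery,
# PGP key lookups and TLS capability probes of the partner's MX hosts.
RECIPIENT_CAPABILITIES: Dict[str, Set[str]] = {
    "partnerclinic.example": {"smime"},
    "referencelab.example": {"pgp", "tls"},
    "insurer.example": {"tls"},
    # Domains not listed support none of the above.
}

# Preference order set by the security officer: end-to-end methods first,
# transport encryption next, and a secure web-pickup portal as the fallback
# that works for any recipient, so a partner with no capability is never
# a reason to send PHI in the clear or to block the message outright.
METHOD_PREFERENCE = ["smime", "pgp", "tls", "webpickup"]

# Constructed PHI heuristics, deliberately simple. Production rules would
# include identifier formats, lexicons and structured-data checks.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,}\b", re.IGNORECASE),
    "clinical": re.compile(r"\b(diagnos(is|ed)|prescription|lab results?)\b",
                           re.IGNORECASE),
}


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    body: str
    user_requested_encryption: bool = False  # the user-set flag


@dataclass
class Decision:
    encrypt: bool
    method: Optional[str]            # None when sent without protection
    reasons: List[str] = field(default_factory=list)


def detect_phi(msg: Message) -> List[str]:
    """Return the names of the PHI heuristics that fire on subject or body."""
    text = f"{msg.subject}\n{msg.body}"
    return [name for name, pat in PHI_PATTERNS.items() if pat.search(text)]


def choose_method(recipient: str) -> str:
    """Pick the strongest method in METHOD_PREFERENCE the recipient supports."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    caps = RECIPIENT_CAPABILITIES.get(domain, set())
    for method in METHOD_PREFERENCE:
        if method == "webpickup" or method in caps:
            return method
    return "webpickup"  # unreachable, kept as an explicit safety net


def decide(msg: Message) -> Decision:
    """Apply policy: encrypt on detected PHI or on the user's flag, whichever fires."""
    reasons: List[str] = []
    hits = detect_phi(msg)
    if hits:
        reasons.append("policy: PHI detected (" + ", ".join(hits) + ")")
    if msg.user_requested_encryption:
        reasons.append("user flagged message for encryption")
    if not reasons:
        return Decision(False, None, ["no PHI detected and no user flag"])
    return Decision(True, choose_method(msg.recipient), reasons)


if __name__ == "__main__":
    # Constructed sample traffic.
    samples = [
        Message("dr@hospital.example", "intake@partnerclinic.example",
                "Referral", "Patient SSN 123-45-6789, see attached chart."),
        Message("nurse@hospital.example", "billing@unknown-partner.example",
                "Follow-up", "Lab results for MRN 00451234 are ready."),
        Message("admin@hospital.example", "agent@insurer.example",
                "Lunch", "Still on for Thursday?"),
        Message("admin@hospital.example", "ops@referencelab.example",
                "Contract", "Draft attached.", user_requested_encryption=True),
    ]
    for m in samples:
        d = decide(m)
        print(f"{m.recipient:38} encrypt={d.encrypt!s:5} via={d.method} "
              f"because {'; '.join(d.reasons)}")
```

The point the passages make shows up in the last two rules: a message with no PHI and no flag goes out normally, so legitimate use of e-mail is not obstructed, while a message that trips a heuristic is protected even if the sender never thought about it, and the method is chosen from what the partner supports rather than from what the sender happens to know how to use.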
E-mail Security Issues for the Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLBA) was signed by Bill Clinton in 1999 and made fully effective on July 1, 2001. GLBA requires financial institutions, their partners and their contractors to protect consumers' private financial information. It is similar in purpose to the HIPAA regulations governing the use and transmission of information in the healthcare industry, and it imposes many of the same challenges on the financial industry as those faced by the healthcare industry.
As with organizations affected by HIPAA and Sarbanes-Oxley regulations, financial institutions are faced with the need to protect confidential data, comply with regulations, keep the network operational and secure, and operate on a budget. A failure to perform in any of these areas could result in fines and the imprisonment of company officers. It could also have devastating effects on the business itself, potentially causing existing and prospective customers to lose faith in the company's ability to service their financial needs.
As with healthcare organizations and corporate entities, the need to establish centralized policy-based governance over the transmission, encryption, and archival of sensitive information requires a secure server-based solution. The solution should be capable of interfacing with all of an organization's business partners regardless of each partner's technological capabilities, and it should be transparent to the user in order to maximize the efficiency and utility of e-mail and to encourage adoption of acceptable means of corporate communication.
The trend is clearly in the direction of more complex security regulations and increasing concern among consumers and investors over an organization's ability to protect privileged information. Fortunately, this increasing awareness among the general public and government agencies has coincided with the rapid development of the technologies required to meet these demands. CipherTrust has led the e-mail security industry in developing comprehensive solutions to e-mail-borne threats such as spam, hackers, phishing, DoS attacks and more.
CipherTrust's IronMail provides the first true balance of security and usability, enabling businesses to protect the confidentiality and integrity of information as required while ensuring that employees can continue to use e-mail easily as a central communication medium. IronMail enables e-mail security governance with ease, solving a problem that has plagued the industry for 15 years.
Others merely claim it. IronMail does it. We invite you to try it. Click here to schedule a FREE online demonstration of IronMail.
CipherTrust manufactures the leading enterprise e-mail security appliance, IronMail. To learn more about how IronMail can help your organization filter spam, block attacks, and prevent fraud, download our white paper, "Controlling Spam: The IronMail Way."
Stay up to date on all e-mail security issues by signing up for the IronMail Insider Newsletter.
CipherTrust is the leader in anti-spam and e-mail security. Learn more by downloading our free white paper, "Securing the E-mail Boundary: An Overview of IronMail," or by visiting www.ciphertrust.com.