As complexity increases, so does the probability that not all e-mail containing PHI will be encrypted. Doctors, who are always pressed for time, may not take the extra few minutes required to encrypt an e-mail. The clerk handling outbound messages for a nurse may not understand which information requires encryption and which does not. Furthermore, many healthcare administration workers have not been trained on the identification of PHI and its subsequent proper handling.
The uncertainties and potential liabilities have led some organizations to go so far as to outlaw all PHI in e-mail. Instead of solving the problem, however, these decisions generally force employees to find alternative, and usually insecure, methods of transmitting PHI via e-mail in order to accomplish their jobs. This leaves organizations vulnerable to lawsuits based, at best, on non-compliance with HIPAA and, at worst, on exposed PHI. The liability is tremendous, leading many insurance providers to be extremely hesitant to provide coverage in the IT space unless sound security practices and compliance can be proven.
The same problems arise with client-based encryption technologies that require the user to be trained or to take extra time to accomplish his or her task. The effect is an increased likelihood that PHI will be transmitted through an insecure channel as rushed or untrained employees break the policies set up to protect information.
Another issue faced by organizations is a lack of technological standards. Some organizations may be employing technologies such as S/MIME or PGP encryption, while others utilize secure connection technologies such as TLS or HTTPS. The effect is that any two organizations, each complying with HIPAA regulations in their own way, may be unable to communicate electronically due to a lack of standardization within the industry.
The solution to each of these issues is to move the encryption responsibility from the individual user to a specialized server, and to utilize a system that can select from a number of encryption technologies depending on the recipient's technological capabilities. The server should be capable of applying encryption policies based on heuristics determined by the security officer, administrator, or business rules. Individual users should be able to specify that a message be encrypted, but encryption should automatically be applied where appropriate regardless of user involvement.
Beyond encryption issues, CEs (covered entities) need to maintain system integrity and the availability of information. At all times, the network should not be at risk of downtime due to hacking attempts, Denial of Service (DoS) attacks, spam attacks, phishing, social engineering, or viruses.
E-mail Security Issues for the Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLBA) was signed by Bill Clinton in 1999 and made fully effective on July 1, 2001. GLBA requires financial institutions, partners and contractors to protect consumers' private financial information. It is similar in purpose to the HIPAA regulations governing the use and transmission of information in the healthcare industry. It also imposes many of the same challenges on the financial industry as those faced by the healthcare industry.
As with organizations affected by HIPAA and Sarbanes-Oxley regulations, financial institutions are faced with the need to protect confidential data, comply with regulations, keep the network operational and secure, and operate on a budget. A failure to perform in any of these areas could result in fines and the imprisonment of company officers. It could also have devastating effects on the business itself, potentially causing existing and potential customers to lose faith in the company's ability to service their financial needs.
As with healthcare organizations and corporate entities, the need to establish centralized policy-based governance over the transmission, encryption, and archival of sensitive information requires a secure server-based solution. The solution should be capable of interfacing with all of an organization's business partners regardless of the partner's technological capabilities, and it should be transparent to the user in order to maximize the efficiency and utility of e-mail and encourage adoption of acceptable means of corporate communication.
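The server-side policy selection described in the HIPAA section (encrypt on user request or when heuristics flag PHI, choosing a method the recipient supports) and in the governance paragraph above, as an added illustration in Python; this is not CipherTrust's or IronMail's code. The capability directory, the PHI patterns and the rule to hold a message when no compatible method exists are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed capability directory (hypothetical): which methods each partner
# domain is known to support, e.g. from a certificate/key directory or prior
# TLS negotiations with that domain's mail server.
CAPABILITIES = {
    "clinic.example": {"smime"},
    "lab.example": {"pgp", "tls"},
    "partner.example": {"tls"},
    "webmail.example": set(),          # nothing usable is known
}

# Preference order set by the security officer: end-to-end methods first,
# transport-only encryption last.
PREFERENCE = ("smime", "pgp", "tls")

# Constructed PHI heuristics (hypothetical, deliberately small): the real
# rule set would be maintained by the security officer or business rules.
PHI_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),              # SSN-shaped number
    re.compile(r"\bMRN[:#]?\s*\d{6,}\b", re.I),        # medical record number
    re.compile(r"\b(diagnosis|prescription|lab results?)\b", re.I),
]


def contains_phi(body: str) -> bool:
    """True if any heuristic pattern matches the message body."""
    return any(p.search(body) for p in PHI_PATTERNS)


@dataclass
class Decision:
    action: str                  # "send-clear", "encrypt" or "hold"
    method: Optional[str] = None # chosen encryption method, if any
    reason: str = ""


def decide(recipient: str, body: str, user_requested: bool = False) -> Decision:
    """Gateway policy: encryption is required when the user asked for it OR the
    heuristics flag PHI, regardless of the user; the method is the first
    preferred one the recipient supports. With no compatible method the
    message is held for review instead of being sent in the clear."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if not (user_requested or contains_phi(body)):
        return Decision("send-clear", reason="no PHI detected and not requested")
    supported = CAPABILITIES.get(domain, set())
    for method in PREFERENCE:
        if method in supported:
            return Decision("encrypt", method, "policy requires encryption")
    return Decision("hold", reason=f"no supported encryption method for {domain}")
```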
Conclusion
The trend is clearly in the direction of more complex security regulations and increasing concern among consumers and investors over an organization's ability to protect privileged information. Fortunately, this increasing awareness among the general public and government agencies has coincided with the rapid development of the technologies required to meet these demands. CipherTrust has led the e-mail security industry in developing comprehensive solutions to e-mail borne threats such as spam, hackers, phishing, DoS attacks and more.
CipherTrust's IronMail provides the first true balance of security and usability that will enable businesses to protect the confidentiality and integrity of information as required while ensuring that employees can continue to use e-mail easily as a central communication medium. IronMail enables e-mail security governance with ease, solving a problem that has plagued the industry for 15 years.
Others merely claim it. IronMail does it. We invite you to try it. Click here to schedule a FREE online demonstration of IronMail.
CipherTrust manufactures the leading Enterprise E-mail Security appliance, IronMail. To learn more about how IronMail can help your organization filter spam, block attacks, and prevent fraud, download our white paper, "Controlling Spam: The IronMail Way."
Stay up to date on all e-mail security issues by signing up for the IronMail Insider Newsletter.

CipherTrust is the leader in anti-spam and email security. Learn more by downloading our free whitepaper, “Securing the E-mail Boundary: An overview of IronMail” or by visiting www.ciphertrust.com.