How HIPAA Security Policies Affect Corporate E-mail Systems
Written by CipherTrust
Although considered by many to be the sole concern of health care providers, the Health Insurance Portability and Accountability Act (HIPAA) affects nearly all companies that regularly transmit or store employee health insurance information. HIPAA was signed into law in 1996, and its original purpose was to protect employee health and insurance information when workers changed or lost their jobs. As use of the Internet became more widespread in the mid-1990s, HIPAA requirements overlapped with the digital revolution and offered direction to organizations needing to exchange healthcare information. HIPAA regulations apply to any establishment that exchanges individually identifiable healthcare information.
Collaboration between healthcare professionals, their colleagues, their patients, and employers has grown progressively more digital, and e-mail has played an ever-increasing role in this communication. In the process of this development, the need for information security and privacy has created an impediment to widespread adoption.
In addition to the usual concerns about the privacy and security of e-mail correspondence, even organizations that are not in the healthcare industry must now consider the regulatory compliance requirements associated with HIPAA. The Administrative Simplification section of HIPAA, which, among other things, mandates the privacy and security of Protected Health Information (PHI), has sparked concern about how e-mail containing PHI should be treated in a corporate setting. HIPAA, as it relates to e-mail security, is an enforcement of otherwise well-known best practices that include:
- Ensuring that e-mail messages containing PHI are kept secure when transmitted over an unprotected link
- Ensuring that e-mail systems and users are properly authenticated so that PHI does not get into the wrong hands
- Protecting e-mail servers and message stores where PHI may exist
Organizations regulated by HIPAA must comply and put these practices in place. However, the need to comply with regulations puts particular pressure on the healthcare industry to enhance its use of technology and “catch up” with other industries of similar size and scope.
The privacy protection provisions in HIPAA pose a major compliance challenge for the healthcare industry. These provisions are intended to protect patients from disclosure of any of their individually identifiable health information. Organizations that fail to protect this information face fines ranging from $10,000 to $25,000 for each instance of unauthorized disclosure. If the disclosure is found to be intentional, HIPAA provides for fines ranging from $100,000 to $250,000 and possible jail time for the individuals involved in the violations.
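The first practice above, keeping PHI off unprotected links, is usually enforced at the outbound mail gateway: scan the message for PHI indicators and, when any are found, relay it only over an encrypted channel or hold it for another secure path. The following Python script is an added example written for this article, not CipherTrust's product code. It assumes the gateway already has the parsed message and knows whether the next-hop server advertised STARTTLS; the PHI patterns (an SSN-style number, an `MRN:` identifier, a few clinical terms) and the sample message are constructed for illustration.

```python
"""Outbound-gateway check for e-mail that may carry PHI (added example).

Assumptions (not from the article): the gateway sees the parsed RFC 5322
message plus whether the next-hop server advertised STARTTLS in its EHLO
reply. The PHI indicators below are constructed, simplified patterns.
"""
import re
from email import message_from_string
from email.message import Message
from typing import List

# Constructed indicators; a real deployment would use an organization-specific
# dictionary (member IDs, MRN formats, diagnosis codes) rather than these.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MRN_RE = re.compile(r"\bMRN[:\s]*\d{6,10}\b", re.IGNORECASE)
CLINICAL_TERMS = ("diagnosis", "prescription", "treatment plan", "lab result")


def message_text(msg: Message) -> str:
    """Collect text/plain and text/html bodies into one string for scanning."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                charset = part.get_content_charset() or "utf-8"
                parts.append(payload.decode(charset, "replace"))
    return "\n".join(parts)


def phi_indicators(msg: Message) -> List[str]:
    """Return the names of the PHI indicators found in the message body."""
    text = message_text(msg)
    found = []
    if SSN_RE.search(text):
        found.append("ssn")
    if MRN_RE.search(text):
        found.append("mrn")
    lowered = text.lower()
    if any(term in lowered for term in CLINICAL_TERMS):
        found.append("clinical-term")
    return found


def delivery_decision(raw: str, next_hop_offers_starttls: bool) -> dict:
    """Decide how the gateway should handle an outbound message.

    - no PHI indicators: relay normally
    - PHI indicators and the next hop offers STARTTLS: relay, but only over
      the encrypted channel (the gateway must fail closed if negotiation fails)
    - PHI indicators and no TLS available: hold the message for an alternative
      secure path (S/MIME, a secure portal) instead of sending it in the clear
    """
    msg = message_from_string(raw)
    found = phi_indicators(msg)
    if not found:
        return {"action": "relay", "indicators": []}
    if next_hop_offers_starttls:
        return {"action": "relay-tls-required", "indicators": found}
    return {"action": "hold", "indicators": found}


# Constructed sample message for demonstration (not a real person or claim).
SAMPLE = """From: benefits@example-employer.test
To: claims@example-insurer.test
Subject: Claim follow-up
Content-Type: text/plain; charset=utf-8

Please review the attached diagnosis for employee 123-45-6789, MRN: 00482913.
"""

if __name__ == "__main__":
    print(delivery_decision(SAMPLE, next_hop_offers_starttls=True))
    print(delivery_decision(SAMPLE, next_hop_offers_starttls=False))
```

The decision deliberately never returns "relay in the clear" once an indicator fires: opportunistic TLS that silently falls back to plaintext would satisfy the e-mail system but not the requirement the article describes. Pattern matching of this kind also produces false positives, which is why the fallback is "hold for review" rather than "delete".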
Secure Your E-mail Systems - Protecting Against Port 25 Vulnerabilities
Written by CipherTrust
It goes without saying that e-mail plays a critical role in any organization. This relatively new communication technology has, by many accounts, replaced the telephone as the most useful business tool available. Unfortunately, e-mail has also been a victim of its own success and presents a unique threat to the enterprise network as a whole.
Protecting networks from viruses and hackers has traditionally been the responsibility of firewalls, virus scanners, and Intrusion Detection Systems (IDS) set up by enterprises as a defense against the myriad attacks they come under each day. Virus scanners scan each PC in the network, gateway servers are guarded against attempts to gain access by locking down extraneous ports, and firewalls prevent unauthorized programs from accessing the network. All these measures prevent direct attacks against the network on every port except port 25 and port 110 – the ports used by SMTP (Simple Mail Transfer Protocol) and POP (Post Office Protocol) to transmit e-mail from one server to another.
Ports are openings in the operating system through which applications connect to each other. When a firewall receives a connection on port 25, it generally assumes that the transmission is e-mail and allows it to flow through to the e-mail server. The transmission may be a valid e-mail, it could be a virus or spam, or it could be a job offer for an employee or something much worse. Regardless of the true intent of the “e-mail”, at this point it is incumbent upon the various systems within the network to guard against these threats. Unfortunately, experience has taught us that partial success in these areas is the norm, not the exception.
Stop E-mail Threats at The Gateway
The best place to stop a threat is before it gets inside the network. Virus scanners are only as good as their latest update, and are virtually useless against new viruses that have yet to be identified. If a user does not update his virus definition list, then his machine will be infected. A pornographic spam will offend an employee when it slips through the spam filter, and a job offer from a competitor won’t go away once the recipient has printed it out on her printer. The best way to prevent these malicious attacks is to stop them before they become a problem – at the gateway.
Stopping spam and other malicious e-mail traffic at the gateway requires a coordinated effort to solve a whole host of issues. These include, but are certainly not limited to, spam, viruses, corporate policy infringements, directory harvest attacks, denial of service attacks, phishing, spoofing, and snooping. Furthermore, accuracy in identifying spam e-mails is crucial. It is much better to receive the occasional spam than to accidentally filter out an important e-mail from a customer.
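Two of the issues listed above, directory harvest attacks and spoofing, are visible at the SMTP gateway before any message body is accepted, and the accuracy point decides what the gateway should do with what it finds. The Python script below is an added example written for this article, not CipherTrust's gateway code. It assumes the gateway knows the connecting IP, the envelope sender, each RCPT TO address, the set of valid local mailboxes and the organization's own domains; the thresholds, the dangerous-extension list and the sample message are constructed for illustration. The verdicts follow the article's accuracy rule: only a near-certain finding (an executable attachment) is rejected at SMTP time, where the sender sees the refusal; weaker findings are quarantined or tagged so that a legitimate message is never silently lost.

```python
"""Inbound-gateway checks for SMTP traffic on port 25 (added example).

Assumptions (not from the article): the gateway has the connecting IP, the
envelope sender (MAIL FROM), each RCPT TO address, the valid local mailboxes,
the local domains and the parsed message. Thresholds are constructed.
"""
import re
from collections import defaultdict, deque
from email import message_from_string
from typing import Deque, Dict, List, Set

# Constructed list of attachment extensions treated as near-certain malware carriers.
DANGEROUS_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".cmd", ".js", ".vbs")


class DirectoryHarvestDetector:
    """Flag a source IP that probes many non-existent recipients in a window.

    A directory harvest attack guesses addresses to learn which ones exist, so a
    burst of RCPT TO failures from one IP is the tell-tale sign.
    """

    def __init__(self, max_unknown: int = 5, window_seconds: int = 60):
        self.max_unknown = max_unknown
        self.window = window_seconds
        self.failures: Dict[str, Deque[float]] = defaultdict(deque)

    def record(self, source_ip: str, recipient: str, valid_mailboxes: Set[str], now: float) -> bool:
        """Record one RCPT TO attempt; return True once the IP crosses the threshold."""
        q = self.failures[source_ip]
        while q and now - q[0] > self.window:      # drop failures outside the window
            q.popleft()
        if recipient.lower() not in valid_mailboxes:
            q.append(now)
        return len(q) >= self.max_unknown


def sender_domain(addr: str) -> str:
    """Extract the domain from 'user@domain' or 'Name <user@domain>'."""
    m = re.search(r"@([\w.-]+)>?\s*$", addr)
    return m.group(1).lower() if m else ""


def inspect_message(envelope_from: str, raw: str, local_domains: Set[str]) -> dict:
    """Apply content checks and return a verdict that errs toward not losing mail."""
    msg = message_from_string(raw)
    findings: List[str] = []

    header_dom = sender_domain(msg.get("From", ""))
    env_dom = sender_domain(envelope_from)
    # Header From claims one of our own domains but the envelope sender is
    # external, or the two domains simply disagree: classic spoofing indicators.
    if header_dom in local_domains and env_dom not in local_domains:
        findings.append("spoofed-local-sender")
    elif header_dom and env_dom and header_dom != env_dom:
        findings.append("envelope-header-mismatch")

    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(DANGEROUS_EXTENSIONS):
            findings.append(f"dangerous-attachment:{name}")

    if any(f.startswith("dangerous-attachment") for f in findings):
        action = "reject"          # visible SMTP refusal, not a silent drop
    elif "spoofed-local-sender" in findings:
        action = "quarantine"      # held for an administrator to release
    elif findings:
        action = "tag"             # delivered with a warning header
    else:
        action = "accept"
    return {"action": action, "findings": findings}


# Constructed sample: a message claiming to be internal, arriving from outside,
# with an executable attachment (the base64 body is just the two bytes "MZ").
SPOOFED_WITH_EXE = """From: ceo@corp.test
To: staff@corp.test
Subject: Urgent update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please run the attached update.
--b1
Content-Type: application/octet-stream; name="update.exe"
Content-Disposition: attachment; filename="update.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

if __name__ == "__main__":
    print(inspect_message("bounce@evil-mailer.test", SPOOFED_WITH_EXE, {"corp.test"}))
    det = DirectoryHarvestDetector(max_unknown=3)
    for i, rcpt in enumerate(["alice@corp.test", "bob@corp.test", "carol@corp.test", "dave@corp.test"]):
        print(rcpt, det.record("203.0.113.9", rcpt, {"alice@corp.test"}, float(i)))
```

The harvest detector counts only failed lookups, so a legitimate sender who mistypes one address is never flagged, while a probe that walks through a dictionary of names trips the threshold inside the window and can be throttled or disconnected before it learns anything.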