Collaboration between healthcare professionals, their colleagues, their patients, and employers has grown progressively more digital, and e-mail has played an ever-increasing role in this communication. In process of this development, need for information security and privacy has created an impediment to widespread adoption.

In addition to usual concerns about privacy and security of e-mail correspondence, even organizations that are not in heathcare industry must now consider regulatory compliance requirements associated with HIPAA. The Administrative Simplification section of HIPAA, which, among other things, mandates privacy and security of Protected Health Information (PHI), has sparked concern about how e-mail containing PHI should be treated in corporate setting. HIPAA, as it relates to e-mail security, is an enforcement of otherwise well-known best practices that include:

• Ensuring that e-mail messages containing PHI are kept secure when transmitted over an unprotected link
• Ensuring that e-mail systems and users are properly authenticated so that PHI does not get into wrong hands
• Protecting e-mail servers and message stores where PHI may exist

It goes without saying that e-mail plays a critical role in any organization. This relatively new communication technology has, by many accounts, replaced telephone as most useful business tool available. Unfortunately, e-mail has also been a victim of its own success and presents a unique threat to enterprise network as a whole.

Protecting networks from viruses and hackers has traditionally been responsibility of Firewalls, Virus Scanners, and Intrusion Detection Systems (IDS) set up by enterprises as a defense against myriad attacks they come under each day. Virus scanners scan each PC in network, gateway servers are guarded against attempts to gain access by locking down extraneous ports and firewalls prevent unauthorized programs from accessing network. All these measures prevent direct attacks against network on every port except port 25 and port 110 – ports used by SMTP (Simple Mail Transfer Protocol) and POP (Post Office Protocol) to transmit e-mail from one server to another.

Ports are openings in operating system through which applications connect to each other. When a firewall receives an e-mail connection on port 25, it generally assumes that transmission is e-mail and allows it to flow through to e-mail server. The transmission may be a valid e-mail, it could be a virus or a spam, or it could be a job offer for an employee or something much worse. Regardless of true intent of “e-mail”, at this point it is incumbent upon various systems within network to guard against these threats. Unfortunately, experience has taught us that partial success in these areas is norm, not exception.

Stop E-mail Threats at The Gateway

The best place to stop a threat is before it gets inside network. Virus scanners are only as good as their latest update, and are virtually useless against new viruses that have yet to be identified. If a user does not update his virus definition list, then his machine will be infected. A pornographic spam will offend an employee when it slips through spam filter, and job offer from competitor won’t go away once recipient has printed it out on her printer. The best way to prevent these malicious attacks is to stop them before they become a problem – at gateway.