Email Security Solutions in Healthcare

Email security solutions are used to protect email accounts and emails against unauthorized access and for blocking threats that are delivered via email. Email threats can take many forms, such as phishing attacks that trick users into revealing their credentials. Compromised email accounts can be used in Business Email Compromise (BEC) attacks, where the compromised account is used to send emails to trick employees into making fraudulent wire transfers. If credentials are stolen in phishing attacks, attackers gain the initial access they need to launch a more extensive attack on an organization. Email is also used for distributing malware, often via malicious scripts in email attachments. Email is one of the most common ways that ransomware actors gain access to healthcare networks.

Why Multiple Email Security Solutions are Needed

Healthcare organizations are extensively targeted by Advanced Persistent Threat (APT) actors and cybercriminals, and email is one of the most common attack vectors. Cyberattacks using email as the attack vector are increasingly sophisticated, so protecting against these attacks requires more than using antivirus solutions to scan attachments or blocking certain types of attachments.

Secure email gateways are one of the most effective email security solutions to deploy, but even advanced secure email gateways will not protect against all email attacks. To defend against email attacks, multiple email security solutions can be used to provide defense-in-depth protection. The defense-in-depth approach involves using several different solutions and methods that provide overlapping layers of protection. Should one of those layers fail to block a threat, others will be in place to continue to provide protection.

Secure Email Gateways

Secure email gateways act like filters, preventing spam and malicious emails from being delivered to inboxes. These email security solutions scan all inbound emails and perform a barrage of checks on the headers, email body, and attachments. Secure email gateways use blacklists of known malicious IP addresses and domains and block any email sent from a blacklisted address or domain. Scans of the message body are performed to assess the content to determine if it is spam or malicious. Solutions with AI/machine learning components can identify when emails deviate from the standard emails received by an organization and assign the email a score for the likelihood of it being spam or malicious. Tolerance levels can be set for individuals, user groups, or the entire organization.

Antivirus protection is also included, which scans files looking for signatures of known malware. Signature-based detection only works for known malware variants, so will not block new malware threats. More advanced email security solutions feature a sandbox where attachments are sent for behavioral analysis if they pass initial inspection by the antivirus engines. Secure email gateways provide visibility into threats and are fed intelligence to automatically protect users from emerging threats.

These email security solutions often include outbound scanning and have data loss prevention capabilities. They can be configured to prevent certain data from being sent externally, such as PHI. Outbound scanning can identify misuse of email and compromised email accounts, such as when email accounts are being used to send phishing emails or malware.
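As an added illustration of the inbound checks and outbound scanning described above (example code, not the product code of any gateway vendor), the following Python script scores a raw message on its headers, attachments and body, quarantines it when the score reaches a configurable tolerance level, and runs an outbound DLP pass that blocks a message if its body or text attachments contain PHI-like identifiers. The blocklist entries, the sample messages, the phishing phrases and the PHI regexes are constructed for the demo; the thresholds and point values are assumptions, and a real gateway would draw its indicators from threat-intelligence feeds.

```python
import email
import os
import re
from email import policy
from email.utils import parseaddr

# Constructed policy data (documentation-range placeholders, not real indicators);
# a production gateway loads these from threat-intelligence feeds and the admin console.
BLOCKED_SENDER_DOMAINS = {"badsender.example"}
BLOCKED_RELAY_IPS = {"203.0.113.45"}
RISKY_ATTACHMENT_EXTS = {".js", ".vbs", ".exe", ".scr", ".hta", ".docm", ".xlsm"}
PHISH_PHRASES = ("verify your account", "password will expire", "click here immediately")
QUARANTINE_THRESHOLD = 50  # the tolerance level; settable per user, group or organization
PHI_PATTERNS = {  # outbound DLP patterns for PHI-like identifiers (constructed regexes)
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:\s#]*\d{6,10}\b", re.IGNORECASE),
}
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def body_text(msg):
    """Decoded text body, preferring text/plain; '' if the message has none."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def domain_of(header_value):
    """Domain of the first address in a From/Reply-To header, lower-cased."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def score_inbound(msg):
    """Layered header, attachment and body checks; returns (score, reasons)."""
    findings = []
    sender_domain = domain_of(msg.get("From"))
    if sender_domain in BLOCKED_SENDER_DOMAINS:
        findings.append((60, f"sender domain blocklisted: {sender_domain}"))
    # Relay IPs are the bracketed addresses in each Received header.
    for header in msg.get_all("Received", []):
        for ip in RECEIVED_IP.findall(str(header)):
            if ip in BLOCKED_RELAY_IPS:
                findings.append((60, f"relay IP blocklisted: {ip}"))
    # A Reply-To on a different domain from the sender is a common BEC indicator.
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != sender_domain:
        findings.append((20, "Reply-To domain differs from From domain"))
    for part in msg.iter_attachments():
        ext = os.path.splitext(part.get_filename() or "")[1].lower()
        if ext in RISKY_ATTACHMENT_EXTS:
            findings.append((40, f"risky attachment type: {ext}"))
    lowered = body_text(msg).lower()
    for phrase in PHISH_PHRASES:
        if phrase in lowered:
            findings.append((15, f"phishing phrase: {phrase!r}"))
    return sum(points for points, _ in findings), [reason for _, reason in findings]


def inbound_verdict(raw):
    """Deliver or quarantine a raw inbound message based on its aggregate score."""
    msg = email.message_from_string(raw, policy=policy.default)
    score, reasons = score_inbound(msg)
    action = "quarantine" if score >= QUARANTINE_THRESHOLD else "deliver"
    return {"action": action, "score": score, "reasons": reasons}


def scan_outbound(raw):
    """Outbound DLP: count PHI-like identifiers in the body and text attachments."""
    msg = email.message_from_string(raw, policy=policy.default)
    texts = [body_text(msg)] + [p.get_content() for p in msg.iter_attachments()
                                if p.get_content_maintype() == "text"]
    hits = {}
    for text in texts:
        for name, pattern in PHI_PATTERNS.items():
            count = len(pattern.findall(text))
            if count:
                hits[name] = hits.get(name, 0) + count
    return {"action": "block" if hits else "send", "phi_hits": hits}


# Constructed sample messages for the demo (every address and IP is a placeholder).
SAMPLE_INBOUND = """Received: from mail.badsender.example ([203.0.113.45]) by mx.hospital.example
From: IT Helpdesk <helpdesk@badsender.example>
Reply-To: support@other.example
Subject: Action required
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your password will expire today. Verify your account now.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.js"

Y29uc3RydWN0ZWQ=
--b1--
"""
SAMPLE_OUTBOUND = """From: clinic@hospital.example
To: partner@outside.example
Subject: Referral
Content-Type: text/plain

Patient MRN 00123456 (SSN 123-45-6789) referred for imaging.
"""
```

Calling `inbound_verdict(SAMPLE_INBOUND)` quarantines the sample because several independent layers fire (blocklisted domain and relay, mismatched Reply-To, a script attachment, and phishing phrasing), which is the point of layering: no single check has to be right. `scan_outbound(SAMPLE_OUTBOUND)` blocks the referral message because it carries an SSN-like and an MRN-like value; in a real deployment the same classification would trigger automatic encryption rather than an outright block.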

Secure email gateways are delivered as an on-premises solution or a cloud service, with the latter the best choice for protecting Microsoft Office 365 accounts. Email security solutions delivered as a SaaS solution require no hardware on-premises, and the cloud service provider is responsible for updating and patching the service, so it doesn’t add to the IT team’s patching burden. Cloud-delivered services also benefit from the scalability of the cloud, which means performance can be easily maintained in the event of a spike in email traffic.

Security Awareness Training

Email security solutions will block spam email and the majority of email threats, but no single solution will provide complete protection and some threats will be delivered to employee inboxes. Your email security strategy should include security awareness training for the workforce, and that training should be provided to everyone from the CEO down. Security awareness training is concerned with teaching employees security best practices and eradicating risky behaviors.

It is important to train employees to recognize and avoid phishing emails, to make them aware of the threats they are likely to encounter, and to explain how to respond if such a threat is identified.

Security awareness training should be provided regularly. A once-a-year training session is unlikely to allow an organization to develop a security culture. Annual training sessions should be augmented with regular refresher training sessions throughout the year. Phishing simulations are also recommended. These involve sending fake but realistic phishing emails to test the effectiveness of the training. Individuals who fail phishing simulations can then be provided with additional training.

Email Encryption

Email encryption is the process of scrambling the content of emails and attached files to prevent anyone other than the intended recipient from viewing the content of the messages. When emails are encrypted, if they are intercepted, they will be unintelligible. There are two main approaches to encrypting email: Transport Layer Security (TLS), which protects emails in transit, and end-to-end encryption. TLS protects against man-in-the-middle attacks, where cybercriminals intercept, view, and alter emails in transit. TLS protects emails from the moment they are sent to when they are delivered, but it does not protect emails and data from unauthorized access once they are delivered. End-to-end encryption provides further protection, requiring the recipient to authenticate to view emails.

The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to implement a mechanism to encrypt protected health information (PHI) if it is transmitted over an open network. While the HIPAA text does not specify the method that must be used for encryption, covered entities should refer to the recommendations of the National Institute of Standards and Technology (NIST), which, at the time of writing, recommends the use of Advanced Encryption Standard (AES) 128, 192 or 256-bit encryption, OpenPGP, and S/MIME.

Email encryption solutions should automate encryption, ideally scanning all outbound emails and automatically encrypting the messages if the content contains sensitive information such as PHI, as this reduces the potential for human error.

Multifactor Authentication

Multifactor authentication can prevent stolen and compromised passwords from being used by unauthorized individuals to access accounts. If credentials are compromised in a phishing attack or guessed using brute force tactics, and no second factor is required, those credentials can be freely used to access email and other accounts. Multifactor authentication adds another layer of protection by requiring an additional form of authentication in addition to a password, such as a one-time code sent to a mobile device.

While multifactor authentication can slow down access, it is important for security. According to Microsoft, multifactor authentication blocks more than 99% of automated attacks on accounts.
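To show concretely why a phished password is not enough once a second factor is required, here is an added Python example (not from the original article or any vendor) that implements one-time codes per RFC 4226 (HOTP) and RFC 6238 (TOTP) with the standard library and wraps them in a two-factor login check. The user record, salt and password are constructed for the demo, and the TOTP seed is the published RFC 6238 test-vector key so the codes can be checked against the RFC; the `last_counter` replay guard and the one-step drift window are design choices of this example.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, at // step, digits)


def match_totp(secret, submitted, at, step=30, window=1, digits=6):
    """Return the time-step counter the submitted code matches, allowing +/- window steps
    of clock drift, or None. Comparison is constant-time to avoid a timing side channel."""
    base = at // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + delta, digits), submitted):
            return base + delta
    return None


# Constructed user store. The TOTP seed is the RFC 6238 test-vector key; a real
# deployment generates a random per-user seed and keeps it encrypted at rest.
PBKDF2_ROUNDS = 100_000
USERS = {
    "nurse@hospital.example": {
        "salt": b"constructed-salt",
        "password_hash": hashlib.pbkdf2_hmac(
            "sha256", b"correct horse battery staple", b"constructed-salt", PBKDF2_ROUNDS),
        "totp_secret": b"12345678901234567890",
        "last_counter": -1,  # highest time step already used, to reject replayed codes
    }
}


def login(username, password, code, at=None):
    """Two-factor check: password (factor 1) and a one-time code (factor 2).
    A password alone, however it was obtained, never passes this function."""
    at = int(time.time()) if at is None else at
    user = USERS.get(username)
    if user is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    if not hmac.compare_digest(digest, user["password_hash"]):
        return False
    counter = match_totp(user["totp_secret"], code, at)
    if counter is None or counter <= user["last_counter"]:
        return False  # wrong code, or a code that was already used (replay)
    user["last_counter"] = counter
    return True
```

The replay guard matters for the phishing case the article describes: a one-time code captured by a proxy phishing page is only useful within its 30-second step and, once the legitimate user has consumed it, not at all. Codes delivered by SMS, as in the article's example, would be verified the same way on the server side, with the code generated and stored per login attempt instead of derived from a shared seed.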

DNS Filtering

DNS filtering is used to protect against web-based threats and adds another layer of protection against phishing and malware. DNS filters allow organizations to exercise control over the Internet content users can access and are commonly used to block access to categories of websites that serve no work purpose – pornography, gambling, and gaming sites for instance. DNS filters use blacklists of known malicious websites and block any attempt by a user to access that content, providing time-of-click protection against malicious links in emails and protection from redirects to malicious websites through web browsing. DNS filtering can also be used to block the downloading of certain file types from the Internet.
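The decision logic of a DNS filter, as an added Python example rather than code from the article or from any filtering product: a policy lookup that walks from the queried host up through its parent domains (so a blocked zone covers its subdomains and an allowlisted zone overrides the feeds), a sinkhole answer for blocked names, a download file-type rule, and a time-of-click pass over the links in a message body. The blocklist, category table, allowlist and sample message body are constructed for the demo.

```python
import os
import re
from urllib.parse import urlparse

# Constructed policy tables; a real DNS filtering service loads these from its
# threat-intelligence feeds and the administrator's category settings.
BLOCKLIST = {"malware-drop.example", "phish-login.example"}
CATEGORIES = {"casino.example": "gambling", "games.example": "gaming",
              "ehr-vendor.example": "business"}
BLOCKED_CATEGORIES = {"gambling", "gaming", "adult"}
ALLOWLIST = {"hospital.example"}          # never blocked, whatever the feeds say
BLOCKED_DOWNLOAD_EXTS = {".exe", ".js", ".vbs", ".scr"}
SINKHOLE_IP = "0.0.0.0"                   # answer returned in place of a blocked name
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def domain_chain(host):
    """The host and each of its parent domains, most specific first, so a policy entry
    for a zone also covers all of its subdomains (the public TLD itself is excluded)."""
    labels = host.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def resolve_policy(host):
    """DNS-layer decision for one queried name: (decision, reason)."""
    for name in domain_chain(host):
        if name in ALLOWLIST:
            return "allow", f"allowlisted zone: {name}"
        if name in BLOCKLIST:
            return "block", f"blocklisted zone: {name}"
        category = CATEGORIES.get(name)
        if category in BLOCKED_CATEGORIES:
            return "block", f"category {category}: {name}"
    return "allow", "no policy match"


def dns_answer(host, upstream_ip):
    """What the client receives: the real address, or the sinkhole for blocked names."""
    decision, _ = resolve_policy(host)
    return upstream_ip if decision == "allow" else SINKHOLE_IP


def check_url(url):
    """Time-of-click check: the DNS decision on the host, then the download-type rule."""
    parsed = urlparse(url)
    decision, reason = resolve_policy(parsed.hostname or "")
    if decision == "block":
        return decision, reason
    ext = os.path.splitext(parsed.path)[1].lower()
    if ext in BLOCKED_DOWNLOAD_EXTS:
        return "block", f"download of {ext} files not permitted"
    return "allow", reason


def check_email_links(body):
    """Evaluate every link in a message body as if it were clicked now."""
    return {url: check_url(url) for url in URL_RE.findall(body)}


# Constructed message body with two legitimate and two policy-violating links.
SAMPLE_BODY = """Please review the updated referral form:
https://ehr-vendor.example/forms/referral.pdf
Update your viewer first: https://cdn.malware-drop.example/viewer.exe
Weekend fun: http://games.example/play and https://portal.hospital.example/login
"""
```

Because the check runs when the name is resolved rather than when the email arrived, a link that was clean at delivery time but whose domain has since been added to the feed is still blocked, which is the time-of-click protection the section refers to. The ordering inside `resolve_policy` (allowlist first, then blocklist, then category) determines how conflicts between an administrator's exceptions and the feeds are settled, so it deserves a deliberate choice.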

Backups and Email Archiving

Emails often contain business-critical data, so ensuring emails can always be accessed is important for business continuity. Email archiving is an often-neglected element of email security but will ensure that emails are always available even during an email server outage or ransomware attack. Email archiving is often delivered as a cloud service. Subject to the organization’s policies, every email is automatically sent to the cloud archive. The archive is replicated across multiple data servers to ensure constant availability and archives are automatically backed up. Email archives can be searched, and emails recovered in seconds.

While email archives can form part of a disaster recovery strategy, it is important to ensure that backups of email accounts are also made. Backups should be made at least daily for all email accounts, backups should be tested to make sure email recovery is possible, and backups should be encrypted. Since backups are often targeted in ransomware attacks, it is important to ensure that backups are stored securely off-site on a non-networked device.

Email security solutions are required to protect against unauthorized email access and to block a wide range of threats. Email security solutions should be combined to provide layered protection to ensure that should one element fail to block a threat, other mechanisms are in place to provide protection.