Email Spam Protection
An email spam protection solution is a foundational element of any cybersecurity strategy. Get it right and it will greatly improve your security posture. Get it wrong and you are likely to have to deal with a costly data breach.
Why Email Spam Protection is so Important
Email is the primary vector used to distribute malware, ransomware, viruses, botnets, adware, and spyware. Without effective email spam protection, employees would have their inboxes flooded with spam and all manner of malicious messages.
Most healthcare organizations have some form of email security solution in place, but with attacks increasing in sophistication, more advanced email security solutions are required. Spam and phishing campaigns now incorporate a variety of measures to evade detection and get the emails to users’ inboxes.
Social engineering techniques are then used to trick message recipients into opening infected attachments or clicking links to malicious websites. The emails can be very convincing and hard to distinguish from genuine communications from a company, colleague, or business contact.
A spam filtering solution acts as a sieve that catches malware, phishing emails and other unwanted messages and keeps inboxes clear of spam and email threats.
An effective email spam protection system will:
Block Nuisance Emails
According to Kaspersky Lab, in Q1, 2019, spam accounted for between 55% and 56% of all email traffic. Spam is a major drain of productivity and increases the likelihood of important emails being missed.
Block Malware and Ransomware
Email is the primary way used to deliver malware and ransomware. A study by Verizon found 66% of malware on healthcare networks was delivered via email attachments.
Verify the identity of Senders
Email impersonation is a common tactic used in phishing attacks. Trust in well-known brands, companies, contacts, and colleagues is abused to get end users to take a particular action.
Block Phishing Attacks
Phishing is the biggest cyber threat faced by healthcare organizations. Figures from Cofense suggest that more than 90% of data breaches start with a phishing email.
Detect Potential Account Breaches
Once an unauthorized individual gains access to an email account it is often used to send phishing emails within the organization and to contacts and business associates.
HIPAA and Email Spam Protection
While HIPAA does not specifically mention spam filters, the HIPAA Security Rule is quite clear about the importance of implementing safeguards to ensure the confidentiality, integrity, and availability of ePHI. HIPAA covered entities are required to conduct a risk analysis to identify threats and vulnerabilities to PHI and must reduce these to a reasonable and acceptable level. An anti-spam solution is essential for reducing email security risks to an acceptable level.
HIPAA fines have been issued to healthcare organizations that have failed to do enough to prevent phishing attacks from succeeding. UW medicine paid OCR $750,000 and Metro Community Provider Network paid $400,000 to settle alleged HIPAA violations that contributed to their phishing-related breaches.
Healthcare Email Security Found Lacking
Despite email being the primary attack vector, healthcare email security defenses often come up short. A survey conducted by the Global Cyber Alliance (GCA) revealed only 6 out of the 50 largest public hospitals had deployed DMARC email authentication technology. Research from Agari found only 15% of healthcare organizations valued over $1 billion had implemented DMARC.
Don’t Neglect Security Awareness Training for Employees
It is important to remember that technical email spam and anti-phishing protections will not be 100% effective 100% of the time. Cybercriminals are constantly changing tactics and developing new methods of attack and it is inevitable that some malicious messages will arrive in inboxes. It is therefore important to make sure all employees are trained how to recognize email threats.
Employees should be taught how to recognize threats such as phishing attacks and other email scams and should be encouraged to adopt cybersecurity best practices to reduce risk. Security awareness training for healthcare employees is an essential part of any cybersecurity strategy and also a requirement of HIPAA.
Just as it is important to test backups to make sure file recovery is possible, the effectiveness of a security awareness training program should also be assessed. Phishing email simulations can help to identify weaknesses which can be addressed through further training.