HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

MSP Spam Filtering for Healthcare Organizations

Demand for MSP spam filtering services is growing as healthcare organizations struggle to deal with the number and complexity of email-based attacks. An increasing number of MSPs now offer email security services to the healthcare industry. According to Datto, 99% of MSPs have started providing managed security services to their clients, and 82% of MSPs offer managed email security services.

Healthcare Clients Require Advanced Email Security

The healthcare industry is a prime target for hackers. Healthcare organizations store huge amounts of sensitive data, which is extremely valuable to cybercriminals. Initial access to healthcare networks is readily sold on to other cybercriminal groups, and ransomware gangs are eager buyers. Email is the main attack vector, and phishing is the most common way that access to healthcare networks is gained. According to the Carahsoft 2021 HIMSS Healthcare Cybersecurity Survey, phishing attacks were the most common threat over the past 12 months and were behind 45% of all security incidents.

Email-based attacks are becoming more sophisticated, and multiple layers of protection are required to block them. Managing email security solutions in-house has become increasingly burdensome for small- to medium-sized healthcare organizations, especially given the difficulty of recruiting cybersecurity professionals, so healthcare organizations are increasingly turning to MSPs to manage email security for them. MSPs that provide managed spam filtering are better placed to protect their clients against the full range of email-based attacks, allowing those clients to concentrate on running their business.

What Should MSP Spam Filtering Services Incorporate?

MSP spam filtering services for healthcare organizations need more advanced capabilities than the native filtering bundled with email service providers. While that filtering provides a reasonable level of protection against bulk spam, the healthcare industry is extensively targeted by threat actors, and email security needs to be more sophisticated to deal with advanced phishing threats, zero-day attacks, and novel malware variants.

MSP spam filtering services need more than signature-based antivirus engines to detect malware. Behavioral detection, such as sandboxing, is needed to catch zero-day malware that no signature yet matches. Malicious URL protection is required to block phishing attempts, and robust anti-phishing controls are required, with machine learning/AI capabilities to detect new phishing and social engineering attacks. A spam filtering solution with these advanced features will block the majority of malicious emails; however, some threats will still reach inboxes. You should therefore also provide an email client plugin that allows employees to report suspicious emails, and your security team should monitor those reports and remediate confirmed threats rapidly.

You will need to provide a solution that has highly granular controls for precision filtering, Active Directory integration for ease of management and for applying risk-based filtering policies to specific users and groups, and extensive reporting and analytical capabilities that allow you to investigate and remediate threats quickly.
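To make the "multiple layers" idea concrete, here is an added illustration of how independent checks are combined into a single quarantine decision. It is example code written for this page, not code from any MSP product or vendor: the client domain, the score weights, the threshold, the term lists and the sample messages are all constructed assumptions. Real sandboxing, antivirus scanning and URL reputation lookups are represented only by cheap static stand-ins (attachment extension, link host shape, Reply-To mismatch, urgency wording); the point is the structure, where each layer scores on its own and a miss in one layer can still be caught by another.

```python
"""Added example: a minimal layered email triage pipeline (hypothetical)."""
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

OUR_DOMAIN = "example-health.org"          # assumed client domain (hypothetical)
DANGEROUS_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".iso", ".hta", ".lnk"}
URGENCY_TERMS = ("urgent", "immediately", "suspended", "verify", "password")
QUARANTINE_AT = 60                          # assumed threshold (hypothetical)
URL_RE = re.compile(r"https?://[^\s<>]+")


def domain_of(addr_header):
    """Lower-cased domain of the first address in a header, or '' if none."""
    m = re.search(r"@([\w.-]+)", addr_header or "")
    return m.group(1).lower() if m else ""


def body_text(msg):
    """Text of the preferred body part ('' for a message with no text body)."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return body.get_content() if body else ""


def check_attachments(msg):
    """Layer 1: executable/script attachment names are held on their own."""
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    bad = [n for n in names if any(n.endswith(e) for e in DANGEROUS_EXTENSIONS)]
    return (60 if bad else 0), bad


def check_links(msg):
    """Layer 2: link hosts that are raw IPs or look-alikes of the client domain."""
    base = OUR_DOMAIN.split(".")[0]
    suspicious = []
    for url in URL_RE.findall(body_text(msg)):
        host = (urlparse(url.rstrip(".,;)")).hostname or "").lower()
        is_ip = re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None
        lookalike = (base in host and host != OUR_DOMAIN
                     and not host.endswith("." + OUR_DOMAIN))
        if is_ip or lookalike:
            suspicious.append(host)
    return (40 if suspicious else 0), suspicious


def check_sender(msg):
    """Layer 3: a Reply-To pointing away from the From domain is a phishing tell."""
    from_d, reply_d = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    mismatch = bool(reply_d) and reply_d != from_d
    return (20 if mismatch else 0), ([reply_d] if mismatch else [])


def check_urgency(msg):
    """Layer 4: crude lexical signal for pressure / credential-harvest wording."""
    text = ((msg["Subject"] or "") + " " + body_text(msg)).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    return min(10 * len(hits), 30), hits


def triage(raw):
    """Run every layer independently, sum the scores, return the verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings, total = {}, 0
    for layer in (check_attachments, check_links, check_sender, check_urgency):
        score, detail = layer(msg)
        total += score
        if detail:
            findings[layer.__name__] = detail
    verdict = "quarantine" if total >= QUARANTINE_AT else "deliver"
    return {"score": total, "verdict": verdict, "findings": findings}


# Constructed sample messages (not real mail).
PHISHING_SAMPLE = """\
From: IT Helpdesk <helpdesk@example-health.org>
Reply-To: support@example-health-login.com
To: nurse@example-health.org
Subject: Urgent: verify your password immediately
Content-Type: text/plain; charset=utf-8

Your mailbox will be suspended. Verify here: http://example-health-login.com/verify
"""

BENIGN_SAMPLE = """\
From: Records <records@example-health.org>
To: nurse@example-health.org
Subject: Updated visiting hours
Content-Type: text/plain; charset=utf-8

Visiting hours change next week; see https://intranet.example-health.org/hours for details.
"""


def attachment_sample():
    """Constructed message carrying a fake .exe, to exercise layer 1."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "billing@example.net", "nurse@example-health.org", "Invoice"
    m.set_content("See attached.")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="invoice.exe")
    return m.as_string()


if __name__ == "__main__":
    for name, raw in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE),
                      ("attachment", attachment_sample())):
        print(name, triage(raw))
```

Each layer returns its own score and evidence, so a reporting dashboard can show why a message was held, and per-client or per-group thresholds (the AD integration mentioned above) amount to passing a different `QUARANTINE_AT` and domain per tenant.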

Business Associate Agreements and SLAs

Healthcare organizations are required to comply with the Health Insurance Portability and Accountability Act (HIPAA), which has many data privacy and security provisions for ensuring the confidentiality, integrity, and availability of protected health information. Service providers such as MSPs that have access to systems that contain ePHI are classed as business associates under HIPAA, and they are also required to comply with the HIPAA Rules. They must enter into a business associate agreement (BAA) with HIPAA-covered entities, and any subcontractors used by the MSP will also be required to sign a BAA and agree to comply with the HIPAA Rules. Business associates can be fined directly by regulators for HIPAA violations.

In addition to signing a BAA, it is strongly recommended to draw up a service level agreement with each HIPAA-covered entity that outlines the responsibilities of each party with respect to email security and what is covered by the MSP spam filtering service. The SLA should define the services you will be providing to make it clear to your customers what is and is not covered, the hours of support, the extent to which security incidents will be investigated and remediated, and where your responsibilities end. SLAs will help you resolve any disputes with your clients and are invaluable for managing expectations.