Immediate Security Steps for Preventing Email Breaches
Why Workforce Training Isn't Enough
While it's critical for healthcare organizations to provide data security and privacy training to users, they also should consider implementing technology to help prevent user mistakes that can lead to breaches of protected health information, says Geoffrey Bibby of ZixCorp.
"It's obviously important to continue to remain vigilant and disciplined in offering security awareness training, and making staff aware of the fact that you just really shouldn't ever be putting PHI in an unsecured communication channel like email or texting," Bibby says in an interview with Information Security Media Group to discuss the results of the 2015 Healthcare Information Security Today survey of information security and privacy leaders. "However, a safety net that we feel is important to go along with that training is to remove any need for user action in terms of being able to encrypt an email."
Registration for a webinar on the survey results is now available. Also coming soon is a full report with in-depth-analysis of the survey findings.
The survey shows the top measures that healthcare organizations are taking to prevent breaches in 2015 include improving staff training and implementing audit tools to enhance detection of unauthorized access. Also among the top measures they're taking are implementing encryption on mobile and other devices and implementing email encryption.
"Email encryption has progressed and evolved to a point now where you simply have to put in a policy-based email encryption solution and that removes any need for your users to have to concern themselves with whether or not they need to encrypt this sensitive mail or not," Bibby says. "Once the email passes through a gateway that your organization would have, it gets scanned for any sensitive content. And if there is any sensitive content, that would immediately trigger encryption, and it is sent in a secure fashion. So, that's one really simple way that someone can address a very major source of data loss, which is email."
Bibby advises against encrypting mobile devices to help prevent breaches. "We don't believe that encrypting mobile devices is the way to go," he says. "We fundamentally disagree that has to be the path that someone takes, and a lot of our customers ... support the fact that they just don't want the sensitive information on someone's mobile device in the first place."
In the interview, Bibby also discusses:
- How to avoid falling victim to phishing schemes;
- Important steps that healthcare entities can be taking right now to improve their overall information security and privacy programs;
- How secure email technology is evolving.
Bibby joined ZixCorp, a provider of secure email technology, in September 2003 and serves as vice president of corporate marketing. Before joining ZixCorp, he spent six years at Entrust Inc., an Internet security vendor, where he served in various management roles, including marketing director for Entrust European operations.
Key Threats
MARIANNE KOLBASUK MCGEE: We asked our survey respondents about the single emerging cyber threat that they're most worried about in 2015, and the top five threats they are concerned about are: hackers, business associates taking inadequate security precautions for protected health information, growing use of mobile devices including bring-your-own-device, users texting or sending PHI on personally-owned devices, and also cybersecurity threats from nation-states. So now, Geoff, what do you think about those worries? And when you speak to clients on a day-to-day basis, what do they seem most worried about?
GEOFF BIBBY: Well, we experience a lot of what you just mentioned. It's really core to what Zix does. For those that don't know Zix, we've built our brand around delivering encrypted email and email data protection solutions specifically for healthcare and for financial services; organizations that need to comply in this space obviously with HITECH and HIPAA responsibilities. And so we really have a view from the trenches on what organizations are facing. Couldn't agree more with the worries people have about communicating with their business associates, and likewise, we're witnessing a lot of breaches that continue to occur through the whole enabling BYOD and so we definitely support and would validate what you found in your survey.
Breach Prevention
MCGEE: So now, Geoff, when it comes to the steps that organizations say they're taking to prevent breaches in 2015, the top measures are improving staff training on information security and privacy issues and implementing audit tools to enhance detection of unauthorized access. But also on the top 10 steps that they're taking is implementing encryption on mobile and end user devices and also implementing email encryption. So now what should healthcare entities be doing to improve breach prevention, especially as it relates to email and also email attachments?
BIBBY: A great question. So it's obviously important to continue to remain vigilant and disciplined in offering security awareness training and making staff aware of the fact that you just really shouldn't ever be putting PHI in an unsecured communication channel like email or texting. However, a safety net that we feel is important to go along with that training is to remove any need for user action in terms of being able to encrypt an email. What I'm referring to is the email encryption market has progressed and evolved to a point now where you simply have to put in a policy-based email encryption solution, and that removes any need for your users to have to concern themselves with whether they need to encrypt this sensitive mail or not. Once the email passes through a gateway that your organization would have, it gets scanned for any sensitive content and if there is any sensitive content, that would immediately trigger encryption and it would send in a secured fashion. So that's one really simple way that someone can address a very major source of data loss, which is email.
The second thing as it relates to enabling the use of mobile devices, we don't believe that encrypting mobile devices is the way to go. We fundamentally disagree that that has to be the path that someone takes and a lot of our customers, for example, Knoxville Hospital and clinics, would support the fact that they just don't want the sensitive information on someone's mobile device in the first place. And so we have a bit of a different approach to that whole area.
Awareness & Training
MCGEE: Geoff, as I mentioned, improving staff training and awareness about information security and privacy issues is a top priority for survey respondents in 2015. What should organizations be doing in terms of worker awareness related to secure email communication, but also when it comes to not falling victim to phishing attacks, for instance? What do you advise your healthcare clients to do?
BIBBY: Obviously it begins with making sure that you have a comprehensive assessment done and then from there it really just comes down to continuing to have programs in place. We, for example, at Zix, have an automated program in place that even though we're a security vendor and security is top of mind for us every day, we continue to have a compliance program in place that requires us to go through training and just general awareness training of what to or not to do as it relates to email. And one of those things that can be wrapped into that kind of awareness training is related to phishing and knowing what to avoid in terms of spear-phishing attacks or any other sophisticated attacks that people continue to use.
Email Encryption
MCGEE: So now when it comes to security technologies that organizations plan to implement in 2015, audit tools and log management, data loss prevention and intrusion/misuse detection top the list, but also on the top ten list was email encryption. So when it comes to the healthcare industry, how does that compare to other industries in terms of their understanding and use of email encryption from what you see?
BIBBY: The healthcare space has been complying with HITECH and HIPAA for a number of years now, as you know. And so awareness of the need to do something has always been relatively high. They certainly face a lot of challenges as it relates to being resource constrained and so unfortunately there's still lots of organizations that haven't implemented a solution. But yeah, there definitely is a high awareness as it relates to many industries out there. It would be similar to the financial services market, maybe not as many organizations are deployed in healthcare as there are in financial services, but awareness is high.
Encrypted Devices
MCGEE: Geoff, I wanted to go back to something you had mentioned earlier that a lot of healthcare clients that you deal with don't necessarily want to encrypt their mobile devices; they'd rather have protection against sensitive information even ending up on those devices in the first place. What sort of tips do you give those healthcare entities to make sure that happens, that there isn't any sensitive information that gets stored on these mobile devices? Because as we know, many of the large data breaches that have happened in the healthcare sector have resulted from unencrypted devices being lost or stolen, and that's often seen as a safe harbor from the Department of Health and Human Services: if you encrypted the device, you don't necessarily have to report it.
BIBBY: Right. There's some just general awareness and education I think that would really help people, and what I'm referring to is most people think that they would have to put a solution in place to enable BYOD or manage mobile devices that's called MDM, or a mobile device management solution. And the security construct for an MDM solution is based on one fundamental theory, and that is that if you place a lot of sensitive information on someone's personal device, that you will then have the ability later on to simply wipe that. If you simply take anyone's personal phone or a tablet and switch it into airplane mode or put some sort of shield around it so that the command can't get there, then remote wipe becomes remote wish, and you can't very well expect to have comfort around this solution that doesn't guarantee that you can wipe information off of there. What Zix does is a little different in that we don't ever put information on the person's personal device. We simply use that device, we use an app on the device that is merely giving a window back into your corporate exchange server. And so if someone is to lose the device, you're not concerned about that whatsoever because none of your corporate information is ever stored on it. And one of the other really powerful things from the user standpoint is an MDM solution presumes that you're going to get someone to agree to being able to wipe their device.
With a solution like the one I just described where you don't have to store any corporate information on the phone, you don't have to get them to sign such a form. There isn't anything for you to wipe; therefore, there's nothing for them to agree to.
Immediate Security Steps
MCGEE: Overall, what would you say the most important steps are that healthcare entities can be taking right now to improve their overall information security and privacy program? What's most important?
BIBBY: Well, as we said, continuing to remain disciplined around awareness programs is certainly very important. I've never really understood though why it is we don't have full use of encrypted email or encryption within healthcare organizations. And the reason I say this -- as you mentioned, you referenced a safe harbor, you don't have to report the breach if you're showing evidence of using encryption. And it's very, very simple. I think some people may have a jaded view of the difficulty required to encrypt their email or put email data protection in place. I would certainly invite them to revisit that because it has advanced greatly over the years. And it is really very simple and is not a significant resource investment for most organizations.
Steps to Secure Email
MCGEE: Finally, Geoff, what's next when it comes to secure email? How is it evolving?
BIBBY: What I mentioned in terms of greater use of automated tools, where there won't be any expectation on behalf of the corporation, that the user will have to know when to encrypt and when not to encrypt. Those decisions would simply be handled at the gateway and the user will not be burdened with trying to think through the policies and the ins and outs of what does or does not need to be encrypted.
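The policy-based gateway Bibby describes, where every outbound message is scanned for sensitive content and encryption is triggered without any user decision, can be sketched as a small decision routine. The following is an added example for this page, not ZixCorp's code or any vendor's detection rules; the PHI indicators, the organization domain hospital.example and the sample messages are constructed assumptions.

```python
"""
Toy model of a policy-based email encryption gateway.

The gateway inspects subject, body and attachment text of each outbound
message, records which PHI indicators matched, and returns "encrypt" when
sensitive content would leave the organization.  Everything below is an
illustrative assumption (patterns, domain, sample mail), not a real rule set.
"""
import re
from dataclasses import dataclass, field

# Illustrative PHI indicators (assumed patterns, not a vendor's rules).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(
        r"\b(?:MRN|medical record (?:number|#))\s*[:#]?\s*\d{6,10}\b", re.I),
    # ICD-10 style diagnosis code, e.g. E11.9
    "icd10": re.compile(r"\b[A-TV-Z]\d{2}(?:\.\d{1,4})?\b"),
    "keyword": re.compile(
        r"\b(?:diagnosis|prescription|lab results?|patient)\b", re.I),
}

INTERNAL_DOMAIN = "hospital.example"  # assumed organization domain


@dataclass
class Email:
    sender: str
    recipients: list
    subject: str
    body: str
    # attachment filename -> text already extracted by the gateway
    attachments: dict = field(default_factory=dict)


@dataclass
class Decision:
    action: str   # "encrypt" or "deliver"
    reasons: list  # which indicators fired, and where


def scan_text(text):
    """Return the sorted names of PHI indicators that match `text`."""
    return sorted(name for name, rx in PHI_PATTERNS.items() if rx.search(text))


def is_external(address):
    """True when the recipient is outside the organization's domain."""
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def evaluate(email):
    """Apply the policy: encrypt if PHI is present and any recipient is external.

    The user never decides; the gateway does, based on content plus recipient.
    Attachments are scanned too, since PHI often travels as an attached file.
    """
    hits = set(scan_text(email.subject)) | set(scan_text(email.body))
    for name, text in email.attachments.items():
        for hit in scan_text(text):
            hits.add(f"{hit} (attachment {name})")
    external = [r for r in email.recipients if is_external(r)]
    if hits and external:
        return Decision("encrypt", sorted(hits))
    return Decision("deliver", [])


if __name__ == "__main__":
    # Constructed sample traffic, not real messages.
    samples = [
        Email("dr@hospital.example", ["billing@payer.example"], "Claim",
              "Patient John, MRN 12345678, dx E11.9"),
        Email("dr@hospital.example", ["nurse@hospital.example"],
              "Patient update", "Patient John, MRN 12345678"),
        Email("hr@hospital.example", ["ext@other.example"], "Forms",
              "Attached.", {"form.txt": "SSN 123-45-6789"}),
    ]
    for m in samples:
        d = evaluate(m)
        print(f"{m.subject!r:18} -> {d.action:8} {d.reasons}")
```

Mail that stays inside the organization is delivered as-is even when it contains PHI, while a single external recipient is enough to force encryption; a real gateway would also log every decision so that audit tooling can review what left the organization and why.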