
Ensuring Email Security and Availability in Healthcare

By Stacey McDaniel

As with many other industries, email has become a mission-critical component for every individual and group in a healthcare organization, from those providing patient care to those who oversee the daily management of business operations. In the patient/physician setting, email is transforming communication, treatment, and care, while on the operations side, millions of transactions are processed each day via email at a fraction of the time and costs associated with hard copies. However, if left unprotected, or unavailable, email can interfere with a healthcare organization's primary mission of providing high-quality patient care.

Email security concerns

The complexity of securing and making email available grows every day. For one, email is becoming a de facto distribution method in the increasingly sophisticated world of viruses, phishing attacks, fraud, spyware, and blended threat techniques. Spam also continues to be a pervasive problem, resulting in lost productivity, wasted network and storage resources, and liability for organizations that are not doing what they can to deal with the problem. IDC estimates the amount of spam being sent on an average day worldwide jumped from 4 billion messages in 2001 to 17 billion last year. Lastly, the diverse and remote nature of most healthcare IT networks poses additional challenges for IT staff. Ensuring that the proper security technology is installed on all devices -- from desktops to handheld computers to remote email servers -- can be a daunting challenge.

Ensuring email security and availability

Building a flexible solution for a dynamic IT environment that is also secure and available can pose a challenge for IT groups in healthcare organizations, but there are cost-effective ways to achieve it. First, begin with a layered approach that starts at the earliest point of entry onto the network, through to the end user and beyond to archiving and storage systems.

  • Security: The first line of defense should be user education and awareness regarding email usage policies and best practices. For example, all users should know to avoid the following: replying to spam messages, using unsubscribe links, following links in suspicious emails, opening email attachments where there is no clear business relevance or where the intention is suspect (i.e., the attachment may contain a virus or vulnerability patch), and paying attention to virus hoaxes.

Beyond user education, technology is still needed to stop email threats. The most common virus content found in email is the product of mass-mailer worms. Gateway-based antivirus scanners should be used to identify and distinguish mass-mailer worms so they can be removed before causing harm. A policy to delete attachments when the presence of a suspect extension type, such as .scr and .pif, is detected can also be employed. A reliable and accurate antispam solution that is integrated and frequently updated is also recommended.

  • Archiving: Email systems weren't designed to store the high volume of data that is typically sent and received today. IT administrators are well aware of the need to store this data, and are finding a few ways to do so. Email archiving systems are being used to store messages and information according to rules such as date and size of message as outlined in a custom policy. Depending on the rules set by the policy, messages and attachments may be moved to a secondary -- and often less expensive -- storage location. Message archiving solutions allow organizations to provide users with a seemingly infinite mailbox while controlling storage usage on the primary messaging servers. Not only is archiving an efficient way to house overflow data, it is considered a best practice with regard to the privacy and security concerns of HIPAA because it offers a way to preserve protected healthcare information.

  • Build a resilient foundation: Just as important as maintaining the security and availability of email information is the need to build the email infrastructure on a resilient foundation -- one that is robust in its ability to meet growing demands, resistant to failure, and able to quickly recover when failure occurs. Storage management and clustering software are the key technologies that should be employed for building this scalable email infrastructure.

Addressing availability starts with ensuring protection of the email data using a backup and recovery solution. To minimize the business disruption, backup software should offer a single management tool to consolidate all backup and recovery operations, while providing management, alerting, reporting, and troubleshooting technologies at the same time. It is also important that healthcare organizations take advantage of both tape and disk storage, with its advances in disk and snapshot-based protection, off-site media management, and automated disaster recovery.

The right storage management solution will allow administrators to perform nearly all storage-related tasks online without having to take storage offline to perform these regular maintenance functions. Clustering technology should be able to mirror data for redundancy and automatically move data from failing disks to healthy disks to cut downtime from unplanned events, or to quickly move an application from a failed server to a healthy server.
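The gateway attachment policy described under Security above (delete attachments with a suspect extension such as .scr or .pif) can be sketched with Python's standard email library. This is an added example, not code from the article or any product it describes; the function names, the notice text, and the sample message are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions the article names; a production block list would be longer.
SUSPECT_EXTENSIONS = (".scr", ".pif")

def suspect_extension(filename):
    """Return the blocked extension the filename ends in, or None."""
    # Case-fold and drop trailing dots/spaces (ignored by Windows), so that
    # "Results.pdf.SCR" and "x.pif. " are judged by their real final extension.
    name = filename.strip().rstrip(". ").lower()
    return next((ext for ext in SUSPECT_EXTENSIONS if name.endswith(ext)), None)

def strip_suspect_attachments(raw):
    """Return (message, removed_names); blocked attachments become a notice."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        filename = part.get_filename()  # decodes RFC 2231/2047 encoded names
        if filename and suspect_extension(filename):
            removed.append(filename)
            # set_content() clears the old payload and Content-* headers first.
            part.set_content(f"[Attachment {filename!r} removed by gateway policy]")
    return msg, removed

def build_sample():
    """Constructed sample: one benign attachment and one double-extension .SCR."""
    m = EmailMessage()
    m["From"] = "sender@example.org"
    m["To"] = "staff@example.org"
    m["Subject"] = "Lab results"
    m.set_content("See attached.")
    m.add_attachment(b"%PDF-1.4 sample", maintype="application",
                     subtype="pdf", filename="results.pdf")
    m.add_attachment(b"MZ sample", maintype="application",
                     subtype="octet-stream", filename="Results.pdf.SCR")
    return m.as_bytes()

if __name__ == "__main__":
    cleaned, removed = strip_suspect_attachments(build_sample())
    print("removed:", removed)
    for part in cleaned.walk():
        if not part.is_multipart():
            print(part.get_content_type(), part.get_filename())
```

Extension matching is only one layer: it does not inspect file content, so it complements the gateway antivirus scanning the article recommends rather than replacing it.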

Conclusion

As email enhances seemingly every facet of healthcare in the 21st century, the benefits continue to be tempered by security and privacy concerns. Email has become a mission-critical component for individuals and groups in healthcare organizations, and a flexible solution that ensures its security and availability must be employed.

Stacey McDaniel has been writing about high-tech issues for more than six years.

CIO Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.

Fast Fact

"The amount of spam being sent on an average day worldwide jumped from 4 billion messages in 2001 to 17 billion in 2004."

--IDC
