
Tips for Email Security

May 5th, 2016 is World Password Day – a day created to encourage safe password practices. The best defense against external threats is staying informed and diligent with your security practices, especially when it comes to email security.

Here are some tips to help stay safe from email threats:

  • Never share your password. Anyone requesting it by email is phishing for access to your account; reputable businesses do not ask for passwords or other personal information by email.
  • Change your password regularly and make it strong: at least eight characters, mixing upper- and lower-case letters, numbers, and special characters.
  • DO NOT open email attachments unless you know the sender, are expecting an attachment from them, or can verify with the sender that they sent it. If you receive an attachment you cannot verify, DELETE IT; having someone resend it is the lesser cost.
  • DO NOT reply to spam or to messages that seem suspicious.
  • Learn to recognize phishing and spear-phishing attacks. Techniques frequently used to steal credentials include:
      • Messages that threaten to stop services or shut down your accounts
      • Emails that request personal information (account numbers, PHI, credit card information, passwords, etc.)
      • Emails that use words such as “Urgent” or “Immediate Response Requested”. These words raise a sense of alarm and make you feel that a reply is warranted
      • Forged sender addresses. These can be hard to notice because some email clients show only the display name and hide the actual address. If a message looks suspicious, check the sender’s true identity in the email headers (for example, compare the From address with the Return-Path and Received headers)
      • Poor writing or grammar errors
  • Be careful with links in email. Before clicking anything, hover over the link to see where the URL actually points and whether it looks legitimate. You can also check a link by submitting it to virustotal.com or searching for it in Google.
  • Be aware of where you post personal information. Spammers trawl social media sites for details they can use to make their emails look legitimate or to guess your password.
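Two of the checks above (does the From address match the envelope sender in Return-Path, and does a link's visible text agree with where its href really goes) can be automated. The script below is an added example, not code from the original post; the message it parses is a constructed sample on reserved example domains, and the two-label approximation of a registrable domain is a simplification of what a production tool would do with the Public Suffix List.

```python
"""Automated versions of two checks from the tips above: From: versus
Return-Path: domain, and link text that names one domain while the href
points at another. Added example; the sample message is constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real capture): the display name claims "Acme Bank",
# the envelope sender is on another domain, and the first link's text disagrees
# with its href. All hosts are reserved example domains.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.7])
From: "Acme Bank Security" <alerts@acmebank.example.com>
To: user@example.org
Subject: URGENT: Immediate Response Requested
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended. Verify now:</p>
<a href="http://acmebank.example.com.login-verify.example.net/x">https://www.acmebank.example.com/login</a>
<a href="https://www.acmebank.example.com/help">Help Center</a>
</body></html>
"""


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.
    Good enough here; a production tool should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_sender(msg):
    """Flag a From: domain that differs from the Return-Path: (envelope) domain."""
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    if not (from_addr and return_path):
        return []
    from_dom = registrable_domain(from_addr.rpartition("@")[2])
    rp_dom = registrable_domain(return_path.rpartition("@")[2])
    if from_dom != rp_dom:
        return ["From domain %s differs from Return-Path domain %s" % (from_dom, rp_dom)]
    return []


def check_links(html):
    """Flag links whose visible text is a URL on a different domain than the href."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        shown = re.match(r"https?://([^/\s]+)", text)
        if not shown:
            continue  # plain text like "Help Center" gives the user nothing to compare
        real_host = urlparse(href).hostname or ""
        if registrable_domain(shown.group(1)) != registrable_domain(real_host):
            findings.append("link text shows %s but href goes to %s" % (shown.group(1), real_host))
    return findings


def analyze(raw_message):
    """Return all findings for a raw RFC 5322 message string."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = check_sender(msg)
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings.extend(check_links(body.get_content()))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_MESSAGE):
        print("SUSPICIOUS:", finding)
```

A mismatch between From and Return-Path is common for legitimate bulk mail sent through a provider, so treat it as a signal to look harder, not as proof of forgery; the link-text mismatch is the stronger indicator, because there is no honest reason to display one URL and send the reader to another.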

Following these few tips will help keep your email more secure and your password-protected information safe.

They’ve Got Your Email

Lost or stolen laptops, and now smartphones, holding unencrypted data account for many compliance violations, and often the confidential data is inside an email. We recommend an email security solution, such as Proofpoint, with integrated Data Loss Prevention (DLP) and policy-based encryption to minimize the risk of disclosing protected data.

Data Loss Prevention (DLP) systems identify emails and attachments containing protected data such as patient IDs, SSNs, and credit card numbers. The majority of regulatory compliance issues come from inadvertent data loss, so we recommend a system that supports selective, sender-based remediation. For example, a hospital administrator may attach a spreadsheet containing information on multiple patients. The options should include temporarily holding the message and notifying the sender about the content it contains, as well as blocking the message permanently, releasing it, or encrypting it before it is sent.
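The content check at the heart of such a system is pattern matching with validation, so that a spreadsheet row holding an SSN or a card number is held while an invoice number that merely looks like a card number is not. The script below is an added example of that check, not the page's or Proofpoint's code; the spreadsheet-style text it scans is constructed, the SSN rules follow SSA assignment constraints, and the card check uses the Luhn checksum.

```python
"""Minimal DLP content check: find SSNs and payment card numbers in outbound
message text and return a hold/allow decision for a sender-remediation
workflow. Added example; the sample text is constructed."""
import re

# SSN: area not 000/666/9xx, group not 00, serial not 0000 (SSA assignment rules)
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by single spaces or dashes; Luhn-checked below
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample: one patient row with a test card number, plus a reference
# number that matches the digit pattern but fails Luhn (so it must not be flagged).
SAMPLE_TEXT = """\
Patient,SSN,Card on file
J. Doe,123-45-6789,4111 1111 1111 1111
Invoice ref 1234567890123 (not a card number)
"""


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_ssns(text):
    """Return SSN-formatted values that satisfy the assignment rules above."""
    return SSN_RE.findall(text)


def find_card_numbers(text):
    """Return card-number candidates that pass the Luhn check, as written in the text."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(m.group())
    return hits


def classify(text):
    """Policy decision: ('hold', findings) when protected data is present, else ('allow', [])."""
    findings = [("ssn", s) for s in find_ssns(text)]
    findings += [("card", c) for c in find_card_numbers(text)]
    return ("hold", findings) if findings else ("allow", [])


if __name__ == "__main__":
    decision, found = classify(SAMPLE_TEXT)
    print(decision)
    for kind, value in found:
        print("  %s: %s" % (kind, value))
```

Without the Luhn step the invoice reference in the sample would be held too, which is exactly the kind of false positive that makes senders stop reading DLP notifications. A real gateway would additionally extract text from attachments (spreadsheets, PDFs, archives) before running the same check, and would apply the per-sender remediation policy to the resulting decision.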

Policy-based email security solutions need to work with the many types of mobile devices that have proliferated within most organizations. The best approach is to scan email at the gateway so that every message is checked whether it originates from a desktop or a mobile device. We like Proofpoint because recipients of encrypted emails also get a mobile-optimized experience: if they open an encrypted message from a mobile device, optimized pages are displayed, and no mobile client software is required, so every recipient gets the same experience regardless of whether the device is an iPhone, Android, Windows Mobile, or BlackBerry.

Target – FAPD Phishing HIPAA Breach

On June 1st, the Florida Agency for Persons with Disabilities (FAPD) disclosed that a phishing attack had compromised a single email account. The account contained PHI of over 1,951 customers and/or guardians. Although no evidence indicated that the information had been accessed, FAPD could not rule out that it had been. As a result, FAPD is providing the potentially affected individuals with free credit monitoring for the following year.

Proficio Threat Intelligence recommendations:

  • Implement multi-factor authentication for email access by users who may access ePHI
  • Validate that mailbox auditing is enabled so that you can prove which emails were accessed during a user session
  • Limit email access to IP addresses geolocated within the organization’s place of business
