Are your emails safe?

Why you need to be more concerned about email security - and what you can do about it.

Since revelations that the U.S. government is collecting massive amounts of data from electronic communications, the notion of online privacy has taken a big hit. Yet the loss of sensitive patient data is not merely a question of government snooping or corporate espionage. Email poses the highest risk for accidental data exposure, breaches of privacy or non-compliance with data protection regulations.

Your email is an open book. Almost all email traffic traverses the public internet unencrypted in plain text format. It’s like sending a postcard in the mail. Anyone that stumbles across it, either maliciously or coincidentally, can read the full content without you ever knowing. You might be wondering who could be interested in reading your email.


What about your ISP or online mail service provider? Google is definitely interested. In a recent court filing, Google acknowledged that Gmail users have no “reasonable expectation” of privacy or confidentiality. In its motion to dismiss a May 2013 class action lawsuit against it, Google stated:

“All users of email must necessarily expect that their emails will be subject to automated processing. Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use web-based email today cannot be surprised if their emails are processed by the recipient’s [email provider] in the course of delivery. Indeed, a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.”

That’s a “stunning admission,” according to the Consumer Watchdog advocacy group, which recommends that people concerned with email privacy shouldn’t use Gmail. Unfortunately, that’s no solution. It’s about as practical as recommending people not use email at all. Even if you don’t use Gmail, undoubtedly you have to correspond with patients, partners or other stakeholders who do.

But the risks with email are not limited to intentional snooping by the likes of Google or the NSA. How many times have you accidentally “replied all” to an email intended for one recipient? Or accidentally sent an email to the wrong individual thanks to auto-complete in your email client? This happens all the time. And the consequences of sending sensitive information to the wrong person could be devastating, ranging from publicly acknowledging a leak to fines, loss of trust, reputation damage and worse.


Then there are the latest email attacks to consider, such as phishing, which continue to evolve. Phishing is the act of attempting to acquire information such as usernames, passwords or credit card details by masquerading as a trustworthy email.


Phishing is often successful because of a technique known as email address spoofing, where the attackers use addresses in the “from” field that mimic legitimate accounts such as a bank, or even one using your company’s domain name to make the email appear to come from an internal sender like one of your staff.
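One defender-side check that catches the spoofing just described, written here as an added example rather than code from the original article: it reads the Authentication-Results header that the receiving mail server stamps on an inbound message and verifies that the visible From domain aligns with the domain that actually passed SPF or DKIM, which is the core of a DMARC alignment check. A message whose From field shows your own domain while the authenticated identities belong to someone else is exactly the case spoofing relies on. The clinic domain, the mailer domain and both messages are constructed for the example; the alignment rule is a simplified version of DMARC's relaxed mode.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed inbound message (hypothetical domains): the From header shows
# our own domain, but SPF and DKIM passed for an unrelated mailer domain.
SPOOFED_MESSAGE = """\
Authentication-Results: mx.example-clinic.test; spf=pass smtp.mailfrom=bounce.mailer-farm.test; dkim=pass header.d=mailer-farm.test
From: "IT Helpdesk" <helpdesk@example-clinic.test>
To: staff@example-clinic.test
Subject: Password reset required

Please confirm your credentials at the link below.
"""

# Constructed legitimate message: authenticated domains match the From domain.
LEGIT_MESSAGE = """\
Authentication-Results: mx.example-clinic.test; spf=pass smtp.mailfrom=example-clinic.test; dkim=pass header.d=example-clinic.test
From: "IT Helpdesk" <helpdesk@example-clinic.test>
To: staff@example-clinic.test
Subject: Maintenance window

Mail will be unavailable Saturday 02:00-03:00.
"""


def _domain(identity):
    """Domain part of an address, or the identity itself if it is already a domain."""
    return identity.rsplit("@", 1)[-1].lower()


def authenticated_domains(auth_results):
    """Domains that passed SPF (smtp.mailfrom) or DKIM (header.d) according to
    an Authentication-Results header value."""
    domains = set()
    for m in re.finditer(r"spf=pass\s+smtp\.mailfrom=([^\s;]+)", auth_results, re.I):
        domains.add(_domain(m.group(1)))
    for m in re.finditer(r"dkim=pass\s+header\.d=([^\s;]+)", auth_results, re.I):
        domains.add(m.group(1).lower())
    return domains


def _aligned(from_domain, auth_domain):
    """Simplified relaxed alignment: the two domains are equal or one is a
    subdomain of the other (real DMARC compares organizational domains)."""
    return (from_domain == auth_domain
            or auth_domain.endswith("." + from_domain)
            or from_domain.endswith("." + auth_domain))


def from_header_aligned(raw_message):
    """True when the visible From domain is backed by a passing SPF or DKIM
    result for an aligned domain; False means the From header is unverified."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    auth = msg.get("Authentication-Results", "")
    return any(_aligned(from_domain, d) for d in authenticated_domains(auth))


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(f"{label}: From header aligned = {from_header_aligned(raw)}")
```

A gateway or mail filter would run this after its own SPF and DKIM evaluation and quarantine or tag messages that return False; the check only carries weight when the Authentication-Results header is one your own server wrote, so strip any copy of that header arriving from outside before evaluating it.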

The latest trend is to target specific individuals or groups within organizations in a more personal and devious manner, now called spearphishing. Spearphishing is a common tactic of Advanced Persistent Threat campaigns, which aim to gain entry to the target organization’s network and obtain confidential information.


If you want to shoot for compliance, here are three simple steps:

  • Start with defining a policy and educating users. Provide your employees and stakeholders with a documented policy that explains the key elements of your data loss prevention strategy. Focus on the types of data you need to protect, your motivations for protecting it, the consequences if you don’t and the procedures to follow to ensure it’s protected.

  • Deploy email data protection technology. Your users and policy must be supported by effective, transparent technology. You need a solution to protect from accidental loss and to secure sensitive data that must leave the organization. A secure email gateway with policy-based encryption is an essential element of any effective data protection compliance solution.

  • Start with the essentials, expand over time. Data protection can easily become overwhelming, which is why it’s important to prioritize your data protection needs. Start with the most likely source of leaks: email. Make sure you’ve got the necessary policies in place to protect your most sensitive client, employee or partner data first, including credit card numbers, Social Security numbers and other HIPAA data. Once those policies are running smoothly, you should consider broadening your implementation.
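The three steps above describe a policy, a gateway that enforces it, and a starting scope of credit card and Social Security numbers. The following added example (not code from the original article or from any product it mentions) shows what the enforcement point of such a policy looks like: it scans an outbound message for card numbers and SSNs, uses the Luhn check so that an arbitrary 16-digit order number is not mistaken for a card, and decides whether the gateway should deliver the message as-is or route it through encryption because sensitive data is leaving the organization. The clinic domain, the partner domain and the three messages are constructed; the policy actions are an assumption for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed outbound messages (hypothetical domains, test card number).
OUTBOUND = [
    # Sensitive data to an external recipient: must be encrypted.
    """\
From: billing@example-clinic.test
To: claims@insurer-example.test
Subject: Claim follow-up

Patient SSN 123-45-6789, card on file 4111 1111 1111 1111.
""",
    # Looks like a card number but fails the Luhn check: deliver normally.
    """\
From: frontdesk@example-clinic.test
To: supplies@vendor-example.test
Subject: Order status

Order number 1234 5678 9012 3456 has shipped.
""",
    # Sensitive data, but staying inside the organization: deliver.
    """\
From: hr@example-clinic.test
To: payroll@example-clinic.test
Subject: New hire

SSN for onboarding: 123-45-6789
""",
]

# SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card number: 13 to 19 digits with optional space or dash separators.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum over a string of digits (card numbers must pass it)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Card-number candidates that also pass Luhn, separators removed."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def _text_of(msg):
    """Subject plus all text/plain content of a parsed message."""
    parts = [msg.get("Subject", "")]
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                parts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    else:
        parts.append(msg.get_payload())
    return "\n".join(parts)


def classify(raw_message):
    """Set of data labels found in the message: 'PAN' and/or 'SSN'."""
    text = _text_of(message_from_string(raw_message))
    labels = set()
    if find_pans(text):
        labels.add("PAN")
    if SSN_RE.search(text):
        labels.add("SSN")
    return labels


def decide(raw_message, internal_domain):
    """Hypothetical policy: sensitive data leaving the organization is
    encrypted; everything else is delivered as-is (still logged by the gateway)."""
    msg = message_from_string(raw_message)
    labels = classify(raw_message)
    recipients = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    external = [a for a in recipients if not a.lower().endswith("@" + internal_domain)]
    action = "encrypt" if labels and external else "deliver"
    return {"labels": labels, "external_recipients": external, "action": action}


if __name__ == "__main__":
    for raw in OUTBOUND:
        print(decide(raw, "example-clinic.test"))
```

The internal-versus-external decision is also where the accidental "reply all" and auto-complete mistakes mentioned earlier get caught: the same recipient check that triggers encryption can be extended to hold a message for confirmation when sensitive data is addressed to a domain the sender has never corresponded with.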