Posts

Infographic: Ransomware’s Devastating Impact on Real-World Businesses

Still relatively new to the cyber threat landscape, ransomware continues to be one of the high-profile malware types that grab headlines. It’s one part Hollywood-style drama mixed with the “mystery” of cryptocurrencies and the seemingly personal nature of ransomware attacks.

But it’s not hyperbole. Ransomware remains one of the most malicious cyberattacks that can cripple a business. SonicWall’s new infographic highlights composite data that demonstrates how ransomware impacts businesses’ ability to operate.

So, how do you prevent your organization from being severely disrupted by ransomware? The best approach is to use multiple layers that deliver automated, real-time breach detection and prevention. While this isn’t an exhaustive list of all security options, these cornerstone tactics will mitigate most of today’s most malicious cyberattacks, including ransomware.

How to Block Ransomware

Businesses have no choice but to proactively mitigate ransomware attacks. But is there a proven approach that can cost-effectively scale across networks and endpoints? Four key security capabilities make full ransomware protection possible.

  1. Next-Generation Firewall

    Detect and prevent cyberattacks with power, speed and precision.
    Next-generation firewalls (NGFW) are one of your first lines of defense against hackers, cybercriminals and threat actors.

    For example, SonicWall firewalls deliver real-time, cloud-based threat prevention, while augmenting the security from on-box deep packet inspection of SSL traffic (DPI-SSL). And all new SonicWall firewalls integrate with our award-winning network sandbox for advanced threat protection.

  2. Network Sandbox

    Identify and stop unknown attacks in real time.
    A network sandbox is an isolated environment on the firewallthat runs files to monitor their behavior. SonicWall Capture Advanced Threat Protection (ATP) is a multi-engine sandbox service that holds suspicious files at the gateway until a verdict can be achieved.

    Capture ATP also features Real-Time Deep Memory InspectionTM (RTDMI). RTDMI is a memory-based malware analysis engine that catches more malware, and faster, than behavior-based sandboxing methods. It also delivers a lower false-positive rate to improve security and the end-user experience.

  3. Email Security

    Filter email-borne attacks before they hit your network.
    Secure email solutions deliver comprehensive inbound and outbound protection from advanced cyberattacks, including ransomware, phishing, business email compromise (BEC), spoofing, spam and viruses. Proven solutions will be available in on-premise email security appliances and hosted secure email.

    SonicWall Email Security also integrates with Capture ATP to protect email from advanced threats, such as ransomware and zero-day malware.

  4. Advanced Endpoint Client Security

    Block ransomware before it compromises user devices.
    Traditional antivirus (AV) has been trusted for years to protect computers. This was a sound approach when the total number of signatures required numbered in the hundreds of thousands. Today, millions of new forms of malware are discovered each month.

    To protect endpoints from this endless onslaught of malware attacks, SonicWall recommends using a next-generation antivirus (NGAV) solution that can monitor the behavior of a system to look for malicious activities, such as the unauthorized encryption of your files.

    For example, SonicWall Capture Client delivers advanced malware protection and additional security capabilities for SonicWall firewall

Ransomware remains one of the most damaging cyberattacks to businesses. Follow these four ransomware protection best practices to help ensure ransomware does not impact your ability to operate.

Advancing Beyond Hygiene to Next-Gen Email Protection Services

This story originally appeared on MSSP Alert and was republished with permission.


Most of us have a love-hate relationship with email. It’s been around for what seems like forever and while new channels of communication like Slack are making inroads, email is still the primary means of communicating in most organizations.

Since it is so ubiquitous, we know it will be a primary target of malicious attackers. Because of the attack surface area, attackers have been targeting email as a point of entry into organizations for over a decade. Most companies have responded with some form of email security solution. However, there seems to be a disconnect in outcomes versus goals in the industry.

For instance, 90 percent of current attacks against organizations use spear phishing as the primary means of breaching those organizations, yet most people would say they have email security in place.

Preventing Spam is Only the First Step

The major problem we are having as a security industry is that most people believe they have “security” for their email systems, but what they really have is hygiene. Email hygiene can be defined as “the process of keeping the inbox clean by keeping spam and unwanted advertisements away.”

It’s easy to think that hygiene is security because when email was new, spam was the major source of annoyance and security breaches — we’ve all dealt with Nigerian prince scams.

According to a recent FBI Public Service Announcement, business email compromise is a $12 billion problem today. Anti-malware and anti-spam are hygiene tools provided for free by cloud service providers, such as O365 and G Suite, as part of their mailbox functionality, but these tools do not stop evolving, sophisticated attacks.

Unfortunately, security industry nomenclature to customers hasn’t changed. The consequence has been continual breaches in organizations that believe they have security in place, but the reality is the hygiene solutions they have in place aren’t up to the task of stopping advanced email penetration techniques.

We need to move our language more toward discussing hygiene solutions and advanced email security solutions. What customers need isn’t email security (aka hygiene) but next-generation email security focused on identifying advanced threats. A next-gen email security solution should include:

  • Targeted phishing and email fraud protection
  • Unknown threat detection capabilities beyond just a “sandbox”
  • Compatibility beyond on-premises email server to O365, Gmail, etc.
  • Outbound protection to minimize potential data leakage
  • Hygiene capabilities as needed

Next-Gen Email Security Opportunity

While education is required, customers are starting to realize the need to supplement the native security functionalities with dedicated advanced threat protection (ATP) capabilities.

Gartner says over 50 percent of customers will look for dedicated security tools. MSSPs should look to provide a next-gen email security solution to their customers. This not only solves a real customer problem, but can also:

  • Increase your monthly recurring revenue with a next-gen email security solution as an additional value-added service for your customer
  • Lower analyst workload by blocking threats proactively
  • Enable better translation to real business impact – email addresses are associated with real people in the business rather than just an IP address
  • Reduce risk of liability – if customers are better protected, the chance of a significant breach is lower
  • Ride on the Microsoft Office 365 wave

The transition to Microsoft Office 365 (O365) is interesting as it both presents an opportunity and creates additional fear, uncertainty and doubt in the market. Businesses realize the benefits of moving their IT to the cloud (lower total cost of ownership, easier management, etc.) and email Exchange server was one of the first to move to the cloud.

However, O365 customers are often unsure of the level of security they get. An SMB customer typically evaluates the two Exchange Online Protect plans (EOP 1 and EOP 2). Let’s see what the customer is paying for:

  • In EOP 1, for $4/user/month, customers get the mailbox functionality and known malware protection included with anti-spam and anti-virus. Customer must upgrade to EOP 2 plan at $8/user/month for the addition of DLP functionality.
  • What’s not included is the ATP sandbox. If a customer wants that protection against today’s advanced threats, he needs to pay an additional $2/user/month for the add-on service.

Powering Your Advanced Email Protection Service with SonicWall

This opportunity is ripe, so it’s important that you not only find an effective technology, but a partner that will help you enable your service quickly. To protect against today’s advanced threats, SonicWall’s award-winning solution provides a multi-layered defense mechanism:

  • A multi-engine sandbox to catch the most evasive of malware. Our sandbox supports and scans extensive file attachment types and can scan over 70 percent of the files in under five seconds.
  • To stop spoofing attacks, business email compromise and email fraud, powerful email authentication, including SPF, DKIM and DMARC, is automatically included.
  • In-house anti-phishing, anti-spam and multiple anti-virus technologies protect against known threats.
  • Real-time threat intelligence feeds powered by Capture Labs that include signatures of newly found threats and IP based reputation for URL filtering.

Purpose-Built for MSSPs

The SonicWall secure email platform is built with MSSPs in mind to not only reduce the cost of management, but to ensure your brand is at the forefront:

  • Multi-tenant platform with flexible deployment options – hardware, software, virtual and cloud
  • Customizable branded experience
  • Integration with restful APIs and syslog alerting
  • Built-in O365 integration

The SonicWall SecureFirst MSSP program will help you implement the email security solution quickly, reduce time to market and take advantage of this great market opportunity. Some of what the MSSP program includes:

  • Service description templates
  • MSS pricing option
  • MSS specific setup and operation guides

MSSPs have a major opportunity here to educate their market on the differences between hygiene and security. And SonicWall’s MSSPs are doing exactly that.

A case in point: According to Erich Berger of Secure Designs Inc., a SonicWall SecureFirst MSSP Partner: “Within an hour of being installed it saved one particular customer from an Emotet infostealer malware variant.”

SonicWall Email Security Wins Coveted 2018 CRN Annual Report Card (ARC) Award

Once again, SonicWall Email Security has been recognized at the top of its class for protecting the No. 1 threat vector: email. The solution was named the overall winner by sweeping the 2018 CRN Annual Report Card (ARC) email security category.

The solution has won three prestigious security awards to date in 2018. This is a testament toward the innovation and effort the SonicWall team has invested the last 18 months in key focus areas: advanced threat protection, administrative ease, product support and channel enablement.

“An ARC award is one of the industry’s most prestigious honors. It symbolizes a vendor’s dedication to delivering high quality and innovative product and program offerings to their channel partners,” said Bob Skelley, CEO, The Channel Company. “CRN’s Annual Report Card provides solution providers with the rare opportunity to offer their invaluable insight on vendors’ products and services, as well as their partner programs. As a result, the technology suppliers are equipped with actionable feedback to bolster their efforts to remain the best-of-the-best.”

The Annual Report Card summarizes results from a comprehensive survey that details solution provider satisfaction across product innovation, support and partnership for hardware, services and software vendors. The vendors with the highest ratings are named to the prestigious Annual Report Card list of winners and celebrated as best-in-class by their partners.

The results also provide the IT vendor community with valuable feedback — directly from their solution providers — that can be used to refine product offerings, enhance support and improve communication with partners.

This year’s group of honorees was selected from the results of an in-depth, invitation-only survey by The Channel Company’s research team. More than 3,000 solution providers were asked to evaluate their satisfaction with more than 65 vendor partners in 24 major product categories.

SonicWall Email Security is a multi-layer solution that protects organizations against advanced email threats such as targeted phishing attacks, ransomware and business email compromise. The key capabilities include:

  • Real-time threat intelligence feeds from over 1 million security sensors deployed globally and delivered through the SonicWall Capture Cloud Platform.
  • Dynamic scanning of suspicious email attachments and embedded URLs using the award-winning, multi-engine SonicWall Capture Advanced Threat Protection (ATP) sandbox service with Real-Time Deep Memory Inspection (RTDMITM).
  • Anti-phishing technology uses a combination of methodologies such as machine learning, heuristics, reputation and content analysis.
  • Powerful antispam and antivirus engines to protect against known malware and spam.

The solution can be deployed as hardened physical appliances, robust virtual appliances or a resilient cloud email security service. And whether an organization uses on-premises email servers or cloud services, such as Microsoft Office 365 or Google G Suite, SonicWall’s solution delivers best-in-class threat protection through seamless and simple integrations.

Given that email continues to be a top attack vector in the cyber arms race, SonicWall is committed to enhancing the solution to better protect its users from advanced email threats.

The 2018 Annual Report Card results can be viewed online at www.crn.com/arc.

Report: Low Confidence in Stopping Business Email Compromise (BEC), CEO Fraud

Email is the primary tool for business communications and it’s used across the globe by organizations of all sizes. So, it’s no surprise that email is also today’s No. 1 threat vector for cyberattacks.

The cyber threat landscape has evolved to a great extent. Today, email attacks are highly targeted and cybercriminals engage in extensive social engineering activities to learn information about their targets in order to craft personalized emails.

Such targeted and sophisticated phishing attacks have a higher success rate than mass campaigns. Users implicitly trust a familiar name or email with personal information. These email may contain malicious attachments, weaponized URLs to deliver malicious payloads, phishing websites with fake login pages to steal login credentials, or malware-less email that seeks confidential information or a wire transfer.

With the changing threat landscape, coupled with the lack of human and financial resources to keep pace, organizations find themselves as susceptible targets for email-based attacks, such as spear-phishing and CEO fraud/business email compromise (BEC).

To that end, SonicWall recently worked with the Osterman Research and surveyed organizations to understand:

  • What are the top concerns for IT security decision-makers?
  • Why are cyberattacks succeeding?
  • How do you evaluate your current security posture?

Some of the key survey findings include:

  • Cyber threats are becoming more sophisticated as well-financed cybercriminal gangs develop improved variants of malware and social-engineering attacks. The perceived effectiveness of current security solutions is not improving – or is actually getting worse – for many organizations.
  • Most decision-makers have little confidence that their security infrastructure can adequately address infections on mobile devices, CEO fraud/BEC and preventing user’s personal devices from introducing malware into the corporate network.
  • To address the worsening threat landscape, security spending at mid-sized and large organizations will increase by an average of seven percent in 2018 compared to 2017.

The white paper also discusses the level of confidence that security professionals have in defending against these advanced threats. For example, 58 percent of those surveyed believe that their current solutions to eliminate malware before it reaches end users are either “very good” or “excellent,” and 55 percent believe that their ability to protect users from ransomware is this effective.

Unfortunately, things get worse from there: fewer than half of respondents believe their ability to block phishing attempts from end-users, eliminate account takeover attempts before they reach senior executives, and protect sensitive data is either “very good” or “excellent.”

Finally, some best practices that decision-makers must consider to protect against these advanced threats are:

  • Deploy a multi-layer approach for email security
  • View security holistically from cloud services to endpoint, with end-to-end monitoring
  • Train all users, including senior executives
  • Use adequate threat intelligence
  • Establish detailed and thorough policies

Get the In-Depth Osterman Report

Download the exclusive Osterman white paper, “Best Practices for Protection Against Phishing, Ransomware and Email Fraud,” compliments of SonicWall. The paper explores issues that security professionals face, how to evaluate your current security posture and best practices to consider implementing for sound email security.

Phishing Threats – How to Identify and Avoid Targeted Email Attacks

Phishing threats have been around for years. By now anyone can easily detect a fake email, right?

Wrong. How confident are you that you wouldn’t divulge your password, credit card info or online identity? Here is a quick refresher on phishing threats and what you can do to protect yourself.

What is Phishing?

As you may already know, phishing threats involve malicious emails that attempt to get you to disclose your personably identifiable information (PII) to compromise your personal identity or corporate data.

Hackers create emails that look like official communications from familiar companies. These are sent to millions of unsuspecting addresses in hopes that someone will follow the links and share sensitive information that the hackers can exploit. These phishing emails employ a variety of techniques.

How to Spot Phishing Attacks

The best way to protect yourself from phishing threats is to recognize and avoid these common phishing tactics:

  • Generic greetings: The opening lines of phishing emails are often very vague and general in nature.
  • Typos or Poor Grammar: A poorly written email is less likely to have come from a legitimate company. In addition, do not be tricked if the email happens to include a legitimate-looking logo.
  • Urgency: Phishing emails often sound alarmist, trying to scare you into taking action (and sharing your information) immediately.
  • Fake Links: Phishing emails routinely obscure the URL addresses, and instead take you to an unsecured site where your sensitive data is solicited. To see exactly where a link will take you, simply hover over it. If in doubt, don’t click it. Instead, open a new browser session and manually enter the address (i.e., don’t copy and paste) you want to visit.
  • Attachments: Delivered via email attachments, malware that is executed (i.e., the attachment is opened) allows a hacker to exploit vulnerabilities on your computer Never open an attachment unless you are sure it is legitimate, safe and expected. Be cautious with any unexpected invoices from companies you’re not familiar with, as attachments might contain malware that installs upon opening.
  • Spoofed Sender: Makes it easier for a hacker to impersonate someone you’d normally trust (e.g., coworker, bank, government agency)

Take the Phishing IQ Test

Interested in seeing how well you are at telling the difference between a legitimate website and one that is a phishing attempt? Take the SonicWall Phishing IQ Test to find out.

Is Your Email Security GDPR Ready?

On May 25th 2018, the European Union (EU) will introduce its General Data Protection Regulation (GDPR). The GDPR is a set of regulations meant to protect personal data of EU residents, and enforces data privacy rules on how organizations collect, store and use the information. Failure to comply with the EU GDPR regulation carries heavy penalties including fines of up to €20 Million or 4 percent of global turnover. This includes information exchanged over email. According to Infowatch global data leakage report, email is the second largest channel for data leaks.

Some key elements of the regulation include:

  • GDPR applies to all organizations that process the personal data of subjects residing in the EU, regardless of the organization’s location.
  • Breach notification will become mandatory, and must be done within 72 hours of first having become aware of the breach.
  • EU residents have the right to obtain confirmation as to whether or not personal data concerning them is being processed, where and for what purpose.
  • The right to be forgotten entitles the residents to have the organization erase his/her personal data, and cease further dissemination of the data
  • Privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition.

Here are certain implications of GDPR on an organization’s emails and email security:

  • Personal data is classified as any information that includes personal email addresses, phone numbers etc. that are commonly used for marketing.
  • Organizations in regulated industries such as retail, finance and healthcare have to deal with added layers of complexity to comply with competing regulations
  • To implement appropriate technical measures to comply with “privacy by design,” organizations must include email encryption and compliance capabilities to their email security infrastructure.

To comply with GDPR, key capabilities to consider while evaluating your email security include:

  • A comprehensive multi-layered approach that provides strong inbound and outbound protection
  • Sandboxing and quarantining of any unknown email attachments to prevent breaches
  • Strong encryption and DLP for compliance and regulatory requirements

Download our tech brief to learn more about SonicWall Email Security’s compliance and encryption service, and how it can help you comply with the EU GDPR.

New SonicWall Email Security 8.2 w. Cyren AV

The foundation of email threat protection has long been anti-virus technology and IP reputation databases. Threat research teams across the globe are hard at work analyzing email, identifying spam and malware, and building anti-virus and IP reputation database libraries to help combat threats. Experts agree that for best threat protection, email security solutions should not rely on a single anti-virus engine or reputation database, but should integrate multiple sources to maximize security effectiveness.

To deliver best-in-class email threat protection, SonicWall Email Security 8.2 includes multiple anti-virus technologies, including SonicWall Global Response Intelligent Defense (GRID) Anti-Virus, SonicWall Time Zero, and premium anti-virus technologies, including McAfee, Kaspersky, and now, Cyren Anti-Virus.

Cyren AV is now included with SonicWall Hosted Email Security and, for customers that prefer an on-prem solution, available with Email Security appliance and software release 8.2, when purchased with the Total Secure subscription service. The SonicWall Email Security offers seamless set-up for IT administrators and provides immediate results.

“Since replacing our Barracuda appliance with SonicWall, we achieved a 95 percent reduction in spam reaching user mailboxes,” saidGary Walker, network administrator, City of Alexandria.

With SonicWall Email Security solutions, our GRID Network performs rigorous testing and evaluation of millions of emails every day, and then reapplies this constantly updated analysis to provide exceptional spam-blocking results and anti-virus and anti-spyware protection.  SonicWall Time Zero Virus Protection uses predictive and responsive technologies to protect organizations from virus infections before anti-virus signature updates are available. Suspect emails are identified and immediately quarantined, safeguarding the network from the time a virus outbreak occurs until the time an anti-virus signature update is available. Moreover, premium anti-virus technology from industry-leading, anti-virus partners including McAfee, Kaspersky, and Cyren provides an additional layer of anti-virus protection, resulting in protection superior to that provided by solutions that rely on a single anti-virus technology. In addition to the multi-layer threat protection and ease of use, the SonicWall solution is affordable and provides low TCO.

“With SonicWall, we have easily saved $30,000, and will save an additional $15,000 each year,” said Walker.

Learn More about SonicWall Email Security

For more information about SonicWall Email Security, please visit our website, refer to the SonicWall Email Security 8.2 release notesor contact a SonicWall representative at 1.888.557.6642, or emailsales@sonicwall.com

Now Available: New SonicWall Email Security eLearning Course

SonicWall SES eLearning course has had a makeover! And how! With recent upgrades to the SonicWall SES product suite, it was only natural that the free, Web-based online training that SonicWall offers to various partner channels would also be revised.

Change needs to beget Changed Content!

The newly launched course contains up-to-date information on SonicWall ‘s SES product suite, challenging quizzes, engaging instructional strategies modeled with a constructivist approach, a new course template, colorful and animated screens and smaller course segments to accommodate busy schedules! The course harmonizes various knowledge levels and seeks to provide an enhanced learning experience around the SonicWall SES solution, to supplement the information provided by the product Admin Guide.

Knowledge rests not upon truth alone, but upon error also!

This free, self-paced training instructs you on how to deploy, configure, and maintain the SonicWall Email Security (SES) solution to meet email security and compliance requirements. The Web-based course prepares the students for their CSSA Level Certification exam. All 11 modules of this course are interspersed with challenging quizzes and knowledge checks modeled along Kirkpatrick’s evaluation principles and procedures to integrate learning, behavior, and results.

These knowledge checks have been deliberately left ungraded because their primary purpose is to help you revisit, analyze, or explore a concept based on any prior knowledge or experience in the email security domain. Detailed and analytical feedback is provided to you for most of the quizzes.

The new SonicWall SES course includes behaviorist-oriented, pre-instructional strategies, such as stimulating recall of prerequisites. It also follows a constructivist approach to non-graded quizzes and knowledge checks that provide opportunities for the learners to reflect upon and articulate what they learned using analytical or holistic rubrics.

There are things known, and there are things unknown. And in between are the doors!

The mainstay of the course is that the revised content came straight from the horse’s mouth, figuratively speaking! The subject matter expertise for the content originated not from the product engineers, but from the folks in the middle of all action, at the vanguards of the battle lines, at…, well, you get the idea! We are referring to none other than the omniscient Tech Support folks that provide solutions to any issues you might ever face with your SonicWall SES application. Their repertoire of case studies drawn from real-life customer stories and experiences was the source of much of the course content and helped make it as contextual and real-life as possible.

Knowledge is of two kinds; We know a subject ourselves, or we know where we can find information about it.

Let’s just summarize by stating that the new SonicWall Email Security course is dynamic, right-sized, collaborative, personalized, comprehensive and ““ best of all ““ free! So check it out and send us your feedback.

How to Enforce Email Compliance and Encryption to Satisfy Users

If you’re like the majority of internet users, you mostly access the internet from your mobile devices. And by the way, so do your customers. In fact, 2014 was the year that mobile traffic exceeded legacy PC traffic on the internet. Business success, now more than ever, requires that you provide a great, mobile user experience, Email continues to be a key communication tool for business. Although email communication has been a primary application for mobile devices for many years, secure email exchange, ensuring email is encrypted to protect sensitive data and to comply with industry and regulatory requirements, is typically optimized for a legacy PC user experience.

With the widespread use of smartphones and tablets in business today, email encryption solutions must provide a seamless user experience across all devices. Unfortunately, many legacy solutions and services were not designed to function well on these devices, leaving users frustrated or unable to access or manage encrypted messages and files on their smartphones and tablets. If your business is subject to industry compliance or regulatory compliance to protect sensitive data, or if you’re concerned about protecting company intellectual property, it’s increasingly important to deploy an email encryption service designed and optimized for use with mobile devices that provides the seamless user experience subscribers and recipients want and need.

If you’re interested in learning more about requirements for protecting sensitive data, including how to ensure the secure exchange of email containing sensitive customer data – and simplify compliance in the process.

Read this white paper for details about achieving regulatory and industry compliance when moving:

  • PII (Personally Identifiable Information)
  • PHI (Protected Health Information)
  • Proprietary data
  • Any other types of sensitive information

You’ll get a side-by-side look at specific HIPAA/HITECH and PCI-DSS compliance regulations, and how the SonicWall Email Encryption service helps you meet each of them, and provides a great user experience for both legacy PC and mobile users.

Secure Email Data for HIPAA Compliance: Protect Your Business

Protecting sensitive or confidential data is not just good business. For some, it’s legally required and subject to audit. For example, HIPAA regulations require organizations to take reasonable steps to ensure the confidentiality of all communications that contain patient or customer information. Health service providers and their business associates and contractors who touch or handle Protected Health Information (PHI) are subject to these rules.

Organizations such as physician’s offices, hospitals, health plans, self-insured employers, public health authorities, life insurers, clearinghouses, billing agencies, information systems vendors, service organizations, and universities could all be considered covered entities and/or business associates or their subcontractors. In addition, mandatory reporting is required for HIPAA violations, even when the data is lost by a third party.

This increases the need for subcontractors to implement the same level of security typically found in larger organizations. The penalties for failure to conform to HIPAA regulations go far beyond the hundreds of thousands of dollars in fines. They include public humiliation, loss of reputation, brand damage, class-action lawsuits, and yes, even prison. But there are practical ways to avoid these penalties.

Here are some methods to secure your moving data:

1. Do an assessment.

If you do nothing else, at least do an assessment of where your PHI resides, how you get it and where you send it. Knowing where the data is that you need to protect, and how it travels, is the first step.

2. Add layers of security in case people make mistakes.

One of the most common causes of any kind of security breach is human error. Whether conscious, accidental, or simply due to laziness, human error can result in Personally Identifiable Information (PII) or Protected Health Information (PHI) being sent over the Internet as unencrypted text unless content filters are put in place to detect these messages and encode or reroute them safely. You need to:

  • Install smart filters that analyze both the email and its attachments
  • Correlate fields in both documents and attempt to match them to known patient databases
  • Encrypt messages before they’re sent over the Internet

3. Make sure the boundaries between systems are secure.

Communication security breaches commonly occur when data is transferred between two or more systems. It can happen whenever data is transferred between:

  • People within your organization’s firewall
  • People inside and outside your organization’s firewall
  • Your employees and your business associates (and their subcontractors)
  • Your employees and your customers/ patients
  • Two different systems

Whenever information passes between systems and people, the data needs to be secured at all times, even when in transit. You must also ensure the data that is sent to people outside your firewall is always sent in encrypted format, so that no one but its intended recipients can read it.

4. Make sure your internal communications are secure.

Employees who work from home present HIPAA boundary issues. It is critical that they securely transfer data from work to their home computers. Even though your business information will remain within your company it must still pass across the Internet securely. To prevent a mistake that compromises protected information, provide email encryption to any employee with access to PHI.

5. Make sure your business associate and subcontractor communications are secure.

Another boundary issue arises when employees interact with external business associates and subcontractors. It’s likely that they must regularly transfer sensitive information with these external contacts. And they may use different email systems than those in your office. Often, client or patient PII and/or PHI needs to be sent via email. Be sure to secure these emails with encryption that works with many different systems and devices, including mobile devices i.e., smartphones and tablets. Healthcare related institutions must use solutions that make it possible to communicate with anyone, anytime, anywhere, no matter what email system or device the other party uses. Likewise, you must demand the ability to securely transfer large files with all these same people.

6. Make sure your communications with telecommuters are secure.

Employees who telecommute comprise another set of boundary issues.

More medical professionals are working from home and often need to transfer large, important and time-sensitive files such as x-rays or mammograms as attachments through your email system. Because the files can be so large, they have the potential to bring your email system to a standstill.

Not only do you need to exchange these files securely, you need to send them in a way that does not overload or crash your email system. So you either must find the time, the budget, and the resources to set up file transfer sites for these large files or you can use encrypted email with a secure large file attachment capability. Either way, you must make absolutely sure that they comply with encryption guidelines.

7. Make sure when your patients communicate with you, everything they do is secure.

Your patients must often submit forms, ask questions of specific people and departments, or submit follow -up information about an ongoing illness or other matter. These communications often contain PHI. Until recently, these needs were served by paper-based processes, but now can be handled through secure electronic forms on your website. But how do you ensure that this data reaches the right department or employee to process it? And can this data be integrated into existing knowledge worker software to track its status? If the request contains sensitive information, is it received from the patient in a secure manner, or did the method of collecting data cause a privacy violation? And if any follow up is needed with the patient, can this be sent securely? With a messaging system in place that provides secure inbound and outbound service, uses email encryption and secure electronic forms, and provides workflow integration, you can streamline your operations and cost-effectively serve patients.

8. Make it easy to transfer even very large files securely.

FTP, or file transfer protocol, is the standard way to transfer files across the Internet. However, it transmits user login credentials and the contents of files in an unencrypted manner. So this is not the secure method needed for transferring. You need a secure messaging system that automatically routes large files, alerts the recipient that they are available, and that tells you when they’ve been opened and by whom.

9. Make sure you can demonstrate that your system is secure.

After an email message is sent, how do you know what happened to it? Did its intended recipient open it? Were its attachments opened? Is there proof that the message was received and was read? Should a question arise about who viewed a message or its attachments, can you prove who read them to an auditor? It’s increasingly obvious that a secure messaging system must be trackable and auditable. To make this possible, messages and their attachments, their metadata and the fingerprinting data must be both viewable and traceable. The fingerprint data must record permanently the IP addresses of the recipient’s computers, and the system’s time must be synchronized with an atomic clock so that message times are never a point of dispute. Such a system would allow your administrators and, if necessary, auditors to easily review and sort through volumes of message information, and quickly retrieve a particular message, as well as all the tracking and fingerprint information associated with it.

If you’re interested in learning more about requirements for protecting sensitive data, including how to ensure the secure exchange of email containing sensitive customer data and simplify compliance in the process.

Read this white paper for details about achieving regulatory and industry compliance when moving:

  • PII
  • PHI
  • Proprietary data
  • Any other types of sensitive information

You’ll get a side-by-side look at specific HIPAA/HITECH and PCI-DSS compliance regulations, and how the  SonicWall Email Encryption service helps you meet each of them.