What is HIPAA Compliant Secure Email?

When you want to harden your email security approach for compliance with the HIPAA Security Rule, a simple first step is to protect your passwords. Consider using password-manager software to auto-generate your passwords so they are fully random. You also want to bolster password protection with multi-factor authentication (MFA). SIM-swap attacks can defeat SMS-based authentication, so it is best to perform that second factor with an authenticator app rather than a text message.

Passwords are, of course, just one concern. The steps you can take to create a HIPAA-compliant email environment go beyond passwords to Exchange Online Protection, encryption, and more.

This is a guest post written by Adnan Raja, on behalf of Atlantic.Net.

Exchange Online Protection

A key point made by Microsoft in relation to HIPAA compliance is how important Exchange Online Protection (EOP) and data loss prevention (DLP) policies are in helping you set up specific HIPAA compliance rules. EOP is a cloud-hosted filtering service that prevents the spread of malware and spam and simplifies email management. DLP policies, created in the Exchange Administration Center (EAC), are sets of transport rules, actions, and exceptions used to filter messages. Notably, DLP policies must be explicitly activated, which means you can create and test them before they take effect.
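The create-then-activate workflow described above, as an added example that is not from the original post: it assumes a Security & Compliance PowerShell session (`Connect-IPPSSession`) with a role allowed to manage DLP, and the policy and rule names are placeholders.

```powershell
# Added example (not from the original post). Assumes a Security &
# Compliance PowerShell session with DLP management rights.
# Policy/rule names are placeholders.

# 1. Create the policy in test mode: it evaluates mail and records matches
#    but enforces nothing, so the rule can be tested before activation.
New-DlpCompliancePolicy -Name 'PHI-Outbound-Guard' `
    -ExchangeLocation All `
    -Mode TestWithoutNotifications `
    -Comment 'Blocks outbound mail carrying PHI identifiers'

# 2. Attach a rule: match built-in sensitive information types commonly
#    found in PHI, only for mail leaving the organization, block it, and
#    tell the sender why.
New-DlpComplianceRule -Name 'PHI-Outbound-Block' `
    -Policy 'PHI-Outbound-Guard' `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'U.S. Social Security Number (SSN)';    minCount = '1' },
        @{ Name = 'Drug Enforcement Agency (DEA) Number'; minCount = '1' }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser 'LastModifier' `
    -NotifyPolicyTipCustomText 'This message appears to contain PHI and was blocked.'

# 3. Review the matches reported while the policy is in test mode, then
#    activate it once the rule behaves as intended.
Set-DlpCompliancePolicy -Identity 'PHI-Outbound-Guard' -Mode Enable
```

Run step 3 only after reviewing test-mode matches; switching `-Mode` back to `TestWithoutNotifications` returns the policy to monitoring only.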

Other Key Exchange HIPAA Compliance Steps

To make your email compliant (generally compliant, understanding that compliance steps must be taken by you beyond what the technology provides), there are several key steps you need to take:

  1. Encrypt
    When you are setting up your digital certificates to enable encryption, Microsoft provides advice on choosing the certificate and implementing that cryptographic setting:
    – Keep the number of certificates you use as low as possible. Typically a wildcard or SAN certificate is used to limit the number of certificates for a single site.
    – Minimize the number of hostnames.
    – Certificates for external server or client connections should come from a commercial certificate authority rather than being self-signed; an Exchange server can be configured to accept any certificate, but a commercial certificate needs no such adjustment.
    – Test the certificate using the Exchange certificate wizard within the Exchange admin center.
  2. Develop Email Compliance Policy
    HIPAA compliance, like it or not, involves the creation of compliant policies and procedures; email use is no exception. This policy should make it clear exactly how the email system can and cannot be used; it should be validated by the legal and human resources departments, and all personnel should sign off on its terms. The policy should state exactly what is permitted and not. HR staff and the executive leadership should be in agreement on the priority of enforcing the policy if you want it to be taken seriously and ultimately effective.
  3. Subscribe to Email Archival Platform
    If the law requires you to retain all your emails in storage for a set period of time, you will want a systematized way to archive them seamlessly. The system should be chosen carefully to be certain it is well designed for HIPAA compliance.
  4. Create Public Folder Controls
    An organization will typically either delegate control to business units or departments or strictly control all top-level public folders. The latter model is much better suited to HIPAA compliance. Consider changing these controls.
  5. Create Internet SMTP Controls
    Email often leads to violations because covered entities may not be monitoring their email very closely. Knowing where email is going is a key concern. You want to have auditing tools in place, along with Internet gateways that scan content and the implementation of auto-signatures.
  6. Be Aware of Everywhere Email may be Retained
    Email storage can be in any of four primary silos:
    – the archive;
    – backup media, in the form of offsite and onsite tape records that may be sitting in storage with content on them that should be cleared;
    – data that is online within production email servers; and
    – data that is offline in file systems such as wireless devices and phones, BlackBerry, Outlook PST, etc.
    Remember the liability that exists within your old systems, in the remnants that still exist. It is critical that any healthcare system that contains PHI has robust defenses against all forms of malicious code or other assault.
  7. Utilize VPNs
    A virtual private network will ensure that your connection to the Exchange server is encrypted. The encryption allowed by a VPN means that your login access and anything sent to and from the server is encrypted.
  8. Focus on the PSTs
    If PSTs are permissible at your company, then you may not know where all of them are. The PSTs might contain intellectual property or highly critical data, and there might be security or compliance issues within them.
  9. Set Audits and Controls for Your Groups and Distribution Membership
    You want to set up technologies and practices that mean all your membership adjustments go through the same automated or manual approval process. The lists or groups that most often handle key information should be noted. There should be regular reporting and auditing of particularly critical lists.
  10. Set Up Control for Mailbox Delegation and Security
    There are two ways that delegation and security are adjusted for mailboxes: user-initiated and administrator-initiated. A user-initiated change could delegate a mailbox or folder within it to one or more delegates. Administrator-initiated changes can occur when an administrator abuses authority. You must have event logs and other operating-system-level evidence if you want to understand how a security event occurred that was administrator-initiated.
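Steps 9 and 10 both come down to having a record of who changed list membership or mailbox delegation, and when. The following is an added example, not code from the original post: it assumes an Exchange Online PowerShell session (`Connect-ExchangeOnline`) with audit-log read rights, and the watch-list mailboxes are constructed placeholders.

```powershell
# Added example (not from the original post). Assumes an Exchange Online
# PowerShell session with permission to read the unified audit log.

$end   = Get-Date
$start = $end.AddDays(-30)

# Operations that change who can read a mailbox (step 10) or who
# receives a distribution list's mail (step 9).
$ops = @(
    'Add-MailboxPermission', 'Add-RecipientPermission',
    'Add-DistributionGroupMember', 'Update-DistributionGroupMember'
)

# Pull the last 30 days of those events, whether user- or admin-initiated.
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
            -Operations $ops -ResultSize 5000

# Flatten each event to actor / operation / target / who was granted.
$events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $_.CreationDate
        Actor     = $_.UserIds
        Operation = $_.Operations
        Target    = ($d.Parameters | Where-Object Name -eq 'Identity').Value
        Granted   = ($d.Parameters |
                     Where-Object { $_.Name -in 'User', 'Member', 'Trustee' }).Value
    }
} | Sort-Object When | Format-Table -AutoSize

# Constructed watch-list of mailboxes that routinely hold PHI (placeholders).
# List every explicit Full Access delegate so it can be checked against
# the approved-delegation record.
$watch = 'billing@example.com', 'records@example.com'
foreach ($mbx in $watch) {
    Get-MailboxPermission -Identity $mbx |
        Where-Object { $_.AccessRights -contains 'FullAccess' -and
                       -not $_.IsInherited -and
                       $_.User -notlike 'NT AUTHORITY\SELF' } |
        Select-Object Identity, User, AccessRights
}
```

Scheduling this as a recurring report gives the regular auditing of critical lists that step 9 calls for, and the flattened event rows are the evidence step 10 says you need when an administrator-initiated change has to be explained.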

Your HIPAA-Compliant Environment

Email must be strictly controlled in order to have a secure environment that meets the restrictions of HIPAA compliance. Securing email is, unfortunately, not as simple as setting up encryption – although that is an important step. With the above considerations addressed, you have built an environment and process that can help you avoid violations while still being able to communicate as an organization must in a digital era.

About the author

Adnan Raja has been the Vice President of Marketing at Atlantic.Net for 14 years. During Raja's tenure, the Orlando-based, privately held hosting company has grown from having a primarily regional presence to garnering and developing attention nationwide and internationally. In collaboration with a skilled and dedicated team, Raja has successfully led a full spectrum of marketing campaigns, as well as handling PR work with major news outlets and the formation of key strategic alliances.