Most small practices leverage outsourced third-party e-mail providers, rather than establishing a dedicated internal e-mail infrastructure. The e-mail protection practices in this section are presented in three parts:
- Email system configuration: the components and capabilities that should be included within your e-mail system
- Education: how to increase staff understanding and awareness of ways to protect your organization against e-mail–based cyberattacks such as phishing and ransomware
- Phishing simulations: ways to provide staff with training on and awareness of phishing e-mails
Sub-Practices for Small Organizations
1.S.A | E-mail System Configuration | NIST FRAMEWORK REF: PR.DS-2, PR.IP-1, PR.AC-7 |
Consider the following controls to enhance the security posture of your e-mail system. Check with your e-mail service provider to ensure that these controls are in place and enabled.
- Avoid “free” or “consumer” e-mail systems for your business; such systems are not approved to store, process, or transmit PHI. We recommend contracting with a service provider that caters to the health care or public health sector.
- Ensure that basic spam/antivirus software solutions are installed, active, and automatically updated wherever possible. Many spam filters can be configured to recognize and block suspicious e-mails before they reach employee inboxes.
- Deploy multifactor authentication (MFA) before enabling access to your e-mail system. MFA prevents hackers who have obtained a legitimate user’s credentials from accessing your system.
- Optimize security settings within your authorized internet browser(s), including blocking specific websites or types of websites, to minimize the likelihood that an employee will open a malicious website link. Most browsers assess the possibility that a site is malicious and send warning messages to users attempting to access potentially dangerous sites.
- Configure your e-mail system to tag messages as “EXTERNAL” that are sent from outside of your organization. Consider implementing a tag that advises the user to be cautious when opening such e-mails, for example, “Stop. Read. Think. This is an External E-mail.”
- Implement an e-mail encryption module that enables users to securely send e-mails to external recipients or to protect information that should only be seen by authorized individuals.
- Provision every employee with a unique user account that is tied to a unique e-mail address. These accounts and e-mail addresses should not be shared, and should be de-provisioned when the employee leaves the organization.
1.S.B | Education | NIST FRAMEWORK REF: PR.AT-1 |
Implement the following education and awareness activities to assist your employees and partners in protecting your organization against phishing attacks.
- Establish and maintain a training program for your workforce that includes a section on phishing attacks. All users in your organization should be able to recognize the phishing techniques in Table 3.
Table 3. Phishing Techniques
Phishing Technique | Description |
Check embedded links | Validate that the URL of the link matches the text of the link itself. This can be achieved by hovering (not clicking) your mouse cursor over the link to view the URL of the website to be accessed. |
Look for suspicious From: addresses | Check received e-mails for spoofed or misspelled From: addresses. For example, if your organization is “ACME” and you receive an e- mail from user@AMCE.com, do not open the e-mail without verifying that it is legitimate. |
Be cautious with “urgent” messages | If the e-mail message requires immediate action, especially if it includes a request to access your e-mail or any other account, do not open the e-mail or take any action without verifying that it is legitimate. |
Be cautious with “too good to be true” messages | If you receive an unexpected message about winning money or gift cards, do not open the e-mail or take any action without verifying that it is legitimate. |
- Leverage an encryption module within your e-mail system to minimize the risk of information being intercepted by hackers
- Be extra careful when sending and receiving e-mails that contain sensitive and private data, especially PHI.
1.S.C | Phishing Simulations | NIST FRAMEWKORK REF: PR.AT |
Steps for an effective anti-phishing campaign include:
- Implement regular (e.g., monthly or quarterly) anti-phishing campaigns with real-time training for your staff. Many third parties provide low-cost, cloud-based phishing simulation tools to train and test your workforce. Such tools often include pre-configured training that is easy to distribute and that your workforce can complete independently.
- Direct your IT specialist to send a phishing e-mail to everyone on your staff. Track how many of your employees “bite”, or open the e-mail. This enables you to target training to those who demonstrate need, . This technique will also allow you to understand how susceptible your organization is and to set a baseline that you can use to measure changes in awareness over time.
- Start your anti-phishing campaigns with easy-to-spot e-mails that your workforce learns to recognize. Slowly increase the sophistication of these simulations to improve the detection capability of your workforce.
- E-mail phishing attack
- Ransomware attack
- Insider, accidental or intentional data loss
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article