A Healthy Solution

By Holly Gilbert Stowell

01 July 2014

Print Issue: July 2014

Susquehanna Health, a hospital network in Pennsylvania with more than 3,000 employees, serves 13,000 patients annually at four locations. When it comes to potential threats to its information security, the organization is focused on investing in the best resources and training its employees in good cyber hygiene. “One of things we’re doing is educating people,” says Paul Roma, network security engineer at Susquehanna. “We’re constantly sending out reminders and mass e-mails to people, and putting posts on our intranet. If we see some new campaign where 10 people got a new [spam] e-mail in their inbox… we’ll post something and let people know there’s a scam.”

E-mail is one of the largest security concerns for the organization’s IT department, Roma says, due to the growing number of attacks on companies that are launched through e-mail campaigns, like spear phishing and Web-based attacks through malicious links. In spear-phishing attacks, bad actors craft an e-mail that is tailored to the recipient to make it appear as if it’s coming from a legitimate source. When the user clicks on any links in the message or downloads an attachment, the hacker is potentially given an open door to the network.

“Security-wise, if you’re going to spend $20,000 on a firewall, you should spend the same or more money on your e-mail security,” says Roma, who points out that e-mail and Web-based attacks are primary threat vectors. “Someone’s not going to sit there and try to hack your firewall, they’re going to send you an e-mail and hope you click on the link.”

As a healthcare organization, Susquehanna Health has to adhere to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which mandates the adequate protection of electronic health information. This makes e-mail protection even more vital.

While most employees are diligent about identifying phishing attacks and avoiding clicking on potentially malicious links, Roma says there was still a “constant flood” of unwanted or unsafe messages coming into their accounts. “Our [e-mail security] solution wasn’t cutting it anymore,” he tells Security Management.

In late 2011, the company began looking into e-mail security solutions that would be better at catching unwanted e-mails while allowing legitimate messages through. The company chose ePrism Email Security from EdgeWave, which Roma says allows him to easily set rules for services, such as message filtering, antivirus blocking, and more.

After installing ePrism, Roma says he saw an immediate difference in the number of spam e-mails and phishing attacks being blocked. The system blocked more phishing e-mail in one hour than the previous system blocked in a week, he recalls.

The e-mail security software has more than 16 settings for message types that it will filter into appropriate categories, like quarantine, spam, and junk. Roma says that the filters have not once blocked a legitimate message by accident.

The ePrism product also offers a subject markup function that allows IT to add a tag to the subject line of the e-mail to warn users. “Anything that’s classified as junk, we added a tagline to add to the subject that says, ‘suspected junk mail.’ So even though it’s just junk and it’s probably not malicious, [we do it] just to alert the recipient.”

Roma says ePrism allows the organization to meet HIPAA security requirements. He adds that not only has the solution enhanced e-mail security, but it has also been a time saver for the IT department. He notes that he saves about eight to 10 hours a week by not having to go through and manually set rules like he did with the old solution. “It was definitely worth the investment,” he notes. “Between the hours saved and the protection provided, it’s just a no-brainer.”