Continuous threat exposure management (CTEM), sometimes shortened to continuous threat management, is a cybersecurity program for continuously identifying, prioritizing and reducing exposures across an organization's attack surface. Gartner, which introduced the term, describes it as a five-stage cycle: scoping, discovery, prioritization, validation, and mobilization.
According to a study on threat management, “CTEM is a modern security management process that was introduced by Gartner. Its development can be traced back to the need for more proactive and continuous security measures, as opposed to the reactive approaches of traditional Cybersecurity. The traditional way of managing vulnerabilities can be seen as a reactive approach where remedies are applied after a threat has been detected. Assessing security risks was not a continuous process — it was something that was assessed periodically.”
CTEM and its supporting processes assist in HIPAA auditing by providing a structured way to identify weaknesses in email systems, such as messages transmitted over insecure networks. When the CTEM process is documented consistently, organizations also gain an audit trail that can be used to demonstrate the measures taken to secure internal systems against unauthorized access.
The audit process involves maintaining detailed logs of all activities related to electronic PHI, including access, modifications, deletions, and data movements. These logs must capture enough information to identify the individual or entity responsible for the action, the date and time of the activity, and the specific data affected. The logs must be stored securely and be tamper-evident (for example, write-once storage or a hash chain that reveals any altered or removed entry) so that their integrity and availability can be relied on during review of security incidents or investigations.
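The following is an added example, not code from the original page, of the tamper-evident audit trail the paragraph above calls for. Each entry records who, when, what action and which record, and its hash covers the previous entry's hash, so any alteration or deletion of an earlier entry breaks the chain. The chain head is additionally authenticated with an HMAC key (a hypothetical, hard-coded key here; in practice it would live in a KMS or HSM) and stored separately, because a plain hash chain cannot detect truncation of the most recent entries. The event data is constructed for the example.

```python
"""Hash-chained audit log for ePHI access events (added example, not the page's own code)."""
import copy
import hashlib
import hmac
import json

# Hypothetical key for authenticating the chain head; assumption for this example only.
# In production the key would be held in a KMS/HSM and the head tag stored write-once.
HEAD_KEY = b"example-head-key-not-for-production"
GENESIS = "0" * 64


def _canonical(obj) -> bytes:
    """Deterministic JSON encoding so the same entry always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _head_tag(last_hash: str) -> str:
    return hmac.new(HEAD_KEY, last_hash.encode(), hashlib.sha256).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []

    def append(self, timestamp: str, actor: str, action: str, record_id: str) -> dict:
        """Append one event; its hash binds the entry to everything before it."""
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "timestamp": timestamp,  # caller supplies UTC ISO-8601 from a trusted clock
            "actor": actor,
            "action": action,
            "record_id": record_id,
            "prev_hash": prev_hash,
        }
        entry["hash"] = hashlib.sha256(_canonical(entry)).hexdigest()
        self.entries.append(entry)
        return entry

    def head_tag(self) -> str:
        """HMAC over the newest hash, to be stored apart from the log itself."""
        last = self.entries[-1]["hash"] if self.entries else GENESIS
        return _head_tag(last)


def verify_chain(entries, expected_head_tag=None):
    """Return (True, None) if intact, else (False, seq) for the first bad entry.

    If expected_head_tag is given, the newest hash is also checked against it,
    which is what catches deletion of the most recent entries.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["seq"] != i or e["prev_hash"] != prev:
            return False, i  # gap, reordering, or relinking
        if hashlib.sha256(_canonical(body)).hexdigest() != e["hash"]:
            return False, i  # field edited after the fact
        prev = e["hash"]
    if expected_head_tag is not None and not hmac.compare_digest(_head_tag(prev), expected_head_tag):
        return False, len(entries)  # chain is self-consistent but truncated/replaced
    return True, None


def build_sample_log() -> AuditLog:
    """Constructed sample events (not real data)."""
    log = AuditLog()
    log.append("2024-03-01T09:12:04Z", "dr.jones", "read", "patient/10432")
    log.append("2024-03-01T09:15:31Z", "nurse.kim", "update", "patient/10432")
    log.append("2024-03-01T09:20:47Z", "billing-svc", "export", "patient/10432")
    return log


def tamper_field(entries, seq: int, field: str, value):
    """Simulate an attacker rewriting one field of a stored entry."""
    modified = copy.deepcopy(entries)
    modified[seq][field] = value
    return modified


if __name__ == "__main__":
    log = build_sample_log()
    tag = log.head_tag()
    print("intact:", verify_chain(log.entries, tag))
    print("edited actor:", verify_chain(tamper_field(log.entries, 1, "actor", "dr.jones"), tag))
    print("dropped newest, no anchor:", verify_chain(log.entries[:2]))
    print("dropped newest, with anchor:", verify_chain(log.entries[:2], tag))
```

Without the separately stored head tag, silently dropping the newest entries leaves a chain that still verifies; the anchor is what turns the log from tamper-evident for edits into tamper-evident for truncation as well.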
Communication methods used by healthcare organizations must also be audited to ensure compliance with HIPAA. This includes assessing HIPAA-compliant email systems, messaging platforms, and other communication tools to verify that they meet HIPAA standards for secure data transmission and access control.
CTEM provides a consistent way to monitor and assess an organization's security posture. Its proactive stance shifts cybersecurity away from traditional reactive measures that may detect threats too late: it improves threat visibility through near-real-time insight into security gaps, allowing organizations to address vulnerabilities before they become entry points for attackers. CTEM also supports efficient resource allocation by prioritizing vulnerabilities according to their actual risk (exploitability and exposure, not just severity score). For email audits, this means organizations can respond quickly to security incidents such as unauthorized access attempts or malware infections and minimize their impact.
Written patient consent is not always required before sending PHI by email, but obtaining it is recommended.
For PHI sent by email, both TLS (to protect the message in transit between mail servers) and S/MIME (to encrypt the message content itself) are recommended; TLS alone does not protect a message once it has been delivered to a mailbox.
Free consumer email services are generally not suitable for PHI: their providers typically do not sign business associate agreements (BAAs), which HIPAA requires before a vendor may handle PHI on a covered entity's behalf.