How the CISA email and web security guidance contributes to email practices
Kirsten Peremore
Feb 22, 2025 4:38:56 PM

The Cybersecurity and Infrastructure Security Agency (CISA) publishes email and web security guidance whose recommendations align closely with the requirements of the HIPAA Security Rule. It addresses the technical and procedural measures needed to protect healthcare data in particularly exposed channels such as email.
The main points of CISA’s email and web security guidance
- Phishing emails and websites served over unencrypted HTTP are two of the most common ways attackers exploit weaknesses in an organization's security posture.
- CISA encourages state, local, tribal, and territorial governments, as well as private entities, to strengthen their email and web security.
- SPF and DKIM let a sending domain "watermark" its email so that receiving servers can detect unauthorized messages; DMARC tells receivers what to do with mail that fails those checks and where to send reports about it.
- Every second-level organizational domain should publish valid SPF and DMARC records, including domains that never send mail, which are otherwise easy to spoof.
- Organizations should start with at least a DMARC policy of "p=none", which only gathers reports and blocks nothing, and work toward "p=reject", which provides the strongest protection against spoofed email.
- A central reporting location for all DMARC reports should be set up, and organizations should maintain ongoing visibility of what those reports show.
- All internet-facing mail servers should offer STARTTLS, which signals to sending servers that mail can be encrypted in transit.
- HTTPS should replace plain HTTP on all external-facing domains, and HSTS should be enabled so that, once a browser has seen the policy, it connects over HTTPS only.
- Support for known-weak cryptographic protocols and ciphers should be removed from both mail and web servers; at a minimum, the SSLv2 and SSLv3 protocols and the 3DES and RC4 ciphers should be disabled.
- Higher-level governance is needed to guide an organization's actions on these standards.
- DNS records must be entered carefully: a single typo in an SPF or DMARC record can cause legitimate mail to fail authentication.
- Organizations, particularly smaller ones, may need outside support to implement DMARC.
- Raw DMARC reports are difficult to read and interpret without a tool.
- Non-technical staff need cybersecurity awareness, because DMARC is widely misunderstood.
- "Indirect email flows" such as forwarding and mailing lists can break SPF or DKIM alignment and need to be addressed before a stricter policy is enforced.
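To make the DNS and HSTS recommendations in the list concrete, here is an added example (not code from the page or from CISA) that checks the SPF and DMARC records of several constructed domains, including a non-sending one, and a Strict-Transport-Security header value, reporting where each falls short of the guidance. The domain names, record values and the one-year max-age threshold are assumptions for illustration; a real audit would fetch the TXT records from DNS and the header from the live site instead of the inline dictionary.

```python
"""Check SPF, DMARC and HSTS settings against the CISA recommendations listed above.

Constructed example: the zone and header values below are made-up sample data
(reserved .example names), not any real organization's records, so the checks
run offline without DNS or HTTP lookups."""

SAMPLE_ZONE = {
    # Sending domain configured the way the guidance recommends.
    "clinic.example": {
        "sends_mail": True,
        "spf": "v=spf1 include:_spf.mailprovider.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@clinic.example",
    },
    # Sending domain still at the monitoring-only starting policy.
    "monitor.example": {
        "sends_mail": True,
        "spf": "v=spf1 include:_spf.mailprovider.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    },
    # Non-sending (parked) domain with no records at all: trivially spoofable.
    "parked.example": {"sends_mail": False, "spf": None, "dmarc": None},
}


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; rua=...' into a dict of lower-cased tags."""
    if not txt or not txt.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_domain(spf, dmarc, sends_mail=True):
    """Return findings for one second-level domain; an empty list means compliant."""
    findings = []
    spf_norm = spf.strip().lower() if spf else None
    if spf_norm is None:
        findings.append("no SPF record: any host can claim to send for this domain")
    elif not spf_norm.startswith("v=spf1"):
        findings.append("SPF record does not start with v=spf1")
    elif not sends_mail and spf_norm != "v=spf1 -all":
        findings.append("non-sending domain should publish exactly 'v=spf1 -all'")
    elif not spf_norm.endswith("-all"):
        findings.append("SPF ends in ~all/?all: unauthorized senders are not hard-failed")

    tags = parse_dmarc(dmarc)
    if tags is None:
        findings.append("no DMARC record: receivers can neither enforce a policy nor report")
    else:
        policy = tags.get("p", "").lower()
        if policy == "none":
            findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
        elif policy == "quarantine":
            findings.append("DMARC p=quarantine; move to p=reject once reports are clean")
        elif policy != "reject":
            findings.append(f"DMARC policy '{policy}' is not valid")
        if "rua" not in tags:
            findings.append("no rua= address: aggregate reports are sent nowhere")
    return findings


def check_hsts(header_value, min_age=31536000):
    """Check a Strict-Transport-Security value: max-age of at least a year (assumed threshold), subdomains included."""
    if not header_value:
        return ["HSTS header absent: browsers may still follow plain-HTTP links"]
    findings = []
    directives = [d.strip().lower() for d in header_value.split(";")]
    max_age = None
    for directive in directives:
        if directive.startswith("max-age="):
            value = directive.split("=", 1)[1]
            max_age = int(value) if value.isdigit() else None
    if max_age is None:
        findings.append("max-age directive missing or not numeric")
    elif max_age < min_age:
        findings.append(f"max-age={max_age} is below the recommended one year")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains missing: subdomains stay reachable over HTTP")
    return findings


def audit_zone(zone=SAMPLE_ZONE):
    """Run check_domain over every domain in the zone; returns {domain: findings}."""
    return {name: check_domain(cfg["spf"], cfg["dmarc"], cfg["sends_mail"])
            for name, cfg in zone.items()}


if __name__ == "__main__":
    for domain, findings in audit_zone().items():
        print(domain, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
    print("HSTS:", check_hsts("max-age=300") or "OK")
```

Run as a script it prints one block per domain: clinic.example passes, monitor.example is flagged for both its softfail SPF and its monitoring-only DMARC policy, and parked.example is flagged twice because it has neither record. The SPF check is deliberately strict about non-sending domains: anything other than a bare "v=spf1 -all" there means the domain is advertising senders it does not have.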
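Because the list notes that DMARC reports are hard to read without a tool, here is a second added example (again not the page's or CISA's code) that parses a constructed aggregate (RUA) report in the standard DMARC XML format and reduces it to per-source pass/fail counts plus the sources worth investigating. The reporter, domain, IP addresses and counts are made up for illustration.

```python
"""Summarize a DMARC aggregate (RUA) report into something a human can act on.

Constructed example: the XML below is a made-up report in the DMARC aggregate
format, trimmed to the fields this summary uses; it is not a real receiver's report."""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_RUA = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published>
    <domain>clinic.example</domain>
    <p>reject</p>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>35</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.9</source_ip>
      <count>4</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
  </record>
</feedback>
"""


def summarize_rua(xml_text):
    """Return per-source-IP results plus the domain and policy the receiver applied.

    A message passes DMARC when aligned DKIM or aligned SPF passes, which is why the
    third row (DKIM pass, SPF fail, typical of forwarded mail) still counts as
    authenticated and was not rejected."""
    root = ET.fromstring(xml_text)
    summary = {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "sources": {},
        "totals": defaultdict(int),
    }
    for row in root.iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        dkim_ok = evaluated.findtext("dkim") == "pass"
        spf_ok = evaluated.findtext("spf") == "pass"
        disposition = evaluated.findtext("disposition")
        dmarc_ok = dkim_ok or spf_ok
        summary["sources"][ip] = {
            "count": count, "dkim": dkim_ok, "spf": spf_ok,
            "dmarc_pass": dmarc_ok, "disposition": disposition,
        }
        summary["totals"]["pass" if dmarc_ok else "fail"] += count
        summary["totals"][disposition] += count
    summary["totals"] = dict(summary["totals"])
    return summary


def suspicious_sources(summary):
    """IPs that failed both SPF and DKIM: unknown senders or spoofing attempts to investigate."""
    return [ip for ip, src in summary["sources"].items() if not src["dmarc_pass"]]


if __name__ == "__main__":
    report = summarize_rua(SAMPLE_RUA)
    print(f"{report['reporter']} report for {report['domain']} (p={report['policy']}): {report['totals']}")
    for ip, src in report["sources"].items():
        status = "pass" if src["dmarc_pass"] else "FAIL"
        print(f"  {ip:15} {src['count']:>5} msgs  DMARC {status}  disposition={src['disposition']}")
    print("investigate:", suspicious_sources(report))
```

In practice these reports arrive as gzip or zip attachments to the rua= mailbox, so a real tool decompresses each attachment and feeds the XML to summarize_rua; the pass/fail split by source IP is what tells you whether you can safely move from p=none to p=reject.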
The common email vulnerabilities in the Healthcare and Public Health (HPH) sector that CISA seeks to combat
According to the CISA guidance, “Phishing emails and the use of unencrypted Hypertext Transfer Protocol (HTTP) remain persistent channels through which malicious actors can exploit vulnerabilities in an organization’s cybersecurity posture. Attackers may spoof a domain to send a phishing email that looks like a legitimate email.” Phishing emails are used to steal login credentials or deliver malware. CISA has observed that healthcare organizations are attractive targets because of the high value of the protected health information (PHI) they hold.
How CISA guidance aligns with HIPAA Security Rule
The HIPAA Security Rule requires administrative, physical, and technical safeguards for electronic protected health information (ePHI). CISA's guidance supports those requirements by emphasizing encryption in transit, email authentication, and security awareness training. SPF, DKIM, and DMARC, as recommended by CISA, help meet the Rule's integrity and transmission security standards by making it harder to spoof or tamper with mail that appears to come from the organization, while STARTTLS and HTTPS address its expectations for protecting data in transit.
CISA also stresses the need for a cybersecurity training program, which maps to the Security Rule's administrative safeguard for security awareness and training. In this division of labor, the Rule sets the requirements, while guidance from HHS and CISA describes concrete steps toward meeting them.
FAQs
What makes healthcare organizations particularly vulnerable to email attacks?
Healthcare organizations handle large volumes of sensitive patient data (ePHI), making them attractive targets for cybercriminals. Many healthcare employees use email to transmit private health information, but they may lack sufficient security awareness, making them vulnerable to phishing attacks and other email-borne threats.
What are the most common types of email-based attacks targeting healthcare?
The most common attacks include phishing, spear-phishing, business email compromise (BEC), malware distribution, and ransomware attacks. Phishing is often used to steal credentials or deliver malware.
How can phishing attacks lead to healthcare data breaches?
Phishing emails trick employees into revealing their login credentials or opening malicious attachments. A compromised mailbox or workstation then gives the attacker access to the ePHI stored there and to any other systems those credentials unlock.