The uses of control analyses in email

A Journal of the American Medical Informatics Association qualitative analysis looking at email communication between patients and providers noted the growing popularity of email in the healthcare sector, “Enormous growth in the use of electronic mail (e-mail) and the Internet in the past decade has motivated increasing interest by consumers in using these technologies to explore health-related information and to communicate directly with their health care providers.1,2 As long ago as 1993, 90% of patients surveyed responded positively to the use of e-mail for communication.”

Control analysis provides a structured framework for continuously assessing the technical, procedural, and behavioral controls embedded in email policy. The benefit of control analysis lies in its ability to monitor and control email interruptions that affect employee cognitive resources and stress levels. 

Improper email management or unchecked email flow leads to resource depletion, emotional exhaustion, and job tension among workers. It allows organizations to design email policies that optimize email batching or restrict email checking frequency. It is necessary because constant email demands without controls can result in decreased employee well-being and even work-family conflicts. 

It also helps in enforcing authentication policies like SPF, DKIM, and DMARC, which help prevent spoofing and unauthorized use of organizational email domains. This reduces the risk of phishing and impersonation attacks, which are among the most common and damaging security threats via email.

What is a control analysis? 

Control analysis requires the scrutiny of the technical and nontechnical safeguards that are designed to reduce the likelihood of a threat exploiting system vulnerabilities. The analysis identifies whether the controls are functioning as intended and determines their adequacy in addressing the identified risks. 

NIST Special Publication 800-30 provides that to assess the degree of vulnerability, an overall likelihood rating is applied. This operates in the following way: “To derive an overall likelihood rating that indicates the probability that a potential vulnerability may be exercised within the construct of the associated threat environment, the implementation of current or planned controls must be considered.”

The analysis categorizes controls into two main types: preventive and detective. Preventive controls are the proactive mechanisms that stop a threat from materializing. Detective controls, on the other hand, focus on identifying and alerting when security violations occur, like intrusion detections or audit trails. The goal is not to prevent incidents but to detect them early enough that only minimal damage is caused. 

Can control analyses be applied to assess the efficacy of email policies in healthcare? 

A Dovepress Risk Management and Healthcare Policy study on information security risk management in Iranian hospitals noted, “Among the main activities of information security risk identification, only identification of assets, identification of threats, and control analysis were performed systematically.”

Control analysis complements the use of HIPAA compliant email platforms like Paubox to help uncover any gaps or weaknesses in both the procedural aspects of email policies. If the analysis, for example, reveals that employees are not sufficiently trained to recognize phishing attempts, the organization might consider updating its training program. 

If the policy suffers from inadequate encryption or fails to monitor outbound emails for protected health information (PHI), the organizations could improve these controls to reduce the risk of data breaches. Control analysis provides healthcare organizations with a systematic framework to assess and improve the security of their practices. 

How control analyses assist in enforcing email policy rules and content scanning

Control analysis provides the analytical framework that allows organizational administrators to enforce email policy rules rigorously by validating automated content scans and filtering mechanisms’ effectiveness. Modern email environments incorporate layered filtering technologies like spam filters, malware scanners, and phishing detection protocols. 

According to the Security Journal study assessing the prevention and mitigation measures that defend against phishing, “Although phishing emails have existed since the advent of the email communication system, significant increases in phishing campaigns amid the pandemic, observed by FinCEN and other federal agencies, such as the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA), have indicated the need for strategic vigilance at the individual and organizational levels.”

Control analyses help evaluate the policies that direct these technologies, checking whether rules are correctly applied in scanning inbound and outbound emails for unsafe attachments, malicious URLs, inappropriate content, or suspicious sender behavior.

Email load and user stress are closely influenced by the function and volume of emails received. Control analyses assist in distinguishing between task-related emails, which typically require action and are prioritized in scanning, and communication-related or bulk emails. This differentiation guides rule enforcement so that scanning efforts can focus on high-risk content without unnecessarily impeding productive email traffic. Control analyses help ensure that policy rules prioritize scrutiny of emails that affect primary work tasks while filtering less necessary information, which may otherwise contribute to cognitive overload.

How to apply control analyses

1. Evaluate technical controls: Assess the effectiveness of technical controls like PHI by taking into account measures like email encryption, secure access, email filtering, anti phishing controls, and data loss prevention tools. 
2. Examine nontechnical conanti-phishinge the components of email security that relate to organizational policies. This portion of the analysis looks at email usage policies, employee training (frequency and depth of training programs), and incident response procedures. 
3. Apply preventive and detective control framework: Preventive controls include restricting access to email servers while detective controls consist of real time monitoring to detect unusual patterns. 
4. Conduct compliance checks and vulnerability assessments: Perform routine audits and vulnerability assessments on email systems to check if they are up to date and applied uniformly. 
5. Test the system: Conduct pen tests or simulated phishing attacks to see how well employees comply with email security practices. 
6. Assess gaps and make improvements: If control analysis reveals deficiencies like weak password enforcement or missing encryption take corrective actions. 
   
   

FAQs

What are technical safeguards?

They are the security measures built into the technology itself to protect PHI, particularly in electronic health records (EHRs). 

How are systems defined within healthcare organizations? 

It typically refers to the various technologies, software, and networks that manage, store, and transmit PHI. 

What is the HITECH Act?

The HITECH Act was passed as part of the American Recovery and Reinvestment Act of 2009 and promotes the adoption of health information technology across the health system.