A robust email protection system is crucial to stop email phishing attacks that often lead to ransomware. The Health Industry Cybersecurity Practices (HICP) document describes best practices for email protection. However, leaders would typically assume that adopting these practices is not cost-effective. We will look at one cloud-based email service which challenges that assumption.
An email phishing attack is the most common entryway for ransomware attacks. The attackers use phishing to collect login credentials for accessing sensitive data or deploying malware that leads to ransomware. Therefore, besides having awareness training, we need to equip the users with additional tools to minimize the chance of successful phishing attacks.
Finding an affordable and convenient tool that can meet practices described by HICP is vital for broad adoption.
Looking at HICP practice requirements
HICP discusses the email protection system as the first practice. This practice covers email system configuration, user education, and simulation testing.
The first category is email system configuration. HICP suggests avoiding consumer email systems, enabling anti-virus, multi-factor authentication, email encryption, secure browser settings, tagging emails from external senders, and creating an individual account.
The second category is user education. HICP suggests training users be aware of various suspicious emails, handling sensitive PHI information, and using the encryption module.
The third category is for simulation. HICP recommends running a regular campaign to test staff awareness of phishing attacks, from easy to advanced.
Together, these categories minimize the chance of attackers exploiting email systems. Compromised email may sound simple, but it often has a significant impact on the organization.
An organization will need to use its resources (people, process, and technology) to cover these areas. Leaders should often evaluate their technology stack to ensure that what they have can address today’s attacks.
We will consider one available product in the market that can address these requirements: Microsoft 365 Business Premium.
Looking at Microsoft 365 Business Premium (M365BP)
M365BP bundles services that meet the needs of small and medium businesses.
Besides the typical productivity apps (Word, Excel, PowerPoint), it also provides email security services described by HICP.
Let’s evaluate this product against the HICP requirements outlined previously.
M365BP includes the following services:
- Multi-Factor Authentication  is included in M365BP. It also has conditional access policies, which is an important feature to enable zero-trust principles later.
- Anti-spam and Anti-malware  is included. Microsoft has three security services: Exchange Online Protection (EOP) as the base, and can be upgraded to Defender for Office Plan 1 and Plan 2. Specifically, anti-spam, anti-malware, and anti-phishing are included in the base package (Exchange Online Protection).
- Tagging external email  feature can be enabled via PowerShell as this example below shows:
- Email encryption  is included with a feature that Microsoft calls “Office 365 Message Encryption”.
- Interestingly, Microsoft also offers attack simulation with an add-on service called Microsoft Defender for Office 365 Plan 2 .
Please note that these services are available for Exchange Online (instead of an on-premise Exchange server). It is hard to justify of having on-premise mail server for small-medium organizations. Cloud-based email services is preferred.
Looking at the cost for a small practice with an FTE physician
Think again if you feel HICP email protection service is out of reach for small-medium businesses.
M365BP brings enterprise features within reach for small-medium businesses.
The MSRP for M365BP is $20/user/month. To add attack simulation as part of the service, please add $5/user/month (Microsoft Defender for Office 365 Plan 2). These add up to $25/user/month or $300/user/year.
On average, an FTE physician would have 3.04 support staff. If we were to round it to 4 accounts (1 FTE + 3 Staff), their total monthly cost is $100/month or $1200/year plus tax. This number is well within the small practice budget discussed in the previous post.
For email protection to be effective, owning the tools is not enough. The next step is to enable and configure these features to work correctly.
When we feel confident that the tools are working correctly, the next step is to address the people and process part of the equation to ensure that the users know how and when to use it.
As part of the process, please ensure to document these steps. This process is necessary so that you can produce evidence for HICP adoption. This evidence will become handy during the audit should a breach were still to occur. As noted in the previous post, Public Law 116-321 would provide incentives for organizations that can produce evidence of HICP adoption for 12 months or longer.
HICP outlines best practices to protect email systems as it is often the entryway towards ransomware.
With a $25/user/month (plus tax) price tag for Microsoft 365 Business Premium and attack simulation add-on, it is affordable for small and medium organizations to adopt HICP for email system protection. In addition, I expect other cloud providers will provide similar services in the near future.
The technology required to implement the HICP email protection system is now within reach for small and medium organizations. Therefore, technology is no longer a barrier for small and medium organizations to adopt HICP for email protection.
Do you know of other email protection services that address all HICP requirements? Please comment below.