Preventing Breaches Involving Personal Email
A recently reported health data breach in Colorado offers a reminder that organizations must take precautions to prevent and detect data leakage involving current and former employees inappropriately using personal email.
… Organizations can take several steps to help address the issue of email-related breaches, says Keith Fricke, principal consultant at consulting firm tw-Security. That includes blocking all outbound access to external personal email from the hospital’s network and requiring staff to access their personal email on their personally owned phones by connecting to the hospital’s guest wireless network, he says.
Also, if a hospital has a “bring your own device” policy, mobile device management software can be configured to help prevent co-mingling of hospital email and personal email, he notes. “After-hours work should be done via secure remote access into the hospital’s network and not by sending copies of data to their personal email, assuming they don’t have remote access to their email when not at work,” Fricke adds.
The best course of action is to block access to personal email, requiring workers to access it from personally owned devices that are not capable of receiving hospital email, Fricke adds.
“If circumstances require permitting access to personal email, the hospital should be using SSL inspection and/or data leakage prevention technologies to examine web-based personal email for evidence of PHI,” he adds.
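As an added illustration, not taken from the article or from tw-Security, the following Python sketch shows the kind of decision logic an inspecting proxy or data leakage prevention rule can apply to decrypted outbound webmail traffic once SSL inspection has made the request body visible. When the policy is to block personal email, any request to a personal webmail domain is refused; when access is permitted, only message submissions (POST bodies) are scanned for PHI indicators, with a stronger indicator or several weak ones producing a block and a single weak one producing an alert for review. The webmail domain list, the regular expressions, the hostnames and the sample requests are all constructed assumptions for the example, and the patterns are deliberately narrow; a production DLP policy would use far richer dictionaries and context.

```python
import re
from dataclasses import dataclass, field

# Constructed list of consumer webmail hosts. A real deployment would
# maintain this list (or a proxy category) separately. Assumption.
PERSONAL_WEBMAIL_DOMAINS = {"mail.google.com", "outlook.live.com", "mail.yahoo.com"}

# Illustrative PHI indicators. "mrn" is treated as a strong indicator because a
# medical record number rarely appears in legitimate personal mail; the others
# are weak on their own (an employee may legitimately send their own SSN).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}
STRONG_INDICATORS = {"mrn"}


@dataclass
class Verdict:
    action: str                      # "allow", "alert" or "block"
    reasons: list = field(default_factory=list)


def inspect_request(host, method, body, allow_personal_webmail=False):
    """Decide what an inspecting proxy should do with one outbound HTTP request.

    host   -- destination hostname (already decrypted via SSL inspection)
    method -- HTTP method; only POSTs can carry an outgoing message
    body   -- request body text to scan
    allow_personal_webmail -- False models the "block all personal email"
                              policy; True models "permit but inspect".
    """
    host = host.lower()
    if host not in PERSONAL_WEBMAIL_DOMAINS:
        # Not personal webmail: outside the scope of this rule.
        return Verdict("allow")
    if not allow_personal_webmail:
        return Verdict("block", ["personal webmail is blocked from the corporate network"])
    if method.upper() != "POST":
        # Reading mail does not move data out; only submissions are scanned.
        return Verdict("allow", ["read-only webmail traffic"])

    hits = [name for name, pattern in PHI_PATTERNS.items() if pattern.search(body)]
    if not hits:
        return Verdict("allow")
    reasons = [f"PHI indicator: {name}" for name in hits]
    # One strong indicator, or two or more distinct weak ones, is enough to block;
    # a single weak indicator is routed to a reviewer instead of blocked outright.
    if STRONG_INDICATORS & set(hits) or len(hits) >= 2:
        return Verdict("block", reasons)
    return Verdict("alert", reasons)


# Constructed sample traffic, as an inspecting proxy might see it.
SAMPLE_REQUESTS = {
    "forward_patient_list": ("mail.google.com", "POST",
                             "Forwarding the list for tomorrow. MRN: 00482913, DOB: 03/14/1961"),
    "personal_note":        ("mail.google.com", "POST", "Can you pick up the kids tonight?"),
    "read_inbox":           ("mail.google.com", "GET", ""),
    "internal_app":         ("ehr.hospital.example", "POST", "MRN: 00482913"),
    "own_ssn_to_hr":        ("outlook.live.com", "POST",
                             "My SSN is 123-45-6789 for the HR form, thanks"),
}


def run_samples(allow_personal_webmail):
    """Return {sample name: action} for every constructed request."""
    return {
        name: inspect_request(host, method, body, allow_personal_webmail).action
        for name, (host, method, body) in SAMPLE_REQUESTS.items()
    }


if __name__ == "__main__":
    for policy in (False, True):
        print(f"allow_personal_webmail={policy}")
        for name, action in run_samples(policy).items():
            print(f"  {name:22s} -> {action}")
```

Under the block-everything policy every request to a personal webmail host is refused regardless of content, which is the simpler and more reliable control; the inspect-and-scan path exists only for the case where personal email must be permitted, and even then the proxy must be terminating TLS for the body to be visible at all.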