Cloud based email security solutions have become extremely popular in recent years. These email security solutions help healthcare organizations achieve compliance with the HIPAA Security Rule by blocking threats to the confidentiality, integrity, and availability of electronic protected health information (ePHI). They perform many of the same functions as on-premises email security products but have several advantages.
One of the most important factors influencing the decision whether to opt for on-premises or cloud based email security is cost. If you want to have an on-premises email security solution, you must pay for the product up front, and set up the infrastructure to support it, which may involve purchasing new hardware. You will then need to install the software, configure the solution, and commit resources to managing and maintaining both the hardware and software. The hardware used to support the email security solution will also need to be periodically replaced. The time and money that needs to be committed to on-premises email security are considerable.
With a cloud based email security solution, there is no hardware to purchase or set up, as the hardware and infrastructure are provided by your software-as-a-service (SaaS) provider. The SaaS company will maintain the hardware, update the hardware as necessary, replace it as it approaches end-of-life, and will also handle all of the software updates. Minimal technical knowledge is required to get started, as SaaS providers handle all of the technical aspects. Getting started involves changing your MX records to point to the SaaS provider and you are good to go. The solution can be accessed from anywhere with an Internet connection using a web-based interface, which makes configuring the solution to your needs and managing email security much more straightforward. Cloud based email security is by far the easiest email security option to implement.
Further, the cost of email security becomes an operational expense, and some SaaS companies even offer monthly billing to make it more affordable. The pricing is transparent, organizations know what they need to pay, and there are no hidden costs or surprises. Initially, cloud based email security is by far the cheapest option, although there will be ongoing spending required; however, when you factor in the time savings, over time you are likely to find cloud email security more cost-effective. Another key benefit is the scalability of the cloud. When the needs of the business change and more or less capacity is required, the service can be right-sized to meet the needs of the business.
There are some disadvantages for healthcare organizations with cloud-based services. Emails naturally pass through the servers of the SaaS provider, and if those emails contain ePHI, the SaaS company will be a business associate and will therefore be required to sign a business associate agreement and agree to comply with the HIPAA Rules. Not all SaaS companies will be prepared to sign a BAA. You must also bear in mind that a SaaS company may operate data centers in different countries, where protections may be lower. You will also be relying on the security measures that the SaaS company has in place. You must carefully evaluate those security measures and ensure they provide sufficient protection to comply with the HIPAA Rules.
On-premises and cloud email security solutions are used to block spam emails and prevent email-borne threats from reaching inboxes. With cloud solutions, all filtering takes place on the service provider’s servers, so threats never reach the internal network. Cloud based email security solutions typically offer advanced threat protection, so will block spam emails and incorporate next-generation security features to block sophisticated email attacks.
While signature-based malware detection is important, malware now has a short lifespan. By the time the signature of a malware variant has been added to the email security solution, a new variant of the malware has likely been released. Many cloud email security solutions also include a sandbox, where email attachments are sent, and their behavior is analyzed. Email sandboxing allows email security solutions to identify malicious behaviors and detect and block zero-day malware threats. In healthcare, which is extensively targeted by threat actors, this additional layer of protection against malware is important.
Email security solutions will detect and block most mass phishing campaigns, but may struggle to protect against more targeted, spear phishing attacks. These attacks often involve emails that have been specially crafted for an attack on an organization, and detecting these malicious emails is more difficult. SaaS companies have incorporated predictive methods of detecting novel phishing attacks by using AI and machine learning components. These components analyze emails and determine the probability that an email is malicious. Tolerance thresholds can then be set based on the level of risk. These capabilities will improve protection against zero-day phishing attacks.
Most phishing emails include hyperlinks to websites hosting phishing kits where credentials are captured. Threat actors mask their malicious URLs in many ways, such as adding links to legitimate cloud services such as SharePoint, Dropbox, and Google Drive, which are hard for email security solutions to differentiate from the genuine use of those services. You should choose a cloud email security solution that offers advanced protection against malicious URLs in emails – one that rewrites URLs and follows them, including any redirects, and assesses the landing page for malicious content.
Cloud email security solutions often include other useful features such as inbuilt email archiving to ensure email continuity, even in the event of a mail server outage. Email archives ensure that no emails are ever lost. Many SaaS providers will provide an SLA that promises 100% uptime, with many SaaS solutions also having data loss prevention (DLP) capabilities that can identify and block accidental data leaks by scanning all outbound messages, then automatically quarantining any that are found to be malicious or contain sensitive information such as ePHI. Some solutions also incorporate email encryption and will automatically encrypt emails containing sensitive data to ensure that only the intended recipient can access the message. These features can help healthcare organizations achieve Security Rule compliance.
Cloud based email security is much easier to set up, takes less time, is usually a more cost-effective choice than on-premises email security solutions, and can provide many more layers of protection than on-premises solutions. They can be as secure – if not more secure – than on-premises email security. If you are not sure about whether on-premises or cloud based email security is best, SaaS providers should be able to offer advice on the best implementation. That may involve a hybrid approach, where internal emails are not filtered in the cloud, with the cloud based service used for external emails only.