Email Security – Navigating Through the Process of Validation and Compliance with Healthcare Business Stakeholders

Email communications with business stakeholders in the healthcare industry are critical due to stringent regulatory timelines that mandate specific compliance requirements. At the same time, managing information security amidst an ever-evolving threat landscape is paramount. In healthcare, ensuring email security has become increasingly challenging and mission-critical.

The most critical risk for our industry is the potential disclosure of information that is confidential, sensitive, private, and labelled as either Personally Identifiable Information (PII) or Personal Health Information (PHI). Sponsors and their Clinical Research Organization (CRO) partners are accountable and responsible for this during the lifecycle of a drug development program.

According to several reports from Barracuda and TechTarget, data shows that: 

• most (69%) of ransomware attacks began with an email,
• email is the most common starting point for ransomware attacks,
• email remains the No.1 threat vector and is the preferred method of attack for cyber criminals, and
• phishing attacks increased by a whopping 1,265% in 2023, thanks in part to the growth of generative AI (GenAI), according to “The State of Phishing 2023” report from SlashNext.

Addressing Email Security Challenges Head On

To address these challenges, several email authentication methods are recommended and widely used by major email service providers such as Google and Yahoo to block messages that do not meet their additional security standards. These methods help protect against email and domain spoofing and ensure email security.

Additionally, they help prevent spammers, phishers, and other unauthenticated parties from sending emails on behalf of a domain they do not own. This includes the following methods:

• Sender Policy Framework (SPF)
• DomainKeys Identified Mail (DKIM)
• Domain-based Message Authentication Reporting and Conformance (DMARC)

Sender Policy Framework (SPF)

SPF is a way for a domain to list all the servers that the sent emails come from. This is something like a publicly-available employee directory that can help confirm whether or not an employee works for a company.

SPF records list all the IP addresses of all of the servers that are allowed to send emails from the domain.

DomainKeys Identified Mail (DKIM)

DKIM enables domain owners to automatically “sign” emails from their domain. Specifically, DKIM uses public key cryptography. This is how it works:

• A DKIM record stores the domain’s public key, and mail servers receiving emails from the domain can check this record to obtain the public key.
• The private key is kept secret by the sender, who signs the email’s header with this key.
• Mail servers receiving the email will be able to verify that the sender’s private key was used by applying the public key. This will also ensure that the email was not tampered with during transit.

Domain-based Message Authentication Reporting and Conformance (DMARC)

DMARC indicates a receiving email server what actions to take after evaluating the SPF and DKIM results. A domain’s DMARC policy can be set up in different ways – it can instruct the mail servers to quarantine emails that fail SPF or DKIM (or both), to reject such emails, or to deliver them.

Configuring and maintaining SPF and DMARC are not as challenging as they seem. If these are configured to be too restrictive, legitimate emails will be dropped or marked as spam. If it’s too relaxed, it carries the risk of your domain being misused for email spoofing. In fact, these authentication mechanisms (DMARC/SPF/DKIM) have been around for many years now, and yet there is still very few active DMARC records.

With the above in mind, it is crucial to balance the business needs of ensuring email communication from every stakeholder (e.g., clinical trial sites, DSMB members, clinical investigators, etc.) while maintaining email security to prevent email and domain spoofing.

The key to achieving this balance is to integrate email security compliance into the pharmaceutical supplier management processes during vendor and service provider onboarding. This includes coordinating with IT teams to set up and test email authentication mechanisms. Additionally, there should be an ongoing process to verify that new email domains from any Sponsors, vendors, or suppliers are added to these authentication mechanisms to maintain robust email security.

For questions related to this article, please click here and we will connect you with a expert.

Authored by: Seetharaman Sankaran, Associate Director, IT, Quality and Compliance.