Email Security – Navigating Through the Process of Validation and Compliance with Healthcare Business Stakeholders

Email communications with business stakeholders in the healthcare industry are critical due to stringent regulatory timelines that mandate specific compliance requirements. At the same time, managing information security amidst an ever-evolving threat landscape is paramount. In healthcare, ensuring email security has become increasingly challenging and mission-critical.

The most critical risk for our industry is the potential disclosure of information that is confidential, sensitive, private, and labelled as either Personally Identifiable Information (PII) or Personal Health Information (PHI). Sponsors and their Clinical Research Organization (CRO) partners are accountable and responsible for this during the lifecycle of a drug development program.

According to several reports from Barracuda and TechTarget, the data shows that:

  • most (69%) of ransomware attacks began with an email,
  • email is the most common starting point for ransomware attacks,
  • email remains the No.1 threat vector and is the preferred method of attack for cyber criminals, and
  • phishing attacks increased by a whopping 1,265% in 2023, thanks in part to the growth of generative AI (GenAI), according to “The State of Phishing 2023” report from SlashNext.

Addressing Email Security Challenges Head On

To address these challenges, several email authentication methods are recommended and widely used by major email service providers such as Google and Yahoo to block messages that do not meet their additional security standards. These methods help protect against email and domain spoofing and ensure email security.

Additionally, they help prevent spammers, phishers, and other unauthenticated parties from sending emails on behalf of a domain they do not own. This includes the following methods:

  • Sender Policy Framework (SPF)
  • DomainKeys Identified Mail (DKIM)
  • Domain-based Message Authentication Reporting and Conformance (DMARC)

Sender Policy Framework (SPF)

SPF is a way for a domain to publish the list of servers that its outgoing email is sent from. It works something like a publicly available employee directory that can be used to confirm whether or not a person actually works for a company.

SPF records list all the IP addresses of all of the servers that are allowed to send emails from the domain.

DomainKeys Identified Mail (DKIM)

DKIM enables domain owners to automatically “sign” emails from their domain. Specifically, DKIM uses public key cryptography. This is how it works:

  • A DKIM record stores the domain’s public key, and mail servers receiving emails from the domain can check this record to obtain the public key.
  • The private key is kept secret by the sender, who signs the email’s header with this key.
  • Mail servers receiving the email will be able to verify that the sender’s private key was used by applying the public key. This will also ensure that the email was not tampered with during transit.

Domain-based Message Authentication Reporting and Conformance (DMARC)

DMARC tells a receiving mail server what action to take after it has evaluated the SPF and DKIM results. A domain’s DMARC policy can be set up in different ways: it can instruct receiving mail servers to quarantine emails that fail SPF or DKIM (or both), to reject such emails, or to deliver them.

Configuring and maintaining SPF and DMARC are not as challenging as they seem. If they are configured to be too restrictive, legitimate emails will be dropped or marked as spam. If they are too relaxed, they carry the risk of your domain being misused for email spoofing. In fact, these authentication mechanisms (DMARC/SPF/DKIM) have been around for many years now, and yet there are still very few active DMARC records.
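As an added example (not code from the article or its author), the Python script below walks through the three mechanisms described above on constructed DNS TXT records: it evaluates an SPF record against a sending IP address, looks up the public key from a DKIM selector record, and computes the DMARC disposition from the aligned SPF and DKIM results. The domain example-sponsor.test, the IP addresses and the key value are placeholders, and the organizational-domain check is a two-label approximation rather than a Public Suffix List lookup.

```python
import ipaddress
# Constructed sample DNS TXT records for the hypothetical domain example-sponsor.test
# (placeholder names, addresses and key material; not a real organisation).
TXT_RECORDS = {
    "example-sponsor.test": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 -all",
    "s1._domainkey.example-sponsor.test": "v=DKIM1; k=rsa; p=MIIBIjPLACEHOLDERKEY",
    "_dmarc.example-sponsor.test": "v=DMARC1; p=quarantine; aspf=s; adkim=r",
}

def parse_tags(record):
    """Split a DKIM or DMARC 'tag=value; tag=value' record into a dict."""
    return dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)

def spf_result(record, sender_ip):
    """SPF check limited to ip4/ip6 mechanisms and the final 'all' term
    (include/a/mx terms need live DNS lookups and are skipped here)."""
    ip = ipaddress.ip_address(sender_ip)
    outcome = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:  # skip the 'v=spf1' version tag
        qual = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return outcome[qual]
        if mech[:4] in ("ip4:", "ip6:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return outcome[qual]
    return "neutral"  # nothing matched and no 'all' term: RFC 7208 default

def dkim_public_key(domain, selector):
    """The 'p' tag under selector._domainkey.domain is the key receivers verify the
    header signature with (verification itself needs a crypto library; out of scope)."""
    return parse_tags(TXT_RECORDS[f"{selector}._domainkey.{domain}"])["p"]

def org_domain(domain):
    """Two-label approximation of the organizational domain (assumption; real
    implementations consult the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """DMARC alignment: 's' requires an exact match, 'r' the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """DMARC passes when EITHER aligned check passes; only when both fail is the
    published p= policy (none / quarantine / reject) applied to the message."""
    record = TXT_RECORDS.get(f"_dmarc.{from_domain}")
    if record is None:
        return "no-policy"  # nothing published: the receiver applies its own rules
    tags = parse_tags(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    return "pass" if spf_ok or dkim_ok else tags.get("p", "none")
```

The strict aspf=s / relaxed adkim=r split in the sample record shows the balance the article describes: mail from a subdomain passes SPF but is not strictly aligned, so delivery then depends on an aligned DKIM signature.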

With the above in mind, it is crucial to balance the business needs of ensuring email communication from every stakeholder (e.g., clinical trial sites, DSMB members, clinical investigators, etc.) while maintaining email security to prevent email and domain spoofing.

The key to achieving this balance is to integrate email security compliance into the pharmaceutical supplier management processes during vendor and service provider onboarding. This includes coordinating with IT teams to set up and test email authentication mechanisms. Additionally, there should be an ongoing process to verify that new email domains from any Sponsors, vendors, or suppliers are added to these authentication mechanisms to maintain robust email security.

For questions related to this article, please click here and we will connect you with an expert.

Authored by: Seetharaman Sankaran, Associate Director, IT, Quality and Compliance.
