Email Security – Navigating Through the Process of Validation and Compliance with Healthcare Business Stakeholders

Email communications with business stakeholders in the healthcare industry are critical due to stringent regulatory timelines that mandate specific compliance requirements. At the same time, managing information security amidst an ever-evolving threat landscape is paramount. In healthcare, ensuring email security has become increasingly challenging and mission-critical.

The most critical risk for our industry is the potential disclosure of information that is confidential, sensitive, private, and labelled as either Personally Identifiable Information (PII) or Personal Health Information (PHI). Sponsors and their Clinical Research Organization (CRO) partners are accountable and responsible for this during the lifecycle of a drug development program.

According to several reports from Barracuda and TechTarget, data shows that: 

  • most (69%) of ransomware attacks began with an email,
  • email is the most common starting point for ransomware attacks,
  • email remains the No.1 threat vector and is the preferred method of attack for cyber criminals, and
  • phishing attacks increased by a whopping 1,265% in 2023, thanks in part to the growth of generative AI (GenAI), according to “The State of Phishing 2023” report from SlashNext.

Addressing Email Security Challenges Head On

To address these challenges, several email authentication methods are recommended and widely used by major email service providers such as Google and Yahoo to block messages that do not meet their additional security standards. These methods help protect against email and domain spoofing and ensure email security.

Additionally, they help prevent spammers, phishers, and other unauthenticated parties from sending emails on behalf of a domain they do not own. This includes the following methods:

  • Sender Policy Framework (SPF)
  • DomainKeys Identified Mail (DKIM)
  • Domain-based Message Authentication Reporting and Conformance (DMARC)

Sender Policy Framework (SPF)

SPF is a way for a domain to list all the servers that the sent emails come from. This is something like a publicly-available employee directory that can help confirm whether or not an employee works for a company.

SPF records list all the IP addresses of all of the servers that are allowed to send emails from the domain.

DomainKeys Identified Mail (DKIM)

DKIM enables domain owners to automatically “sign” emails from their domain. Specifically, DKIM uses public key cryptography. This is how it works:

  • A DKIM record stores the domain’s public key, and mail servers receiving emails from the domain can check this record to obtain the public key.
  • The private key is kept secret by the sender, who signs the email’s header with this key.
  • Mail servers receiving the email will be able to verify that the sender’s private key was used by applying the public key. This will also ensure that the email was not tampered with during transit.

Domain-based Message Authentication Reporting and Conformance (DMARC)

DMARC indicates a receiving email server what actions to take after evaluating the SPF and DKIM results. A domain’s DMARC policy can be set up in different ways – it can instruct the mail servers to quarantine emails that fail SPF or DKIM (or both), to reject such emails, or to deliver them.

Configuring and maintaining SPF and DMARC are not as challenging as they seem. If these are configured to be too restrictive, legitimate emails will be dropped or marked as spam. If it’s too relaxed, it carries the risk of your domain being misused for email spoofing. In fact, these authentication mechanisms (DMARC/SPF/DKIM) have been around for many years now, and yet there is still very few active DMARC records.

With the above in mind, it is crucial to balance the business needs of ensuring email communication from every stakeholder (e.g., clinical trial sites, DSMB members, clinical investigators, etc.) while maintaining email security to prevent email and domain spoofing.

The key to achieving this balance is to integrate email security compliance into the pharmaceutical supplier management processes during vendor and service provider onboarding. This includes coordinating with IT teams to set up and test email authentication mechanisms. Additionally, there should be an ongoing process to verify that new email domains from any Sponsors, vendors, or suppliers are added to these authentication mechanisms to maintain robust email security.

For questions related to this article, please click here and we will connect you with a expert.

Authored by: Seetharaman Sankaran, Associate Director, IT, Quality and Compliance.

Suggested For You

perspectives

September 30th, 2024

Meet the Leaders Driving MMS’s European Growth

perspectives

September 30th, 2024

The Future of Data Management and Biostatistics: Trends and Technologies Shaping the Industry

perspectives

September 24th, 2024

Embracing Quality Management Maturity (QMM) at the Cornerstone of the Pharmaceutical Industry

perspectives

September 11th, 2024

From Historical Precedent to Modern Approvals: Lessons Learned on OTC Drug Products for FDA OMORs

perspectives

August 27th, 2024

Optimizing Oncology Drug Development: FDA Expedited Pathways, Real-Time Review, and Global Programs

perspectives

August 20th, 2024

Clinical Study Protocols: A Comprehensive Guide to Best Practices From A Senior Medical Writer

perspectives

August 13th, 2024

How To Navigate The Nonclinical Evaluation Landscape Of Biopharmaceuticals

perspectives

August 5th, 2024

Ensuring Robust Data Privacy and Protection: An Overview of the MMS Framework

perspectives

July 30th, 2024

The Critical Role of Quality Control (QC) – Medical Writing and Beyond

perspectives

July 23rd, 2024

PSI 2024 Ignited Conversations on External Data Sources, Requirements for Estimands, and Bayesian Methodology for Statisticians in Pharma

perspectives

July 16th, 2024

Key Steps to Successful CMC Authoring of IND and IMPD Submissions

perspectives

July 9th, 2024

Managing RTOR Submissions: How to Run a Successful Race from the Top Line Starting Line