It is surprising to think that in 2015 there is still a misunderstanding how our emails are stored. It’s probably because we take this tool for granted. We have had it for a very long time and it’s just another communication mode for us. In Hillary’s case, it certainly raises some eyebrows how someone could keep any emails on a private home server.
Those of us in Information Technology know how it is possible set up a home email server. You certainly have to set up an IP address, application software, and the appropriate Internet service provider. Most executives are not going to be tech savvy enough to do this, so they would have to rely on an IT expert. Today however, we have an abundance of email programs that can be used in our homes from any web browser. The most commonly used is Gmail. Google is providing a host of applications that work together to provide a very customized user experience. Emails are stored on the cloud so there’s no issue of having emails stored on a personal computer. However, storing emails in a cloud comes with its own set of risks. Which include password management, control over encryption methodologies, and storage of sensitive data.
In the case of the State Department they are dealing with classified information. As a former military officer I equate this to protected health information. The level of protection and the safeguard responsibilities are the same. There are routine communications that we engage in every day, and for the most part are mundane and basic business operations. They don’t necessarily contain clinical information, patient identifier information, or any of those red flags that we are used to. But they may contain financial information pertaining to the business operations and maybe even have some strategic information about the direction of the organization. This type of information is obviously sensitive, not to mention any personnel issues that may involve legal discovery. So as we sift through the multitude of emails that we have coming into our inbox we can certainly conceptualize different levels of security. The military uses three basic levels of security. Unclassified, Secret, and Top-Secret. Of course each one of these classification levels have subcategories depending on the content. There might even be caveats for foreign nationals attending briefings as part of joint operations. They also have a “need to know” policy which simply put means; just because you have a security level does not mean you have access to everything under that level. In the case of healthcare we have never really classified our data in terms of sensitivity. We have protected health information (HIPAA) guidelines and we have information that our legal teams advise us on. Other than the standard disclaimer that most email messages contains at the bottom, we don’t have a header on the top designating it sensitivity level.
What is the risk? Using the Outlook software as an example, any user can create a rule to set up auto-forward for emails based on the sender, subject line, or keyword. That means if they don’t have access to their email outside of the work computer they can forward it to their personal email account. In the last 2 to 3 years we have also seen a proliferation of cloud-based storage. I’m not talking about a subscription-based storage, I am talking about storage that is readily available through Microsoft or Google. All home computers running the latest version of Microsoft have access to One Drive. Gmail users have automatic access to cloud storage when they create an account. So your employees can save emails and attachments right to their cloud storage for later review at home.
You never had to worry about this before so why should you worry about this now? Going back to Hillary’s example, here you have someone that was advised that her hard drive was fully deleted. She had peace of mind that when she got rid of her email server it no longer contained any information available on it. Of course any IT person worth their salt will tell you that there’s no such thing as a deleted hard drive information. It is always possible to retrieve data that has been deleted from a hard drive. The only way to make sure that information is deleted is to destroy the hard drive. Given the price of hard drives today, this is a very simple cost-effective solution.
How do you protect yourself? First you need a bottom-up security review. It actually begins with your server infrastructure including your email server settings. Obviously you should look at your firewalls and intrusion protection. Think you don’t have to worry about intrusion or hackers? You can see real-time hacking attempts as they occur at http://map.norsecorp.com/.
However, your biggest risk today is your own employees. You need to provide full training and education on handling corporate information. By corporate I mean all information clinical, financial and routine that is traveling through your network. You need to set the expectation up front as your employees are going through orientation. You also have to provide periodic reminders and poster material to keep the message alive. Of course this initiative has to have teeth. So you have to have the appropriate policies and procedures to give the employees guidelines on handling information. You also have to give supervisors the guidance on what to do when the policies are violated. Keeping in mind that the higher up in the organization you go, the higher the risk of information that could be breached.
Politics aside what Hillary has taught us is that we all have to be familiar with the appropriate handling of information. Having clear demarcation lines between work emails and home emails is just the first step. Think of HIPAA as just being the tip of the iceberg, what lies beneath is what can sink your organization.
