Sophos's email policy enforcement helps healthcare organizations comply with patient confidentiality regulations

May 03, 2005 Sophos Press Release

Lynnfield, MA - Sophos, a world leader in network security, continues to help organizations protect against malicious threats, enforce policies and achieve overall compliance with the Health Insurance Portability and Accountability Act (HIPAA), legislation that mandates patient confidentiality. Healthcare organizations that have selected Sophos include Byram Healthcare Centers, Poudre Valley Health System, Rothman Institute and Virginia Mason Medical Center. Sophos's success within this sector and other vertical markets such as academic and federal government is a direct result of its comprehensive integrated virus and spam detection and rich policy environment that supports complex security and/or regulatory compliance requirements.

The HIPAA Privacy and Security Compliance deadline was April 21, 2005. A recent survey by the American Health Information Management Association (AHIMA), conducted to determine whether healthcare organizations were compliant or close to achieving compliance, clearly showed that many organizations still faced challenges. In the January 2005 survey, approximately 17% of respondents reported that they were completely compliant; 43% said they were 85-95% compliant; 26% felt they were about 50% compliant; and 12% revealed that they were less than 50% compliant. The HIPAA rules set noncompliance penalties of up to $25,000 per violation. Furthermore, non-compliance can also do substantial damage to an organization's credibility and competitive position.

"It's vital that healthcare organizations take precautionary measures to ensure the highest level of security when it comes to protecting their networks against malicious threats," said Richard M. Entrup, Chief Information Officer at Byram Healthcare Centers. "Byram has taken HIPAA very seriously. Our focus needs to not only extend to protecting our internal network assets but also our customer base and patients. Sophos has been a significant piece of the overall strategy in helping us achieve compliancy." Byram has more than 450 employees, operates 14 offices throughout the United States and serves more than 250,000 customers.

Sophos's gateway security solution, PureMessage, offers an extended policy module that integrates a broad range of threat detection capabilities into a single policy framework, allowing threats to be stopped at the gateway and minimizing their impact on the enterprise network. It enables comprehensive message management, ensuring that both inbound and outbound email messages comply with corporate policies and meet regulatory compliance mandates. PureMessage enables administrators to manage the transmission of private or confidential information, maintain records of communication and monitor all email traffic.

Organizations within the healthcare sector must protect patient information or medical information at all times since doctors, insurance providers and other essential parties frequently transfer patient files electronically. By developing and enforcing corporate policies, sensitive information is safeguarded from being sent to or seen by the wrong party. PureMessage policy enforcement capabilities manage privacy and confidential information by scanning attachments, looking for keywords and modifying headers to route messages through secure systems, thereby prohibiting the distribution of inappropriate content and attachments.

With the current state of blended threats, which can combine worms, viruses, Trojans and/or spam, achieving compliance is even more difficult for many organizations. HIPAA requires organizations to prevent new, unknown email-aware worms from entering their networks. Sophos's Genotype™ technology, a method that uses forensic analysis to identify suspicious patterns and characteristics unique to a virus family or a spam campaign, reduces exposure to new, unidentified threats and unwanted content, enabling organizations to meet regulations.

"The last thing we want to do is compromise or disclose our patients' private information, so we need to be compliant with legislation like HIPAA. There are mandates that define how we interact with insurance companies, and securing email is crucial to that. Without Sophos PureMessage, we would be putting our business and our patients at risk," said Michael Spohnholtz, senior technology consultant at Virginia Mason Medical Center. Virginia Mason is an internationally recognized group practice of more than 400 physicians and 336 beds, offering both primary and specialized acute care. With nearly 4000 email users, VMMC processes more than 1.5 million email messages each month.

"The next challenge for organizations around email regulatory compliance is to manage the process efficiently over the long term," said Marc Borbas, email security analyst at Sophos. "This highlights a need for reliable, proactive security at the gateway, coupled with powerful tools that allow companies to automatically enforce the right email policies."

To learn more about how Sophos's customers like Virginia Mason Medical Center combat viruses, spam, other email-borne threats and how they utilize Sophos's email policy enforcement capabilities to ensure best practices for legislative compliance, please visit the Virginia Mason Medical Center case study.