A recent IT e-mail security survey conducted by MailFrontier confirmed what the company had been hearing anecdotally: Customers want a complete integrated e-mail solution. Buying one best-of-breed solution after another to address e-mail security was adding levels of complexity, so that organizations were also getting a management headache, according to Anne Bonaparte, president and CEO of MailFrontier, an e-mail security company that protects organizations against spam, viruses, phishing, and other forms of inbound and outbound e-mail threats.

Forty-four percent of respondents reported that viruses were the most damaging security threat to companies. Eighty-seven percent of respondents said that it was very important to address e-mail security problems through one vendor. More than 70 percent of respondents said that solution management/administration (ease-of-use) was the most important aspect of addressing an organization's e-mail security problems. "This is verification from the market on how organizations define e-mail security, and whether they are looking to consolidate their security purchases into one box and the reasons why," Bonaparte said. "It also showed us which e-mail security threats were keeping people awake at night."

Current e-mail security
While more than 62 percent of the respondents said that their enterprise had not been a victim of a zombie attack (i.e., an attack from an internally compromised computer), 90 percent said that they were still concerned about such attacks. Fifty-six percent of the respondents said that phishing scams are a security threat to their organization's networks. And more than 32 percent of respondents said that they have seen a 50-100 percent increase in phishing activity on their organization's network.

The current e-mail security landscape is such that most organizations have purchased best-of-breed point solutions -- typically architecture-mapped boxes -- for inbound virus and spam protection, another box for content screening and a box for compliance. "That's fairly typical of what we see in the health care vertical market," Bonaparte said. "And, one person is responsible for managing the boxes and keeping the organization protected. Ease of use was the number one driver for why organizations wanted to consolidate. We had thought that it might be price, but ease of use is driving organizations to move toward consolidation."

Bonaparte said that she was surprised by the responses to phishing and consolidation questions. "We did the survey because I had heard about e-mail consolidation trends, and 62 percent of respondents confirmed that they are looking to consolidate e-mail security. The timeframe was eye-opening, with 40 percent of respondents saying that they would consolidate e-mail security in the next six months, and an additional 56 percent saying they would do it within the next 6 to 12 months. That's a total of 96 percent within the next year, which is almost unbelievable," she said.

Bonaparte noted a sense of urgency facing information security officers. "It points to the level of pain that information security officers are facing, particularly in health care organizations. The security officer needs to simplify to provide better protection, and he or she recognizes that need. And, so, it's exciting that organizations can now buy one solution that can protect on both inbound and outbound e-mails," she said.

Phishing is having the biggest impact on corporate data and an organization's workforce, Bonaparte noted. Why is it moving to the corporate entity? "Because it's about following the money: The dollars are in the corporations. The benefit of getting my trading cards vs. getting into my hospital's information record, if you can use the same tool (through phishing) is that you hold more people hostage. Put Social Security numbers together with credit card numbers and you have a complete picture of a person. So, money is the driver. And, therefore we're no longer dealing with the solo phisher: It's now more organized, criminal groups now. And, they're not just looking at Citibank or other financial institutions; they are also looking at smaller organizations, because they have fewer protections in place," she said.

Virginia Hospital Center
One organization that has taken every effort to secure its e-mail systems is Virginia Hospital Center in Arlington, Va.

Director of IT Mark Rein told ADVANCE recently that his organization had had a significant number of calls to help desk related to spam. "And we were looking to resolve that issue," he said.

Virginia Hospital Center had its virus protection under control, but was concerned about the amount of spam it received (more than 100 e-mails each hour). "Every call to the help desk has a monetary value associated with it, because you are taking someone off his/her regular day-to-day activities. We were looking for technology that could control the e-mail content presented to the help desk," Rein said. "We test-drove several products and found that some of them did not work well in a medical/healthcare-based environment. Protection against spam e-mail did not always work here, because a number of anatomical terms are considered part of day-to-day work."

MailFrontier's technology allows Virginia Hospital Center users to customize how aggressively their e-mail should be scanned and provides more than 98 percent accuracy, Rein said. The MailFrontier tool works in conjunction with a keyword-blocking tool, e-Safe, for the organization's first line of support against viruses.

David Crutchfield, vice president and CIO at Virginia Hospital Center, told ADVANCE that what makes the technology work well is the user's ability to block e-mail from specified groups. "Other products we considered weren't easy-to-use, intuitive tools that could be pushed out to the users. The blocking and screening tools run like other appliances behind the scenes. Some products we looked at ended up blocking stuff that shouldn't have been blocked. MailFrontier offered a flexible, intuitive tool, putting control of the technology into the hands of individual users," Crutchfield said.

Rein said that the hospital uses a rules-based approach that blocks e-mails larger than 50 MB, and any Zip file that is encrypted. "If you are one of our trading partners, you are granted certain permissions. MailFrontier allows us to do that type of blocking and allows certain senders in," he said.

Controlling attacks
Virginia Hospital Center, much like other hospitals and businesses, suffers from phishing attacks and directory harvest attacks, where attackers try to figure out the identity of users. "We've tried to educate our user base, and now with MailFrontier, we're catching more than 99 percent of e-mail fraud. In March we had 408 phishing incidents and in April the hospital had more than 600," Rein said.

Crutchfield said that the most significant benefits have come from disk storage space reductions and improved productivity because users no longer have to sift through tons of junk e-mails. "With health care's limited resources on the technical side, you can't add tools like this and have to pick up a big support burden with it," he said.

Rein said that the MailFrontier installation required one of the engineers to download the software and put it on a relatively inexpensive Hewlett-Packard server. "The junior engineer assigned to this project had the technology up and running in less than three hours," Rein said. "The most time-consuming aspect was installing the operating system onto the server. The actual MailFrontier product took 45 minutes to install, and 10 minutes to get to the base-level configurations. It was as simple as installing other appliances."

Crutchfield said the hospital rolled out the technology to pilot groups first to make sure there were no software issues. "We then started doing education and user training through department and steering committee meetings. People picked up on the technology rather quickly," he said.

Looking ahead
The response has been positive, Crutchfield said. "The IS steering committee receives regular monthly reports, and they are thrilled with the results. We have realized a monthly savings of between $80,000 and $100,000. The CEO and CFO have asked me where we get the benefits. The savings come in terms of salaries, storage space reductions and lowered hardware requirements, as well," he said.

Rein said a positive customer service experience early on helped Virginia Hospital Center select MailFrontier. "When something breaks and you pick up the phone, and someone in the customer care department has an answer to fix the problem, you have probably picked the right company," he said. "When we get a product here now, we try to break it and test the vendor's customer support. We have found that a lot of companies do not have a very well-defined, trained customer support organization. If after-the-sale support is lacking, the product has no use no matter how great it was during the testing phases," he said. "That was 50 percent of our criteria for purchasing MailFrontier. Another 20 percent was how well it fit into our health care/medical environment and how well it would adapt to the vocabularies we have in our facility. The remaining 30 percent revolved around how expensive it was to deploy and maintain. Of all the vendors, including the appliance-based vendors, MailFrontier was the best solution."

Mr. Mitchell is managing editor of ADVANCE for Health Information Executives.