WINDOWS-BASED MAIL SERVERS


Because Windows-based e-mail servers, such as Microsoft Exchange Server, are based on the same O/S as the web servers above, the recommended security configurations are much the same.

In the March 2002 issue of Healthcare Information Security Newsletter, Jahen Moreh lists the 4 most popular methods for securing e-mail [11]:

  • Public-key encryption: such as PGP, which is not widely used but is one of the most secure methods. Encryption should be easy to use or automatic.

  • Password-based security: both sender and recipient use the same password to encrypt and decrypt, but passwords must be complex and secure.

  • Web-based security: the e-mail message itself carries no content, only a link to a secure web site where the recipient logs in to get messages.

  • Key-server security: the recipient gets an encrypted message, then retrieves a key from a server by password and decrypts the message.

Additional security assessment of a web server can be done by running penetration-testing software such as 'Nmap', 'Nessus', 'Enum', 'Netcat' or others, and password-cracking software such as 'John the Ripper' or other such programs. Get written permission first, enable audit logs and check for signs of attempted or successful intrusion.
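One way to do the audit-log check described above, as an added example that is not from the book: it scans a constructed CSV export of logon events (time, event ID, account, source address) for bursts of failed logons and for a successful logon that follows such a burst. The CSV layout, threshold and window are assumptions; 4625 and 4624 are the failed and successful logon event IDs on current Windows versions (Windows 2000/2003 logged 529 and 528).

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

FAILED, SUCCESS = "4625", "4624"  # Windows Security log: failed / successful logon

# Constructed sample export (assumed layout: time,event_id,account,source); not real data.
SAMPLE_LOG = """\
2024-05-01T02:14:01,4625,administrator,192.0.2.10
2024-05-01T02:14:09,4625,administrator,192.0.2.10
2024-05-01T02:14:15,4625,administrator,192.0.2.10
2024-05-01T02:14:22,4625,administrator,192.0.2.10
2024-05-01T02:14:30,4625,administrator,192.0.2.10
2024-05-01T02:15:02,4624,administrator,192.0.2.10
2024-05-01T08:30:11,4625,jsmith,192.0.2.20
2024-05-01T08:30:40,4624,jsmith,192.0.2.20
2024-05-01T11:00:00,4625,mailadmin,198.51.100.7
2024-05-01T11:00:05,4625,mailadmin,198.51.100.7
2024-05-01T11:00:10,4625,mailadmin,198.51.100.7
2024-05-01T11:00:15,4625,mailadmin,198.51.100.7
2024-05-01T11:00:20,4625,mailadmin,198.51.100.7
"""

def find_suspect_logons(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return (bursts, successes_after_burst).

    bursts: {source: peak failed-logon count inside the window} for sources
            that reach the threshold (attempted intrusion).
    successes_after_burst: (time, account, source) for each successful logon
            from a source still inside such a burst (possible successful intrusion).
    """
    failures = defaultdict(list)   # source -> failure times still inside the window
    bursts, successes_after_burst = {}, []
    rows = sorted((r for r in csv.reader(io.StringIO(log_text)) if r), key=lambda r: r[0])
    for ts, event_id, account, source in rows:
        when = datetime.fromisoformat(ts)
        recent = [t for t in failures[source] if when - t <= window]
        if event_id == FAILED:
            recent.append(when)
            if len(recent) >= threshold:
                bursts[source] = max(bursts.get(source, 0), len(recent))
        elif event_id == SUCCESS and len(recent) >= threshold:
            successes_after_burst.append((ts, account, source))
        failures[source] = recent
    return bursts, successes_after_burst

if __name__ == "__main__":
    print(find_suspect_logons(SAMPLE_LOG))
```

A single mistyped password followed by a normal logon (the 192.0.2.20 rows) stays below the threshold and is not reported.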

Because mail servers are where incoming e-mail attachments are delivered, anti-virus software must be installed and constantly updated to prevent network infection. Additionally, outgoing e-mail messages from medical center staff may frequently include 'PHI', so it is vital that these servers are secure and reviewed often to apply appropriate updates.




HIPAA Security Implementation, Version 1.0
ISBN: 974372722
EAN: N/A
Year: 2003
Pages: 181
