A CIOs Guide to Secure Bulk Emailing Healthcare Employees

A CIOs Guide to Secure Bulk Emailing Healthcare EmployeesA CIOs Guide to Secure Bulk Emailing Healthcare Employees

With the continued pervasiveness of remote work, team member engagement is more important than ever.  One of the ways to reach out to a lot of team members at once is email.  Team members, now more than ever, are empowered to use cloud-based or third-party services to send these messages.  The problem is that many of them don’t make it to the intended mailbox and end up in Junk Mail, never to return.  Worse, the emails can be spoofed, and ransomware or malware deployed instead.  The intended messages don’t get across, and in many cases, the feedback they seek is not collected.  This is why a number of email campaigns, even from major companies, advise their users to check their Junk Mail.  When you ask users to do that, what’s the point of filtering?

Today’s article is meant to change that.  Email is complicated because of the rules you have to follow to get it right, and attackers use that and our lowered attention spans to their advantage.  We’re going to lay out what processes you need to have and how to message it so you can do a better job of leading a strategic technology organization, not answering questions on why an important email ended up as junk mail.  We also want you to not have to answer the question of how that ransomware got in, ransacked the network, and was used to exfiltrate patient data.

Why Are We Doing This?

There has been a steady rise in very good phishing emails, especially ones that look like employee engagement surveys or leadership communications.  It’s incredibly important to make sure that your users get the ones that they are supposed to, not the ones that steal identities and patient data.  It’s also important to not just blindly allow all emails from a sender, and to set the right security standards for the ones they receive.  We also need to get the right level of communication out to the workforce due to the amount of phishing test emails some of us send.  While these emails serve a benefit, some members of the workforce do become overly paranoid and report everything.

There are several techniques you can use to make sure that the emails you need get to the inboxes of your users, not malware or spam.  The first is the overall project and communication plan to use when you need to send out bulk emails.  Second is to make sure that your bulk senders use DMARC to help secure their bulk email environment.  Third is to configure Microsoft 365 Mail Flow Rules or their equivalent to accept emails from only those specific addresses.  Fourth, using references to the employee portal, not links, to get people to click on the links.  Finally, we need to use a targeted strategic communication plan to notify people when the event occurs, and to contact the Service Desk if an issue occurs.

Project Plan

The most important step is the overall project and communication plan.  Bulk emails are still an area where many organizations have not developed centralized processes.  These need to be organized as a small project.  The start of the plan is to make sure that the service desk has intake, knowledge base articles, and workflows to route these requests to the appropriate manager.  Next, leadership communication needs to be disseminated to notify all managers and leaders that bulk email requests need to go through the Service Desk.  You need to have assigned resources to develop a plan for the next few steps.  You can’t assume someone will pick up the ball, or that people will self-organize.  This has to be an assigned role, not “other duties as assigned” by a CIO that wants to look good to their peers.

DMARC is a Must

We then need to have a step to communicate with the bulk email senders.  Any organization sending bulk emails these days needs to be using DMARC.  This stands for Domain-based Message Authentication, Reporting, and Compliance.  It utilizes Sender Policy Framework (SPF) and DomainKeys Identified Message (DKIM) to properly identify senders of email messages.  Email providers such as Google, Microsoft, and Amazon already use this.  These are technical controls to ensure the authenticity of messages.  However, companies that use turnkey bulk emailing packages or do not have experience with sending many emails may not know what this is. 

There are organizations that will make excuses why they won’t use this or give the classic one of “No other health system has asked for this”.  If they do, talk to your email team or service provider about alternative ways to send the message.  This is 2020, and your users are getting hit with thousands of phishing and malware-laden messages.  Patients have died because of ransomware attacks.  Don’t compromise your patients’ security by lowering yours because someone wants to send an email to impress senior leadership.  We are asking our users to be extra vigilant with their emails to prevent phishing attacks.  We need to be more vigilant with ourselves to be credible champions of security for our patients and authentic leaders of our teams.

Configuring Microsoft 365 Correctly Without Shortcuts

If you, like many other organizations, run Microsoft 365 for email, you can set mail flow rules and safe sender lists.  Microsoft has provided an excellent document here on how to add safe senders to their product that passes DMARC approval.  They warn against specifically allowing domains based on name alone because that can open your users up to phishing attacks.  The attackers know how to use the names of companies that provide employee engagement and survey services to healthcare organizations.  They also know that most of them do not know how to configure email and will take the 30-second approach of just bulk-adding domain names.   This gives them an avenue to send you phishing emails that look legitimate, and puts your patients, team, and yourself at risk.  If you don’t run Microsoft 365, please contact your mail provider on how to add DMARC-compliant safe senders to an approved list. 

Also, if you send these internally, make sure that you have set appropriate sending threshold limits for the accounts that will be sending them, and that two-factor authentication is enabled for those accounts.  The risk of them being compromised and being used to send a lot more than just news is real, and you need to protect against that.

Links on the Portal

When your users see links in an email, most of them will assume a phishing attack.  This is partially due to work we’ve done by sending out phishing tests.  This is also because the tools that most major email programs have don’t do a good job identifying phishing links.  Email is now checked on mobile phones, which do not make it easy to check the legitimacy of an embedded email link like Outlook on the desktop does.  The attention span of a mobile user is also significantly less than that of a desktop one.  Most healthcare organizations also will not be able to afford some of the higher-end tools out there for identifying and protecting against phishing links within messages.  Instead of recommending yet another one of those, we’re going to be more practical.

Our recommendation is to not publish links in bulk emails whenever possible.  Take the links that would have been in the message and put them on your Intranet or Portal pages.  Unless there is no other way to publish the link, such as personalized links, we recommend referring users to a secured internal portal page to click on the links.  This reduces the risk of a user letting down their guard and clicking on a link made to look legitimate that delivers malware. 

Our users are facing fatigue from dealing with COVID, children at home, increased work schedule, the unrelenting news cycle, the constant negativity of social media, and alarm fatigue.  This leads to a lower ability of people to make accurate judgements.  Criminals will take advantage of this to slip phishing, malware, or ransomware emails into links that look official.  By removing the links whenever possible and placing them on a trusted site, you’ve mitigated the risk of this happening significantly.

Targeted Communication

Finally, you have to let the users know when these emails are coming out.  You need to put together a 1 page document for your users, starting with leadership, that clearly identifies:

  • The purpose of the email
  • When the email is coming out
  • Who will be sending it
  • What the subject line will be
  • Where to find the links to take action
  • What the expected completion date is
  • Who to contact with any questions

If you are able to articulate these in the messaging, you can greatly reduce the likelihood that the message will be ignored.  More importantly, you give your users the ability to report in suspicious emails and provide follow-through.  You also give a reason for doing this, concise actions to take, and timebox a completion date. 


With the steps you’ve hopefully followed here, you also provide a means by which these messages can be sent with a high degree of confidence and reduce the risk of a phishing mail being snuck in.  The important goals here are to make sure you have team members who are assigned to develop and execute plans, and who can follow through on these.  Having those plans, ensuring that bulk senders have DMARC, that Microsoft 365 or your provider of choice is able to securely identify them, putting links on the Portal or Intranet, and effectively communicating out the messaging behind why users need to follow up will increase your chances of success.  Most importantly, it will lower the risks posed by phishing or ransomware attacks against your organization by emails masquerading as legitimate ones and taking advantage of fatigue.

About the author

Mitch Parker, CISO

Mitch Parker, CISO

Mitchell Parker, MBA, CISSP, is the CISO, at IU Health. Mitch has eleven years’ experience in this role, having established effective organization-wide programs at multiple organizations. He is responsible for providing policy and governance oversight and research, third-party vendor guidance, proactive vulnerability research and threat modeling services, payment card and financial systems security, and security research to IU Health and IU School of Medicine. In this role, Mitch collaborates across the organization and with multiple third parties to improve the people, processes, and technologies used to facilitate security and privacy for the benefit of IU Health’s patients and team members.