According to a webinar by the Cybersecurity and Infrastructure Security Agency (CISA), "An indicator of compromise (IOC) is a clue that can be used to indicate an intrusion or compromise of a host in a network."
Research published in Key Requirements for the Detection and Sharing of Behavioral Indicators of Compromise explains that IOCs are pieces of digital forensic evidence that point to network breaches. The breach might be the result of malware, compromised credentials, insider threats or other malicious behavior. By the time a security team discovers an IOC, it's likely that a breach has already occurred, which means that data could have been compromised. Even so, an IOC can still help the security team eliminate the threat and limit the damage.
Email-related IOCs healthcare organizations should monitor
According to Microsoft, in IOC security, IT monitors the environment for the following clues that an attack is in progress:
- Network traffic anomalies: In most organizations, there are consistent patterns to network traffic passing in and out of the digital environment. When that changes, such as if there is more data leaving the organization or if there is activity coming from an unusual location in the network, it may be a sign of an attack.
- Unusual sign-in attempts: Security professionals can detect a compromised account by paying attention to sign-ins at odd times of day or from unusual geographies, such as a country where an organization doesn't have an office. It's also important to take note of multiple failed sign-ins from the same account.
- Privileged account irregularities: Many attackers, whether they're insiders or outsiders, are interested in accessing administrative accounts and acquiring sensitive data. Atypical behavior associated with these accounts, such as someone attempting to escalate their privileges, may be a sign of a breach.
- Changes to system configurations: Malware is often programmed to make changes to system configurations, such as enabling remote access or disabling security software. By monitoring for these unexpected configuration changes, security professionals can identify a breach before too much damage has occurred.
- Unexpected software installations or updates: Many attacks begin with the installation of software, such as malware or ransomware, that is designed to make files inaccessible or to give attackers access to the network. By monitoring for unplanned software installations and updates, organizations can catch these IOCs quickly.
- Numerous requests for the same file: Multiple requests for a single file may indicate that a bad actor is attempting to steal it and has tried several methods to access it.
- Unusual Domain Name System (DNS) requests: Some bad actors use an attack method called command and control. They install malware on an organization's server that creates a connection to a server that they own. They then send commands from their server to the infected machine to try to steal data or disrupt operations. Unusual DNS requests help IT detect these attacks.
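The sign-in indicators above (odd hours, unusual geographies, repeated failed sign-ins from one account) can be checked mechanically against authentication logs. The following is an added example, not code from Microsoft, CISA or Paubox; it runs over a handful of constructed JSON-lines sign-in events and assumes a US-only organization with a 07:00-19:00 business day and a threshold of five failed sign-ins per account, all of which are placeholder values a real deployment would tune to its own baseline.

```python
"""Flag sign-in IOCs in a constructed authentication log (added example)."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in events (JSON lines). Not real data.
SAMPLE_SIGNIN_LOG = """\
{"ts": "2024-10-02T08:15:00", "user": "j.doe", "result": "success", "country": "US"}
{"ts": "2024-10-02T08:16:00", "user": "a.smith", "result": "failure", "country": "US"}
{"ts": "2024-10-02T08:16:30", "user": "a.smith", "result": "failure", "country": "US"}
{"ts": "2024-10-02T08:17:00", "user": "a.smith", "result": "failure", "country": "US"}
{"ts": "2024-10-02T08:17:30", "user": "a.smith", "result": "failure", "country": "US"}
{"ts": "2024-10-02T08:18:00", "user": "a.smith", "result": "failure", "country": "US"}
{"ts": "2024-10-02T23:45:00", "user": "j.doe", "result": "success", "country": "RO"}
{"ts": "2024-10-03T03:10:00", "user": "j.doe", "result": "success", "country": "US"}
"""

# Assumed baseline: offices only in the US, staff normally sign in 07:00-19:00,
# and five failed sign-ins for one account is worth an alert.
EXPECTED_COUNTRIES = {"US"}
BUSINESS_HOURS = range(7, 19)
FAILED_LOGIN_THRESHOLD = 5


def parse_signin_log(text):
    """Parse JSON-lines sign-in events; timestamps become datetime objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def detect_signin_iocs(events, expected_countries=EXPECTED_COUNTRIES,
                       business_hours=BUSINESS_HOURS,
                       failed_threshold=FAILED_LOGIN_THRESHOLD):
    """Return (indicator, user, detail) tuples for the sign-in IOCs in the text."""
    findings = []
    failures = defaultdict(int)
    for event in events:
        if event["result"] == "failure":
            failures[event["user"]] += 1
            continue
        # Successful sign-ins: check geography and time of day.
        if event["country"] not in expected_countries:
            findings.append(("unusual_geography", event["user"], event["ts"].isoformat()))
        if event["ts"].hour not in business_hours:
            findings.append(("off_hours_signin", event["user"], event["ts"].isoformat()))
    # Repeated failures from the same account, regardless of timing.
    for user, count in failures.items():
        if count >= failed_threshold:
            findings.append(("repeated_failed_signins", user, count))
    return findings


if __name__ == "__main__":
    for finding in detect_signin_iocs(parse_signin_log(SAMPLE_SIGNIN_LOG)):
        print(finding)
```

In the constructed log, j.doe's 23:45 sign-in from Romania trips both the geography and off-hours checks, the 03:10 sign-in trips only off-hours, and a.smith's five consecutive failures trip the repeated-failure check. A single off-hours sign-in is a weak signal on its own; the point of collecting these findings together is that the same account appearing under several indicators is what should drive escalation.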
Real-world case study: Charleston Area Medical Center data breach
The breach
In October 2024, Charleston Area Medical Center (CAMC) experienced a data breach due to an email phishing attack. This incident compromised sensitive personal information of certain individuals, including patients and employees.
What happened
In October 2024, Charleston Area Medical Center (CAMC) experienced a data breach due to a phishing attack. An unauthorized party accessed an employee's email inbox between October 2 and October 3, 2024, compromising sensitive information such as names, dates of birth, email addresses, phone numbers, Social Security numbers, driver's license numbers, health information, and health insurance details. CAMC promptly terminated unauthorized access and initiated an investigation with cybersecurity experts. On February 14, 2025, the organization began sending data breach notification letters to affected individuals.
Missed indicators
- Unusual email activity: The phishing attack may have been preceded by unusual email activity, such as unexpected emails from unfamiliar sources or requests for sensitive information.
- Delayed detection: The breach was not detected immediately, allowing unauthorized access to persist and compromise sensitive information. As noted in Key Requirements for the Detection and Sharing of Behavioral Indicators of Compromise, basic IOCs have limited usefulness when dealing with advanced threats, as they can be easily changed by threat actors and evaded with little effort.
Lessons
- Implement secure email solutions: HIPAA compliant email services can enhance communication security and reduce the risk of phishing attacks. Paubox offers encrypted email solutions that integrate with existing email platforms, allowing for compliance without additional steps for users.
- Enhance monitoring and detection: Have continuous monitoring and prompt detection of anomalies.
- Regular security assessments: Conducting regular security assessments can help identify and mitigate vulnerabilities before they are exploited.
Implementing IOC monitoring in HIPAA compliant email
1. Email security technologies
- Email gateway solutions: Paubox's Email Suite uses multi-layer security filters to scrutinize incoming emails for threats, including phishing attacks, malware, and spam.
- Advanced protection against impersonation and spoofing attacks: Paubox security features, such as ExecProtect, are designed to detect and block impersonation scams and display name spoofing attacks.
- Data loss prevention (DLP) systems: Paubox's Email Suite includes data loss prevention capabilities.
2. Logging and monitoring best practices
- Maintain logs of all email access, including successful and failed login attempts
- Implement alerts for email rule changes, especially forwarding rules
- Monitor for unusual search queries against email databases
- Track email volume metrics by user, time of day, and recipient domain
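Three of the logging practices above (alerting on forwarding-rule changes, watching for unusual searches against mailboxes, and tracking send volume by user, hour and recipient domain) can be implemented as one pass over mailbox audit events. The following is an added example, not Paubox's or any mail platform's code; the event schema (`op`, `to`, `rule`, `query` fields) and the sample events are constructed for illustration, the internal domain `example-hospital.org` and the 20-messages-per-hour threshold are assumed baselines, and the sensitive-term list is a placeholder a real program would derive from its own data classification.

```python
"""Mailbox-audit monitoring for email-related IOCs (added example)."""
from collections import Counter

# Constructed mailbox audit events; schema and values are illustrative only.
SAMPLE_MAILBOX_AUDIT = [
    {"ts": "2024-10-02T09:00:00", "user": "j.doe", "op": "Send", "to": "colleague@example-hospital.org"},
    {"ts": "2024-10-02T09:05:00", "user": "j.doe", "op": "Send", "to": "billing@example-hospital.org"},
    {"ts": "2024-10-02T22:10:00", "user": "j.doe", "op": "New-InboxRule",
     "rule": {"name": ".", "forward_to": "drop@example-external.net"}},
    {"ts": "2024-10-02T22:11:00", "user": "j.doe", "op": "MailboxSearch", "query": "SSN insurance"},
    {"ts": "2024-10-03T10:00:00", "user": "a.smith", "op": "MailboxSearch", "query": "meeting agenda"},
] + [
    # 25 outbound messages to one external domain inside a single hour.
    {"ts": f"2024-10-02T22:{minute:02d}:00", "user": "j.doe", "op": "Send",
     "to": f"drop{minute}@example-external.net"}
    for minute in range(15, 40)
]

# Assumed baselines for the constructed environment.
INTERNAL_DOMAIN = "example-hospital.org"
EXTERNAL_SEND_THRESHOLD = 20          # messages per user per hour per domain
SENSITIVE_TERMS = ("ssn", "social security", "password", "date of birth")


def volume_metrics(events):
    """Count sent messages keyed by (user, hour, recipient domain)."""
    counts = Counter()
    for event in events:
        if event["op"] == "Send":
            domain = event["to"].rsplit("@", 1)[-1].lower()
            hour = event["ts"][:13]  # "YYYY-MM-DDTHH"
            counts[(event["user"], hour, domain)] += 1
    return counts


def detect_mailbox_iocs(events, internal_domain=INTERNAL_DOMAIN,
                        send_threshold=EXTERNAL_SEND_THRESHOLD,
                        sensitive_terms=SENSITIVE_TERMS):
    """Return (indicator, user, detail) tuples for rule, search and volume IOCs."""
    findings = []
    for event in events:
        op = event["op"]
        # Any new or modified inbox rule that forwards mail is alert-worthy.
        if op in ("New-InboxRule", "Set-InboxRule"):
            target = event.get("rule", {}).get("forward_to")
            if target:
                findings.append(("forwarding_rule_change", event["user"], target))
        # Searches for sensitive data categories inside a mailbox.
        elif op == "MailboxSearch":
            query = event.get("query", "")
            if any(term in query.lower() for term in sensitive_terms):
                findings.append(("sensitive_mailbox_search", event["user"], query))
    # Outbound volume to a single external domain within one hour.
    for (user, hour, domain), count in sorted(volume_metrics(events).items()):
        if domain != internal_domain and count >= send_threshold:
            findings.append(("external_send_spike", user, f"{count} messages to {domain} during {hour}"))
    return findings


if __name__ == "__main__":
    for finding in detect_mailbox_iocs(SAMPLE_MAILBOX_AUDIT):
        print(finding)
```

The forwarding-rule check deliberately fires on any rule that forwards mail, not just rules pointing outside the organization, because a quiet internal forward is a common way for a compromised mailbox to be mirrored; the volume check compares against a per-domain threshold rather than total sends so that a user's normal internal traffic does not mask a burst to one external destination.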
According to Key Requirements for the Detection and Sharing of Behavioral Indicators of Compromise, long-term retention is essential for successful behavioral IOC detection, as organizations must analyze data from multiple sources and establish relationships between them to identify sophisticated attack patterns.
3. Response protocol development
- Create escalation procedures for suspicious email activities
- Develop containment strategies that can be implemented immediately upon IOC detection
- Establish communication templates for potential breach notifications
- Document the chain of custody for email forensic evidence
FAQs
How do behavioral IOCs differ from traditional signature-based IOCs?
Behavioral IOCs focus on patterns of activity over time rather than static artifacts, making them more effective against adaptive and evasive threats.
Can IOC monitoring alone prevent email-based breaches in healthcare organizations?
IOC monitoring is a detection mechanism, not a prevention strategy, and must be combined with security controls, user training, and incident response planning.
How does HIPAA influence how IOCs are collected and analyzed?
HIPAA requires that IOC monitoring involving ePHI aligns with minimum necessary access, audit controls, and documented risk management processes.
What role does employee security awareness play in reducing email-related IOCs?
Well-trained staff can reduce the volume of IOCs by recognizing phishing attempts early and reporting suspicious emails before compromise occurs.
How long should healthcare organizations retain email logs for effective IOC analysis?
Log retention should be long enough to support behavioral analysis and forensic investigations while remaining consistent with HIPAA and organizational data retention policies.
