How threat actors use mailbox delegation to access your emails

Threat actors are drawn to healthcare emails due to the high value of sensitive information and the potential to create costly disruptions. This means that avenues such as mailbox delegation can become exploited means of receiving access to private information. 

What is mailbox delegation?

According to Microsoft, a delegated mailbox provides, “...the ability for others to create email messages or respond to meeting requests on your behalf. As the person granting permission, you determine the level of access that the delegate has to your folders.”

Mailbox delegation is a feature that allows an individual, known as a delegate, to access and manage another person's email account with specific permissions. The account owner grants these permissions to a trusted individual, enabling them to handle various email-related tasks efficiently. 

Delegates can read emails, send messages on behalf of the account owner, delete unwanted emails, and manage other mailbox functions like calendar appointments. For instance, an executive assistant can be authorized to organize their manager's inbox by sorting through messages, replying to routine emails, and scheduling or updating calendar events. 

The role of mailbox delegation in healthcare

Healthcare differs from other organizations in its functioning due to strict privacy regulations like HIPAA, which require careful handling of patient data. For instance, a nurse could be granted permission to manage a physician’s inbox to schedule appointments or share lab results with other departments. This access speeds up patient care, allowing doctors to focus on treatment rather than administration.

There are still downsides to consider, privacy being one of the main ones. Delegates need to be well-trained to prevent accidental exposure of sensitive patient information, and access control must also be carefully managed. Despite these challenges, mailbox delegation benefits healthcare organizations by reducing administrative burdens on medical staff and enabling smoother communication across teams.

The characteristics of effective mailbox delegation

According to an Acta Biomed study, the characteristics of an effective delegation strategy include, “...five rights for effective delegation which are described as follows; right task, right person, right time, right directions and communication, and right supervision and evaluation.”

These can further be explained as:

1. Right task: Assign only the tasks that a delegate can handle appropriately, such as sorting routine emails, managing calendar invites, or drafting messages on the account owner's behalf. Avoid assigning sensitive or highly confidential tasks unless the delegate is fully qualified.
2. Right person: Ensure that the selected delegate is trustworthy and has the skills needed for managing email. They should understand the role and its boundaries, particularly concerning sensitive data.
3. Right time: Delegate mailbox management at the appropriate time, ensuring it aligns with both the account owner's and delegate's workloads. Timing is necessary during high-demand periods, so prompt delegation can alleviate pressure and improve productivity.
4. Right directions and communication: Communicate expectations, provide instructions on responding to emails, filter messages, and handle confidential information. Foster open communication between the account owner and delegate for quick clarifications or escalation of complex matters.
5. Right supervision and evaluation: Supervise and periodically evaluate the delegate's performance. Review their email management practices to ensure compliance, provide constructive feedback, and adjust responsibilities or permissions as necessary.

See also: How HIPAA compliant email improves the patient experience

The common inefficiencies in mailbox delegation strategies

1. Role-based blind spots: Delegates, such as administrative staff, may lack clinical knowledge, leading them to overlook or mishandle emails containing medical jargon or specialist information, resulting in missed communication or errors in patient care coordination.
2. Fragmented messaging across departments: Delegation strategies often fail when handling interdepartmental communication, as separate departments may operate different systems or workflows, causing delays in sharing updates about patient care.
3. Unclear escalation procedures: Delegates might not have well-defined protocols for escalating certain types of messages, such as urgent referrals or abnormal test results, leading to delays in urgent patient care decisions.
4. Inconsistent security protocols: Healthcare organizations sometimes apply inconsistent security measures across teams or roles, meaning delegates could inadvertently share confidential information through unsecured channels or with unauthorized personnel.
5. Lack of specialty-specific guidelines: Delegates managing inboxes for specialists (e.g., oncologists, cardiologists) might need clear guidelines tailored to the specific needs and urgency of their specialty, resulting in efficient prioritization and missed opportunities for proactive care.

See also: HIPAA Compliant Email: The Definitive Guide

Why do threat actors want to access healthcare emails

Threat actors seek access to healthcare emails primarily to exploit the wealth of sensitive information contained within these communications for financial gain.  A Heliyon journal article provided, “Most of today's threat actors still use phishing to exploit their victims. Threat actors continue to develop their tactics, methods, and procedures for the various phishing attacks to maximize the likelihood of successful exploitation.” 

Healthcare emails often include personal data such as names, birth dates, Social Security numbers, and medical histories, along with billing and insurance details. Cybercriminals can use this data to commit insurance fraud, billing scams, and identity theft or sell it on the dark web to others seeking to profit from stolen information.

Beyond this, access to healthcare emails provides threat actors with valuable insights into the organization's internal operations. They can use these insights to craft targeted phishing attacks, deceive staff into divulging credentials, reveal system vulnerabilities, or approve unauthorized transactions. Once inside the email system, hackers can monitor ongoing conversations and adapt their tactics to be more convincing.

Threat actors can plant ransomware or other malware by infiltrating healthcare emails. Ransomware encrypts patient files and medical data, disrupting operations and forcing organizations to pay a ransom to regain access. Given the urgency of healthcare services, healthcare institutions often feel pressured to pay quickly.

How threat actors take advantage of mailbox delegation to access emails

Threat actors exploit mailbox delegation by gaining unauthorized control of the credentials of a delegate—an individual who already has access to another person's email account. They often do this through social engineering techniques, such as spear-phishing or by exploiting weak passwords. Once they obtain these credentials, they can assume the identity of the legitimate delegate and access the primary email account's contents.

With delegated access, threat actors can read and download sensitive emails, including personal information, financial data, or internal strategies. They also send emails as if they are trusted delegates, enabling them to manipulate conversations and send false instructions that other staff members might follow, believing them to be genuine. For example, they might request unauthorized fund transfers, manipulate billing information, or ask for sensitive data.

With control over delegated permissions, they can modify account settings to hide their presence, making it difficult to detect unauthorized access. This allows them to conduct prolonged attacks, such as creating phishing emails targeting other staff members or external partners.

Threat actors can also delete or alter emails to remove traces of their activity and sow confusion among the healthcare staff. 

How to effectively implement mailbox delegation 

1. Access permissions based on email content classification: Classify emails into categories such as confidential, internal, and public. Assign delegates access only to the relevant category, ensuring sensitive emails are accessible solely to authorized personnel.
2. Delegate approval workflow: Create a workflow requiring supervisors or the primary account holder to approve any new delegate requests or changes to existing permissions. This adds an additional layer of scrutiny before granting access.
3. Just-in-time access: Use systems that grant access to the mailbox only when needed, revoking permissions immediately after the task is complete. This minimizes the risk of unauthorized use during idle periods.
4. Granular logging and review: Implement detailed logging to capture delegate activities, such as reading, forwarding, or deleting emails. Conduct regular reviews of these logs to detect unusual behavior or policy violations.
5. Phishing simulations and training: Conduct regular phishing simulations that specifically mimic threats delegates are likely to encounter. Offer immediate, practical training to those who fall for these simulated attacks to reduce future risks.
6. Delegated access expiration: Set expiration dates for delegated access, prompting periodic renewals. This ensures permissions are re-evaluated regularly and reduces the risk of outdated access lingering.
7. Dual delegation: Require dual delegation where two delegates need to approve actions, such as transferring sensitive data or making substantial administrative changes.
8. Customized reporting: Customize reports to focus on high-risk activities, such as delegates accessing emails from new locations or devices. Automate alerts for immediate investigation of such events.

See also: Top 12 HIPAA compliant email services

FAQs

How often should delegated access be reviewed?

Review delegated access permissions periodically, ideally every three to six months, to ensure permissions are up-to-date and relevant, and promptly revoke access for inactive delegates.

What is the best way to secure mobile devices used by delegates?

Enable encryption, enforce screen lock policies, and use mobile device management (MDM) to control and monitor access to delegated mailboxes.

What should delegates do if they receive a suspicious email in the delegated inbox?

They should avoid clicking on links or downloading attachments and report the email to the IT security team for further investigation.