MDaemon Technologies Blog

SecurityGateway’s Built-in Archiving & Compliance For Healthcare

By Brad Wyro

When it comes to email archiving, healthcare organizations must meet increasingly stringent regulations such as HIPAA, along with applicable privacy laws like CCPA/CPRA and, where relevant, PCI DSS for payment card data. This remains especially important in 2026, as the healthcare sector continues to experience the highest data breach costs of any industry - exceeding $10 million on average in recent findings. According to IBM’s Cost of a Data Breach Report 2024, healthcare organizations faced an average breach cost of $10.93 million, the highest across all sectors for the 13th consecutive year.

Healthcare breaches also take longer to identify and contain than in other industries. The same report found the average breach lifecycle was 277 days globally, with healthcare incidents typically lasting even longer - often approaching or exceeding 290 days, underscoring the need for strong data governance and retention practices.

Taking HIPAA as an example, the HIPAA Security Rule demands that any electronic protected health information (PHI) must be protected to ensure its confidentiality and integrity; however, PHI must also always be available when it is needed. Email archives preserve an original, tamper-proof copy of an email to preserve the integrity of email data. If your healthcare facility sets up its own email archiving solution, access and audit controls must be applied to ensure compliance. You must also carefully consider encryption if your organization will store the email archive within its own IT infrastructure.

Because every email solution for healthcare, whether it's on-premises or in the cloud, needs strong anti-spam/anti-malware filtering, it makes sense to combine archiving and security into a single product. To address this growing demand, archiving was added to SecurityGateway™ for Email Servers in version 6.0. These archiving and compliance features remain a core part of SecurityGateway today (now version 12).

SecurityGateway’s Integrated Archiving: Perfect for Healthcare

With SecurityGateway 6.1, the integrated archiving feature received a major upgrade with the following new features for legal compliance and cloud email integration:

Legal Hold

SecurityGateway's Legal Hold feature will prevent emails from being deleted from the archive, regardless of any other settings, user permissions, or retention periods.

Legal Hold in SecurityGateway for Email

Legal Hold - SecurityGateway for Email

Minimum Archive Retention Period

Healthcare organizations must retain archived email in line with applicable laws and regulations, which vary by record type and jurisdiction. In the United States, HIPAA requires certain policies, procedures, and related compliance documentation to be retained for 6 years, state medical-record laws may require longer retention; SOX Section 802 requires at least 5 years for audit and review work papers; IRS record-retention guidance depends on the tax issue involved; and PCI DSS guidance emphasizes minimizing retention and securely disposing of sensitive authentication data rather than setting a universal 1-year retention rule. For privacy frameworks, GDPR requires personal data to be kept no longer than necessary, while CCPA/CPRA guidance is best understood as requiring businesses to retain consumer-request records as part of their compliance program rather than imposing a blanket retention period on all records.

Note: A proposed update to the HIPAA Security Rule, published in early 2025, would strengthen cybersecurity requirements for ePHI, including provisions related to encryption and risk management. As of mid-2026, it had not yet been finalized. The proposal does not change HIPAA’s six-year documentation retention requirement, but healthcare organizations should continue to monitor its progress.

To meet these and other constantly evolving regulations, SecurityGateway administrators can assign a minimum retention period for all archived email messages. During this time, archived messages cannot be deleted regardless of any other settings or user permissions.

SecurityGateway Retention Policy

Message Retention - SecurityGateway for Email 

 

To learn more, watch our video overview of SecurityGateway's encryption, data leak prevention & archiving features.

 

Improved Cloud/Hosted Email Integration for Microsoft 365 & Microsoft Entra ID

SecurityGateway's automatic user creation feature helps reduce administrator workload by verifying whether an email sent to or from a local domain contains a valid email address, and then automatically adding the account once the email address has been verified. With SecurityGateway 6.1, this process became much easier for businesses using cloud email services, with an option to verify users by querying Microsoft 365 or Microsoft Entra ID (formerly Azure Active Directory).

SecurityGateway Microsoft 365 User Verification

Office 365 & Azure User Verification - Security Gateway for Email Servers
 

Other New Features

Other new features for Security Gateway include:

  • Allowlist & Blocklist Search: A search field was added to the Allowlist and Blocklist screens to help administrators find listed email addresses more easily.
  • Quarantine reports can be sorted by score. This makes it easier to identify false-positives, which will likely have lower scores.

For the complete list of updates, please see the SecurityGateway release notes.

If you aren’t yet protecting your healthcare-related email with SecurityGateway, visit the SecurityGateway product page for an overview of its features, or visit the Download page to download a free trial!

SecurityGateway Hosted/Cloud services are also available.

 

Tags: Product Updates, Email Archiving, Health Care Security

Brad Wyro

Written by Brad Wyro

Brad has worked in technical and marketing roles at MDaemon Technologies, where he contributes as Content Marketing Manager. Brad balances technical and creative information to develop easy to understand videos and content to educate prospects and customers.

BACK TO ALL ARTICLES

Subscribe to Email Updates