Let's review email systems and how they can be secured for ePHI and other sensitive data.


Find Healthcare IT


HIPAA For MSPs


Kardon Compliance


Alston Article on Email Security




Notes

Leigh from Florida sent us an email asking us to explain some more specifics about email. She had been listening to Episode 8: HIPAA Myths Part 2, which mentioned it, but she had specific questions about how email can be secured. This couldn't be covered in a quick 5-minute HIPAA answer episode, so we are doing a whole episode.

How does email work - for "real people" to understand

Compare it to the post office, since email was originally modeled on the postal system

Why that isn't secure at all, really

http://www.healthcareitnews.com/news/hipaa-breach-letters-go-out-after-email-hack (article on email hacked and it had patient info in it)
Open transmissions across many different servers - the message is handled in readable form on every server it passes through

Misconceptions

I use a password so it is secure
I use https so it is secure
I use TLS so it is secure
I use updated Outlook with Hosted Exchange so that should be secure
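To make the TLS misconception concrete, here is an added example (not from the episode or the linked articles) that reads the Received: trail of a constructed message and classifies each relay hop as TLS or cleartext. The hostnames, IPs and message content are made up for illustration; the point it shows is that TLS is negotiated hop by hop, and even a TLS-protected hop leaves the message readable on both servers.

```python
import re
from dataclasses import dataclass
from email import message_from_string, policy

# Constructed sample message (not a real capture): two relay hops, the first
# over plain SMTP, the second protected by TLS.
SAMPLE_MESSAGE = """\
Received: from mx2.example-hospital.test (mx2.example-hospital.test [203.0.113.10])
\tby mail.clinic.test with ESMTPS id abc123
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
\tMon, 1 Jan 2024 10:00:00 +0000
Received: from relay.isp.test (relay.isp.test [198.51.100.5])
\tby mx2.example-hospital.test with ESMTP id def456;
\tMon, 1 Jan 2024 09:59:58 +0000
From: sender@example-hospital.test
To: intake@clinic.test
Subject: Appointment follow-up

(body omitted)
"""

# Markers a receiving mail server writes into Received: when the inbound connection used TLS.
TLS_MARKER = re.compile(r"\bwith\s+E?SMTPSA?\b|\bversion=TLS|\busing\s+TLS", re.I)


@dataclass
class Hop:
    sender: str      # server that handed the message over
    receiver: str    # server that accepted it and wrote this Received: line
    encrypted: bool  # True if the receiver recorded a TLS connection


def audit_hops(raw_message: str) -> list[Hop]:
    """Return the relay hops in chronological order, flagging cleartext ones."""
    msg = message_from_string(raw_message, policy=policy.default)
    hops = []
    # Each server prepends its own Received: line, so the header list is newest-first.
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(str(header).split())  # unfold continuation lines
        sender = re.search(r"\bfrom\s+(\S+)", text)
        receiver = re.search(r"\bby\s+(\S+)", text)
        if sender and receiver:
            hops.append(Hop(sender.group(1), receiver.group(1), bool(TLS_MARKER.search(text))))
    return hops


def plaintext_custodians(hops: list[Hop]) -> set[str]:
    """Every server in the path held the readable message: TLS only covers the wire between them."""
    return {h.sender for h in hops} | {h.receiver for h in hops}


if __name__ == "__main__":
    for hop in audit_hops(SAMPLE_MESSAGE):
        print(f"{hop.sender} -> {hop.receiver}: {'TLS' if hop.encrypted else 'CLEARTEXT'}")
    print("servers that saw the plaintext:", sorted(plaintext_custodians(audit_hops(SAMPLE_MESSAGE))))
```

Run against a real message exported from your own mailbox, the same check shows which hops your provider's TLS actually covered; only end-to-end encryption removes the servers from the custodian set.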

Secure email via

End-to-end encryption tools - each party holds the key
Messaging system - you get an email telling you to log in to get the secure email
Hosted services that allow for specific types of messaging

Hosted exchange
Plug-in apps

Secured internal only messaging systems

Very specific setup to secure the mail database on your internal server
Controls you have in place to prevent email from going to domains outside the secure system (usually requires software)
Some systems encrypt automatically; others require you to hit a button on the mail to send it secured.

Secure messaging systems for internal discussions that don't use email

A whole new way of communicating in forums / chats instead of email

Texting also matters, but that is a different episode; we can touch on it here

A word about spear phishing - excellent example this week from a client