• E-mail
• Print
• RSS

What's the best way to encrypt e-mail?

HIPAA Weekly Advisor, August 1, 2005

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

Before going this route, make sure you've identified significant risks in e-mail communications. Many security and compliance managers think they need to encrypt messages just because they've heard these messages are vulnerable or have had a vendor demonstrate how messages can be transmitted in clear text.

Look deeper into your e-mail communications. Do many different users or systems transmit ePHI to many different recipients? If so, it may make sense to deploy an e-mail firewall. You could also use another perimeter-based solution that encrypts messages automatically or notifies recipients that they have a sensitive message waiting that they can access by clicking on a secure link. The key here is to keep encryption choices and responsibilities out of the hands of your users, if possible.

Also, don't forget about instant messaging (IM). Even if you have a policy against it, there's a good chance employees still use it on your network. Again, with IM, it's not necessarily the clear text communication that's vulnerable-it's the potential for users to share local and network drives with their IM buddies, the insecure storage of log files, the forwarding of communications to unsecured mobile phones, and the potential abuse of remote control features in IM software.

The same goes for file transfer protocol or any other communications medium used for ePHI transmission. Keep in mind that ePHI in transit is not the biggest risk. Rather, it's ePHI at rest-the unsecured files and databases that we always hear about hackers and curious employees breaking in to.

Editor's note: Kevin Beaver of Principle Logic answered this question. This is not legal advice. Consult your attorney for legal matters.

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

• E-mail to a Colleague
• Print
• RSS
• Archive