Let’s review email systems and how they can be secured for ePHI and other sensitive data.

Alston Article on Email Security


Leigh from Florida sent us an email asking for us to explain some more specifics about email. She had been listening to Episode 8: HIPAA Myths Part 2 which mentioned it but she had specific questions how can email be secured. This couldn’t be covered in a quick 5 minute HIPAA answer episode so we are doing a whole episode.

  • How does email work – for “real people” to understand
    • Compare to the post office since that is the way it was originally modeled to match
  • Why that isn’t secure at all, really
  • Misconceptions
    • I use a password so it is secure
    • I use https so it is secure
    • I use TLS so it is secure
    • I use updated Outlook with Hosted Exchange so that should be secure
  • Secure email via
    • End to end encryption tools – each party knows the key
    • Messaging system – you get an email telling you to log in to get the secure email
    • Hosted services that allow for specific types of messaging
      • Hosted exchange
      • Plug-in apps
    • Secured internal only messaging systems
      • Very specific set up to secure the mail database on your internal server
      • Controls you have in place to prevent email to other domains outside the secure system (usually software required)
      • Some systems are automatic encryption / others require you to hit a button on the mail to send it secured.
  • Secure messaging systems for internal discussions that don’t use email
    • whole new way of communications in forums / chats instead of email
  • Texting also matters but that is a different episode we can touch on it here
  • A word about spear phishing – excellent example this week from a client