Email encryption protects the contents of your emails from outsiders. When an email is encrypted, it’s no longer readable until it’s unlocked and decrypted. Did you know that HIPAA requires that any email containing ePHI (electronic Protected Health Information) must be encrypted? Email messages must be secured in transit if they contain ePHI and are sent outside a protected internal email network, beyond the firewall.
Email encryption protects the contents of your emails from outsiders. When an email is encrypted, it’s no longer readable until it’s unlocked and decrypted. Did you know that HIPAA requires that any email containing ePHI (electronic Protected Health Information) must be encrypted? Email messages must be secured in transit if they contain ePHI and are sent outside a protected internal email network, beyond the firewall.
Email encryption protects the contents of your emails from outsiders. When an email is encrypted, it’s no longer readable until it’s unlocked and decrypted. Did you know that HIPAA requires that any email containing ePHI (electronic Protected Health Information) must be encrypted? Email messages must be secured in transit if they contain ePHI and are sent outside a protected internal email network, beyond the firewall.
The National Institute of Standards and Technology (NIST) published SP 800-45 Version 2 explains the requirements for securing emails containing ePHI. NIST says that email messages can be protected by using cryptography in various ways, such as the following:
The first two methods, message signing and message body encryption, are often used together. For example, if a message needs to be encrypted to protect its confidentiality, it is usually digitally signed as well, so that the recipient can ensure the integrity of the message and verify the identity of the signer.
The third method is necessary when you and another organization want to protect emails regularly sent to each other. To do this you can use a virtual private network (VPN) to encrypt the communications between your mail servers over the Internet.
Unlike methods that can only encrypt a message body, a VPN can encrypt entire messages, including email header information such as senders, recipients, and subjects. However, a VPN solution alone cannot provide a message signing mechanism. And it can’t protect email messages along the entire route from sender to recipient.
All email addresses have a pair of keys associated with them. The keys are used to encrypt and decrypt emails. The public key is stored on a key server and is tied to your name and email address. Anyone can access it. A second key is your private key. This isn’t shared with others and is only known by you.
Email encryption utilizes public-key cryptography. When you send an email, it’s encrypted by the computer using the public key. This turns the email into complex, indecipherable, scrambled content that’s difficult to crack. Only someone with the proper corresponding private key can decrypt the email and read it.
Because it’s difficult for most people to encrypt their emails, dental offices and other businesses rely on their IT providers to provide this through an automatic encryption service.
This way, they don’t need to worry if their employees use email encryption. It’s automatically managed. The emails are set up to flow through a gateway appliance that’s configured to the firm’s security policies.
Email encryption services are popular with dental practices because they send and receive confidential and ePHI information:
Emails that aren’t encrypted are vulnerable to attackers looking to steal confidential, patient or financial information. They are looking for electronic health records (EHRs), Social Security numbers, login credentials and bank account numbers to sell on the Dark Web. If they obtain your login credentials, they can take control of your email, documents or financial accounts, or your company network.
Unless your emails are encrypted, hackers also have access to the attachments you send in emails, including private medical information. Email encryption also helps you verify the authenticity of a sender of a message. You and your employees will know if you’re being spoofed by a hacker who is trying to impersonate someone you know.
If you don’t, you must use an alternative method to protect your data at rest and in transit. This requires that you undergo a risk analysis to determine the level of risk to confidentiality, integrity, and availability of ePHI sent via email.
You then must develop a risk management plan, and document it for the HIPAA auditors from the Office of Civil Rights (OCR). They will want to see that you considered encryption and why you didn’t use it. Then they will want to know that you have implemented an alternative safeguarding measure that’s just as effective as encryption.
TLS provides a secure channel for data transmission and ensures that all content, emails, and attachments are encrypted during transit. This is referred to as Data-in-Motion Security.
But because TLS doesn’t provide security for data at rest (in storage), archived emails aren’t encrypted and are exposed to hackers. And sometimes, the TLS connections are terminated before the emails arrive at their final destination. There’s no way to guarantee that TLS alone ensures email security.
This is why you should consider using an email encryption service.
In the past, email encryption services were cumbersome to use. Both the sender and recipient had to exchange encryption keys before sending and receiving emails to one another. As a result, people didn’t want to take the time to do this, and employees simply ignored the dental practice’s policies. This led to breaches in security where sensitive and confidential data was exposed.
Today, we have secure and straightforward email encryption services that are cloud-based. Key management is automatic without any added overhead for either users or administrators. The first time a recipient receives an email, a unique key is generated. Emails (including attachments) are encrypted using the recipient’s key.
After the process of encryption is complete, a separate notification email containing a link to log into a secure message center is sent to the recipient. It’s accessed via a web browser using HTTPS (certified for security).
After the recipient logs in, their encrypted email messages are sent to them for viewing. At this point they can reply to the emails or download them for archiving on their computer, knowing that they are still encrypted and will be secure.
The encryption keys are stored securely in a central location. And key management is automatic without any additional work for your employees. These state-of-the-art data centers ensure the physical security of everything while strict access control provides that only authorized personnel have access to the message center. For additional protection, the data centers and the keys used to encrypt the data are stored in separate areas.
NOVA Computer Solutions provides Email Encryption Services. Our cloud-based approach to email encryption ensures the security of your emails and attachments. It utilizes an Advanced Encryption Service with a 256-bit cipher, commonly known as AES-256.
Our Email Encryption Service provides cloud-based outbound email encryption, with multiple policies that allow administrators to specify precisely which outbound emails to encrypt. Emails that match the policies can then be sent securely (via TLS) to our message center.
Ensure that your emails meet HIPAA requirements. For more information about our Email Encryption Services and how your dental office will benefit from them, contact the experts at NOVA Computer Solutions.
Contents