Let's review email systems and how they can be secured for ePHI and other sensitive data.

Find Healthcare IT

HIPAA For MSPs

Kardon Compliance

Alston Article on Email Security

Notes

Leigh from Florida sent us an email asking for us to explain some more specifics about email. She had been listening to Episode 8: HIPAA Myths Part 2 which mentioned it but she had specific questions how can email be secured. This couldn't be covered in a quick 5 minute HIPAA answer episode so we are doing a whole episode.

• How does email work - for "real people" to understand
  • Compare to the post office since that is the way it was originally modeled to match
• Why that isn't secure at all, really
  • http://www.healthcareitnews.com/news/hipaa-breach-letters-go-out-after-email-hack (article on email hacked and it had patient info in it)
  • open transmissions and many different servers
• Misconceptions
  • I use a password so it is secure
  • I use https so it is secure
  • I use TLS so it is secure
  • I use updated Outlook with Hosted Exchange so that should be secure
• Secure email via
  • End to end encryption tools - each party knows the key
  • Messaging system - you get an email telling you to log in to get the secure email
  • Hosted services that allow for specific types of messaging
    • Hosted exchange
    • Plug-in apps
  • Secured internal only messaging systems
    • Very specific set up to secure the mail database on your internal server
    • Controls you have in place to prevent email to other domains outside the secure system (usually software required)
    • Some systems are automatic encryption / others require you to hit a button on the mail to send it secured.

• Secure messaging systems for internal discussions that don't use email

  • whole new way of communications in forums / chats instead of email

• Texting also matters but that is a different episode we can touch on it here

• A word about spear phishing - excellent example this week from a client