HIPAA and email security

Written by Dan Blacharski on May 13, 2009 – 3:41 pm

If you’re even remotely connected to the healthcare industry, you have been, or will be, affected by the Health Insurance Portability and Accountability Act (HIPAA). This regulation mandates security and privacy in several areas, including the storage, access, and communication of sensitive or private healthcare information.

Firewalling, together with access controls (authentication and authorization), is critical to HIPAA compliance, but email security is a vital part of it as well. Healthcare organizations and covered entities, as well as patients themselves, often rely on email as an efficient way to communicate information. Ordinary, unprotected email, however, is frequently inadequate for that purpose.

It would be a mistake to leave email out of a HIPAA compliance initiative: exposed, or even potentially exposed, protected health information sent by email is exactly the kind of finding that surfaces in an audit. HIPAA does not stop at stored medical records; it covers any record that contains protected health information, email included. There are two fronts to consider, day-to-day email in transit and archived email at rest, and both matter for compliance. Archived email in a HIPAA-covered organization should sit behind the same access controls (authentication and authorization) as any other record store. Day-to-day email carries its own risk: if a message contains information regulated under HIPAA, it must also be protected against unauthorized access while in transit, and since email crosses the unprotected Internet, encryption is the only practical way to do that.


Encrypted email not for everyone

Written by Dan Blacharski on March 27, 2009 – 3:37 pm

Kevin Nixon ran a fascinating article on encryption at Information Security Resources yesterday, disputing the need for end-to-end encryption, saying that it’s not such a great idea after all.

I’ve never used encryption for my email personally, though plenty of people do. And for some users, like the President when he’s using his BlackBerry, I’d have to say that it’s essential. But Kevin’s argument bears consideration, especially when applied to ordinary usage.

A couple of familiar examples of encryption between two endpoints are VPNs, where encryption starts at a VPN client in a remote location and ends at the VPN server in the main office, and SSL, used widely on the Web, where encryption starts in the user’s browser and ends at the Web server on the back end. Strictly speaking these are tunnel and transport encryption rather than end-to-end encryption of a message, but the same limitation applies to all of them. The limitation, according to Kevin, is that the traffic is opaque to everything in between, so it arrives at its destination before anything on the path (a content filter, a malware scanner, a data-leak gateway) can evaluate it. He makes a good point. The concept behind end-to-end encryption may be a good one, but it needs an extra step.


Secure Email Methods

Written by Mike Rede on February 25, 2009 – 4:22 pm

Sending unsecured email is very risky and in some cases even against company policy. One of the best ways to secure your email is encryption. The sender types up their message, hits the secure or encrypt button (the name depends on the email client), and then hits send. What happens underneath is that the client encrypts the message so that only the intended recipient can read it: it encrypts with the recipient’s public key, and the recipient decrypts with their own private key. The sender’s private key serves the opposite purpose, signing: the sender signs the message with their private key and the recipient verifies the signature with the sender’s public key, which proves who sent it and that it was not altered in transit. Encrypting with the sender’s private key, as the process is sometimes described, would give no confidentiality at all, since the matching public key is by definition public. In practice (S/MIME and OpenPGP both work this way) the message body is encrypted with a random symmetric session key, and only that session key is encrypted with the recipient’s public key.
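The following is an added example, not code from the original post, showing the key usage described above in working form: the recipient’s public key for confidentiality, the sender’s private key for the signature, and a random symmetric session key for the body. It uses only Go’s standard library; the SealedMessage container and the names Alice (sender) and Bob (recipient) are assumptions for this example, not a real mail format.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SealedMessage is a container invented for this example. S/MIME and OpenPGP
// carry the same four pieces of information in their own wire formats.
type SealedMessage struct {
	EncKey     []byte // AES session key, wrapped with the RECIPIENT's RSA public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM output over the body (includes the authentication tag)
	Signature  []byte // RSA-PSS signature over Ciphertext, made with the SENDER's private key
}

// Seal encrypts body for recipientPub and signs the result with senderPriv.
func Seal(body []byte, senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey) (*SealedMessage, error) {
	// 1. Fresh random session key: RSA alone is too slow and too size-limited for a message body.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, body, nil)

	// 2. Confidentiality: wrap the session key with the recipient's public key.
	encKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return nil, err
	}

	// 3. Authenticity: sign with the sender's private key. This is the only place the
	//    sender's private key is used; it never encrypts anything.
	digest := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &SealedMessage{EncKey: encKey, Nonce: nonce, Ciphertext: ct, Signature: sig}, nil
}

// Open verifies the signature with the sender's public key, then unwraps the
// session key with the recipient's private key and decrypts the body.
func Open(m *SealedMessage, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	digest := sha256.Sum256(m.Ciphertext)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], m.Signature, nil); err != nil {
		return nil, errors.New("signature check failed: not from the claimed sender, or altered in transit")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, m.EncKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: message was not encrypted for this recipient")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, m.Nonce, m.Ciphertext, nil)
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048) // sender's key pair (assumed)
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)   // recipient's key pair (assumed)
	msg, err := Seal([]byte("Lab results attached."), alice, &bob.PublicKey)
	if err != nil {
		panic(err)
	}
	plain, err := Open(msg, bob, &alice.PublicKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s\n", plain)
}
```

Note the checks in Open: a message sealed for Bob cannot be opened with anyone else’s private key, a signature made by Alice does not verify under another sender’s public key, and any change to the ciphertext fails both the signature and the GCM tag. Verifying the signature before decrypting also means a forged message is rejected without ever touching the recipient’s private key.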

Another approach is to protect the connection rather than the message, using a Secure Socket Layer (SSL) connection, or its successor TLS. Two applications, such as a mail client and a mail server, set up an encrypted channel and send and receive data through it. Port 443 is the default for HTTPS, which is what webmail uses; the mail protocols have their own ports: SMTP submission with STARTTLS on 587, SMTP over SSL/TLS on 465, IMAP over SSL/TLS on 993 and POP3 over SSL/TLS on 995. Data passing through the channel is readable by the two endpoints and protected from any third party listening on the wire. The caveat is that this protects only one hop: the message sits in the clear on the mail server at each end, and on any relay in between that does not also use TLS, so channel encryption is not a substitute for encrypting the message itself when the content is sensitive.


New law requiring email encryption takes effect

Written by Dan Blacharski on October 21, 2008 – 2:35 pm

The Nevada law that requires businesses to encrypt customers’ personal information when it is transmitted electronically took effect this month, on October 1, 2008, and is expected to have an impact far beyond the state’s borders. An article in today’s Wall Street Journal highlighted some of the challenges of the law, with which any company doing business with people in Nevada must comply, wherever the company itself is located.

Nevada is just the first of several states considering similar laws. Already, more than 40 states have breach notification laws, which require businesses to notify customers if their personal information is stolen or exposed. But beyond requiring notification, these laws do very little to prevent the breaches from occurring in the first place. There is a big difference between telling someone, “your personal information was exposed,” and requiring action to prevent it from being exposed. The Nevada law is the first to take this approach, going much further than any notification law has.
