Ahh, email. Remember back in the day when you had to buy stamps? Remember that darn snail mail scale in the office? Wait, you still buy stamps or use that scale? If so, it’s probably saving you from unnecessary risk when sending out documents containing private information. After all, it’s a federal crime when someone intentionally yanks a letter that is addressed to someone else from someplace other than their own physical mailbox. That’s right, so hands off my coupons!
E-mail is a different story… It’s digital and you don’t have to reach into someone’s Post Office Box or home mail box to view it.
Here’s a question that doesn’t come up enough in my line of work.
“How can I secure my emails?”
Yup, hardly anyone asks about protecting information they send back and forth through email. You know, that fantastic instantaneous magic service that lets us send and receive documents, important text, and unimportant text without having to buy a single stamp. E-mail is awesome and it’s truly changed the way we communicate. Sure, social media is reshaping the landscape even more, but small companies and large scale corporations still rely heavily on email correspondence to conduct business with customers, clients, employees, government agencies, and other entities they interact with. And it works pretty darn well!
Here’s the problem
Lots of those emails zipping across the globe are not encrypted, making them insecure. Unfortunately, e-mails can be intercepted, forwarded to others, and read by peeps who are not the intended recipient. No big deal as long as what’s in the message doesn’t need to remain private and both you and the recipient wouldn’t care if others viewed it. However, some e-mails do contain important and private information that needs to stay private, and that can lead to issues if it isn’t secured in some way to prevent anyone other than the intended recipient from viewing it.
The best practice is usually NOT to send Private Information, Personally Identifiable Information or Individually Identifiable Health Information in an email. But, it does happen. So, why aren’t more folks asking me about securing emails? Occasionally, not often, it’s because staff at those companies already employ services which secure their communication. Many times it’s that they don’t send personally identifiable information in the form of e-mail, but far too often they do and just aren’t familiar with how to secure it, believe the process is too inconvenient, or cost has deterred them.
What constitutes Personally Identifiable Information?
Personally identifiable information (PII), or sensitive personal information (SPI), as used in information security and privacy laws, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
Thank you, Wikipedia!
What is Individually Identifiable Health Information?
HIPAA defines “individually identifiable health information” as information that is a subset of health information, including demographic information collected from an individual, and:
- Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
a. That identifies the individual; or
b. With respect to which there is reasonable basis to believe the information can be used to identify the individual.
The Federal Trade Commission suggests that those who store and work with this type of information electronically should:
Encrypt sensitive information that you send to third parties over public networks (like the internet), and encrypt sensitive information that is stored on your computer network, laptops, or portable storage devices used by your employees. Consider also encrypting email transmissions within your business.
The site HHS.gov for HIPAA says:
The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c) For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message. Further, while the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail. In addition, covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164, Subpart C.
Okay, Now what?
When in doubt, encrypt it. Another good practice is to encrypt all e-mails that may contain private information, to avoid the potential of you being the cause of unintentional disclosure to the wrong party. Sounds complicated, doesn’t it? Well, it used to be, but no more.
Protonmail to the rescue.
Now, it’s easy. The brains at MIT and CERN have created a secure e-mail system which resides in Switzerland, and it works well, plus it’s free for a single basic account. Score!
I recently discovered protonmail while searching for a viable solution to help home users as well as small businesses send out encrypted documents. So, I checked it out by setting up an account and using it. I was pleasantly surprised at how easy the interface was to navigate and work with. If you’re familiar with other webmail services you’ll be right at home composing, sending and receiving emails.
Here’s how it works.
Those who use a protonmail e-mail account can communicate with others using a protonmail e-mail account securely by default. All the emails sent between protonmail users are encrypted before being stored on the server. The only ones who get to view the information are the recipient and the sender. This is all great, but the really cool thing about the service is when you have to send someone a secure e-mail and they don’t have a protonmail account. Let’s face it, 9.99 times out of 10 that’s going to be the case because everyone else is using Google’s GMAIL, Microsoft’s LIVE or OUTLOOK, Apple’s iCloud, Zoho Mail, Yandex or a host of other services including email provided through web hosting accounts.
In this case your workflow is easy peasy and goes a little something like this:
Step 1 – Sign up for a protonmail account!
Step 2 – Login to your new protonmail account and click the COMPOSE button to start creating an email.
Step 3 – Compose your message 🙂
Step 4 – Add any attachments you would like to send by clicking the little paperclip button on the lower left.
Step 5 – Click the padlock button on the lower left to add a password to the e-mail and prevent anyone but the recipient from accessing it. This is important: without that password the email gets sent out as a normal unencrypted message. It’s up to you how to let the recipient know what that password is. I’d simply make a phone call and let them know.
Step 6 – Add the self-destruct countdown! I love this feature. Remember Get Smart? Or perhaps Mission Impossible? Yeah, this is where you set the amount of time the message will live before it gets erased forever. Do this by clicking the clock button in the lower left and setting the counter in hours, days, or weeks. This is great for time sensitive material: if the recipient doesn’t access it within that window of time, it’s gone.
Step 7 – Verify you have put in the correct e-mail address, have attached the correct files, ADDED A PASSWORD (super important!) and have set an expiration time. If so, all three buttons in the lower left will have changed color. Last but not least, click SEND. You’re done!
On the other end the recipient will receive an email from protonmail.com letting them know that they have a secure message waiting for them. Along with this message is the Password Hint you had the opportunity to type in, and it also lets them know when the message will expire. All they need to do is click the View Secure Message link and the default web browser will open and bring them to a page to type in that password you gave them.
They type in the password and click DECRYPT. That’s it!
Now, they can access the message directly while it lives only on the protonmail secure server. They can even reply and upload attachments to send back to you. And, it’s all encrypted. How easy is that? Seriously, there is no reason to send private information over insecure e-mail channels anymore.
And no, I’m not getting paid to promote protonmail. Over and out…