Are you using secure email?
This post is focused on secure email but some aspects like SSL and encryption apply equally to data in general.
- With all the breaches in the headlines, it behooves us to secure our email.
- Breaches expose client data that can be used to access your accounts.
- Even if a hacker has your email account credentials, he may be unable to read encrypted email.
- Email can be accessed by the unscrupulous in a number of ways.
- Sending email without SSL is like sending your mail on postcards.
Think your data is safe?
Our focus is finding solutions that work for our clients with minimal intervention and/or setup.
- Office of Personnel Management (OPM)
- Ashley Madison Data Breach
- VTech Asia Data Breach
- Hospital and Health Insurance Data Breaches
- Jeep Hack
These high profile breaches are a reminder that our data is not as secure as we would like.
Anything shared on the Internet is vulnerable to various types of snooping and hacks.
Email is no exception.
With the information gleaned from breaches, hackers may have direct access to your accounts if they uncovered passwords that you use elsewhere.
That’s why we suggest unique strong passwords for every account.
Let’s investigate methods to secure our email.
How Difficult is it for Someone to Hack Your Data?
The best defense is to use encryption but that is not as convenient as we would like.
SSL email helps in most cases.
Otherwise your email is open to anyone that can sniff it out of the air.
That’s easier than you may think using attacks like Man in the Middle.
Hacking Methods Used
Once hackers have your information there are a number of ways to access your accounts.
- Phishing – acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication
- Man-in-the-middle attack (MITM) – attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.
- Session stealing (cookie hijacking) – exploitation of a valid computer session (session key) to gain unauthorized access to information or services in a computer system. … theft of a magic cookie used to authenticate a user to a remote server.
- Keylogging (Keystroke logging/keyboard capturing) – recording (logging) the keys struck on a keyboard, typically covertly.
- Social Engineering – psychological manipulation of people into performing actions or divulging confidential information
- Hacking your computer – malware planted on your computer allows hackers complete access to your data
- If a hacker has access to your computer you need to have it cleaned.
Doesn’t SSL Secure My Email?
Using SSL for your email provides security between you and your email host.
Prior to SSL (Secure Socket Layer) emails were sent in plain text from your email client like Outlook to the host server.
Google’s chart below shows that most email to and from Gmail in the America’s uses SSL.
SSL is helpful but it doesn’t keep anyone with access to the server from reading your email or necessarily guarantee that it will be transported to the recipient via SSL.
Client-side SSL is a step in the right direction but encrypting you email is much more secure.
Using SSL and SSL Email Setup?
If you want to check whether you are using SSL you can use Comcast’s guide to interrogate various email clients.
If you need to setup an email account to use SSL you can contact your provider or Google setup “Provider Name” email.
“Provider Name” is the provider who sends you a bill each month.
Implementing Secure Email
We encrypted email for our clients back in the late 1980s but it was tedious to setup and use.
Consequently, secure email was not considered a priority and seldom used.
We need encryption to ensure that sensitive email is not compromised.
This requires some inconvenience on the clients but it’s the best way to secure our email.
HIPAA Compliant Email
With the advent of the HIPAA (Health Insurance Portability and Accountability Act) companies have become more security aware.
If you send sensitive email or work in the medical industry you may be required to secure your email or face penalties.
The Health Insurance Portability and Accountability Act (HIPAA), sets the standard for protecting sensitive patient data. Any organization dealing with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed.
Paubox article on HIPAA compliance
Is HIPAA Email Encrypted?
Some HIPAA email providers like GoDaddy do not necessarily encrypt email in transit.
There is some debate on whether or not HIPAA requires email to be encrypted.
GoDaddy encryption has an add-on for HIPAA email. It’s an all or nothing scenario so all your mailboxes either get encryption or they don’t.
Likewise encrypted email isn’t necessarily HIPAA compliant.
HIPAA compliance requires partners to sign a Business Associate Agreement (BAA).
HIPAA Compliant Hosts
GoDaddy and other hosts offer HIPAA compliant email.
GoDaddy was the least expensive of the providers we found using Exchange email.
HIPAA COMPLIANT EMAIL
HIPAA requires health care providers to ensure that their business associates will safeguard Protected Health Information (PHI). If you are interested in emailing with your patients, or sending any patient data through email, you need to be sure that your email is protected in a HIPAA-compliant manner.
Some vendors offer HIPAA compliant email with Exchange like features.
In some ways, these email services may surpass Exchange by encrypting email.
On the other hand, why not get a service that is like Exchange when you can have Exchange even if it isn’t encrypted.
You need encryption if you want to secure your email while in transit.
HIPAA email providers using Exchange email do not necessarily encrypt in transit.
There are, however, encryption add-ons.
Encryption uses PGP key pairs.
One key is shared with the public and the other is private.
Without the private key, your message is safe from prying eyes.
Part of the challenge of setting up and using PGP encryption is the generation and tracking keys.
The nomenclature is a bit confusing.
Key generators typically import private keys and export public keys.
Some key generators will export both public and private keys simultaneously.
GPG4Win’s Kleopatra Interface is a bit clunky but works fine once set up.
We did have issues with some public certificates generated in Kleopatra not working with Gravity Form PGP Extension.
Interestingly the Kleopatra generated public key did not work with Kleopatra but did work with Gmail Mailvelope extension.
Importing the Kleopatra public key into Mailvelope and exporting produced a working certificate for our server.
Mailvelope Chrome extension easy to install and use.
After running into issues with Kleopatra generated public certificates, we tried generating keys via Mailvelope.
Unfortunately, the certificates didn’t install well on Gravity Form PGP Extension.
Gravity Form PGP Extension requires a matching email address for a notification email and the Mailvelope public certificates displayed none.
Symantec Desktop Email Encryption
Symantec Desktop Email Encryption was the easiest solution to work with but expensive.
It works with Macs & Windows but not Linux.
Once setup outlook emails are decrypted automatically with no intervention of the user.
ProtonMail and Gmail send encrypted email these days but you lose that
feature when you send to an outside account.
Gmail is not HIPAA compliant.
Google Apps business email is HIPAA compliant.
If your website asks for sensitive information you should use SSL and encryption to protect that data.
Gravity Forms and their PGP Extension makes it easy to setup an encrypted form.
Gravity Form PGP Extension requires public keys and matching email for notifications to be send.
When you send encrypted email you must decrypt to read it.
The following table lists software that handles encryption/decryption.
Gpg4win is a free solution for Windows Outlook users.
- Import private key
- Certify you will be able to
- Decrypt messages
- Open message
- click decrypt
Mailvelope is a free and easy solution to implement for Gmail and Chrome.
This is the easiest solution if you are using Gmail and Chrome.
- Install extension
- Import private key
- Emails are automatically decrypted
- Use SSL Email at very least.
- Make sure your computer doesn’t have malware.
- Encrypt email if you and your correspondents want the most security.
- Use HIPAA email if you deal with Protected Health Information (PHI).