How to Implement encrypted email with minimal requirements on the recipient end

I have a medical office that needs to send encrypted email to comply with HIPAA requirements. I don't want to get sidetracked with all of the HIPAA compliance stuff, I just want to give them what they requested, which is a way to send encrypted emails WITH MINIMAL REQUIREMENTS FOR RECIPIENTS TO RECEIVE AND VIEW SAID EMAILS. That's their emphasis, not mine :-) I looked at free service from sendinc.com, but that requires recipients to create an account. Using the security built into Outlook with a certificate for example, I believe requires the recipient to also have a certificate, which won't work, assuming I have that right. I know this is possible because my own insurance company sends me encrypted emails which I can open without any fuss. I probably had to do something up front to allow this, but I don't recall what it was. The client's environment is Outlook 2007 using godaddy.com domain based pop/imap email. Ideas? Thanks!
LVL 1
tcianfloneAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

McKnifeCommented:
Sorry, but how should that work? The recipient will have to exchange keys with you and get his mail client/mail server to work with your key. There is no minimal way.
0
Sean JacksonInformation Security AnalystCommented:
To send encrypted emails, yes, you will need to have a certificate, and so will your recipient.  You need to have exchanged these certificates one with another before you can send encrypted email. You can purchase such certificates from any good Certificate Authority, but you can also create your own using PGP tools.  

Once you have a certificate associated with your email, and you're using a mail client that supports encrypted mail, you can digitally sign all your emails going out. If you have someone you're communicating with and they're also using a certificate to sign their emails, you could begin sending encrypted email back and forth.

Note: I don't think Outlook supports PGP-created certificates. You might have to buy yours.

An alternative to initiating this back and forth certificate exchange would be to create a secure area that your recipients can log into and view emails there. I don't know if this would meet your requirements, but that could be a way of communicating to them securely, behind your SSL encryption.
0
tcianfloneAuthor Commented:
The office will be sending personal medical info (x-rays as an attachment, for example) to individual patients. Patients will be using all different types of email environments, and the office does not want to deal with what would essentially be tech support calls from patients who can't open emails. There's no way all of his patients are going to be setting up security certificates, so I am looking for a solution that solves this problem. Sean Jackson's idea where there is a secure logon site for patients to view their personal stuff might be the only way to do this. I'll keep the question open for another day or so to see what other ideas there are. Thanks.
0
Introducing the "443 Security Simplified" Podcast

This new podcast puts you inside the minds of leading white-hat hackers and security researchers. Hosts Marc Laliberte and Corey Nachreiner turn complex security concepts into easily understood and actionable insights on the latest cyber security headlines and trends.

Dave HoweSoftware and Hardware EngineerCommented:
A lot depends on how much money you are willing to spend :)

There is a system of encryption that doesn't require ANY prior key generation at the recipient end, and this is called "oracle based encryption" (delphic oracle, not the company Oracle :)

Microsoft offer this as part of their Office365 suite; cisco offer it as CRES (and require an Ironport appliance), PGP inc offer their Universal Gateway (the only commercial offering that doesn't have a backdoor for the USG, but again, requires an appliance) and the cheapest variant is Zixmail - the Voltage variant is growing in popularity, but isn't as long established (and hence, tested) as most of the others.  There is (afaik) no open source replacement.

All have in common that a new recipient must go and sign up for a username/password on receipt of an encrypted mail, just as if they were registering for a webmail solution. The decryption then takes place via a web gui (again, like webmail) - but you can send email to them without them having had to do that in advance, which is the advantage.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
McKnifeCommented:
Dave, the oracle based encryption will need a server component in the cloud, right? So the key exchange is done through the cloud - that will not be desirable for many.
Or am I wrong?
0
Dave HoweSoftware and Hardware EngineerCommented:
@McKnife: No, this has been around long before there was a "cloud" - for online solutions (such as cisco CRES) there is a key oracle in a vendor datacenter which, if a user doesn't have a key yet, will generate one for them and wait for them to come sign up - it then gets the user to set up a username and password for access to the key.

The strength of this is that you can have one key (and one user/password) regardless of who sends you mail. with pgp universal gateway, the key is generated on an on-premise device owned by the sender, and the recipient must go and perform the same user/pass setup on that device.  This means that each sender controls the keys, and a single user may have many universal gateway accounts (and keys) - one per sender.

downside of the vendor oracle is, of course, that anyone with a suitable warrant (or a criminal bent plus sufficient leverage to get what they want from a vendor employee) can get access to the key too.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Email Software

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.