Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

How to Implement encrypted email with minimal requirements on the recipient end

Posted on 2014-11-01
Last Modified: 2014-11-04
I have a medical office that needs to send encrypted email to comply with HIPAA requirements. I don't want to get sidetracked with all of the HIPAA compliance stuff, I just want to give them what they requested, which is a way to send encrypted emails WITH MINIMAL REQUIREMENTS FOR RECIPIENTS TO RECEIVE AND VIEW SAID EMAILS. That's their emphasis, not mine :-) I looked at free service from sendinc.com, but that requires recipients to create an account. Using the security built into Outlook with a certificate for example, I believe requires the recipient to also have a certificate, which won't work, assuming I have that right. I know this is possible because my own insurance company sends me encrypted emails which I can open without any fuss. I probably had to do something up front to allow this, but I don't recall what it was. The client's environment is Outlook 2007 using godaddy.com domain based pop/imap email. Ideas? Thanks!
Question by:tcianflone
LVL 54

Expert Comment

ID: 40417284
Sorry, but how should that work? The recipient will have to exchange keys with you and get his mail client/mail server to work with your key. There is no minimal way.

Expert Comment

by:Sean Jackson
ID: 40417289
To send encrypted emails, yes, you will need to have a certificate, and so will your recipient.  You need to have exchanged these certificates one with another before you can send encrypted email. You can purchase such certificates from any good Certificate Authority, but you can also create your own using PGP tools.  

Once you have a certificate associated with your email, and you're using a mail client that supports encrypted mail, you can digitally sign all your emails going out. If you have someone you're communicating with and they're also using a certificate to sign their emails, you could begin sending encrypted email back and forth.

Note: I don't think Outlook supports PGP-created certificates. You might have to buy yours.

An alternative to initiating this back and forth certificate exchange would be to create a secure area that your recipients can log into and view emails there. I don't know if this would meet your requirements, but that could be a way of communicating to them securely, behind your SSL encryption.

Author Comment

ID: 40417409
The office will be sending personal medical info (x-rays as an attachment, for example) to individual patients. Patients will be using all different types of email environments, and the office does not want to deal with what would essentially be tech support calls from patients who can't open emails. There's no way all of his patients are going to be setting up security certificates, so I am looking for a solution that solves this problem. Sean Jackson's idea where there is a secure logon site for patients to view their personal stuff might be the only way to do this. I'll keep the question open for another day or so to see what other ideas there are. Thanks.
Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

LVL 33

Accepted Solution

Dave Howe earned 500 total points
ID: 40417430
A lot depends on how much money you are willing to spend :)

There is a system of encryption that doesn't require ANY prior key generation at the recipient end, and this is called "oracle based encryption" (delphic oracle, not the company Oracle :)

Microsoft offer this as part of their Office365 suite; cisco offer it as CRES (and require an Ironport appliance), PGP inc offer their Universal Gateway (the only commercial offering that doesn't have a backdoor for the USG, but again, requires an appliance) and the cheapest variant is Zixmail - the Voltage variant is growing in popularity, but isn't as long established (and hence, tested) as most of the others.  There is (afaik) no open source replacement.

All have in common that a new recipient must go and sign up for a username/password on receipt of an encrypted mail, just as if they were registering for a webmail solution. The decryption then takes place via a web gui (again, like webmail) - but you can send email to them without them having had to do that in advance, which is the advantage.
LVL 54

Expert Comment

ID: 40419351
Dave, the oracle based encryption will need a server component in the cloud, right? So the key exchange is done through the cloud - that will not be desirable for many.
Or am I wrong?
LVL 33

Expert Comment

by:Dave Howe
ID: 40422932
@McKnife: No, this has been around long before there was a "cloud" - for online solutions (such as cisco CRES) there is a key oracle in a vendor datacenter which, if a user doesn't have a key yet, will generate one for them and wait for them to come sign up - it then gets the user to set up a username and password for access to the key.

The strength of this is that you can have one key (and one user/password) regardless of who sends you mail. with pgp universal gateway, the key is generated on an on-premise device owned by the sender, and the recipient must go and perform the same user/pass setup on that device.  This means that each sender controls the keys, and a single user may have many universal gateway accounts (and keys) - one per sender.

downside of the vendor oracle is, of course, that anyone with a suitable warrant (or a criminal bent plus sufficient leverage to get what they want from a vendor employee) can get access to the key too.

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

One of the biggest threats in the cyber realm pertains to advanced persistent threats (APTs). This paper is a compare and contrast of Russian and Chinese APT's.
Each year, investment in cloud platforms grows more than 20% (https://www.immun.io/hubfs/Immunio_2016/Content/Marketing/Cloud-Security-Report-2016.pdf?submissionGuid=a8d80a00-6fee-4b85-81db-a4e28f681762) as an increasing number of companies begin to…
This tutorial gives a high-level tour of the interface of Marketo (a marketing automation tool to help businesses track and engage prospective customers and drive them to purchase). You will see the main areas including Marketing Activities, Design …
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question