How to Implement encrypted email with minimal requirements on the recipient end

Posted on 2014-11-01
Last Modified: 2014-11-04
I have a medical office that needs to send encrypted email to comply with HIPAA requirements. I don't want to get sidetracked with all of the HIPAA compliance stuff, I just want to give them what they requested, which is a way to send encrypted emails WITH MINIMAL REQUIREMENTS FOR RECIPIENTS TO RECEIVE AND VIEW SAID EMAILS. That's their emphasis, not mine :-) I looked at free service from, but that requires recipients to create an account. Using the security built into Outlook with a certificate for example, I believe requires the recipient to also have a certificate, which won't work, assuming I have that right. I know this is possible because my own insurance company sends me encrypted emails which I can open without any fuss. I probably had to do something up front to allow this, but I don't recall what it was. The client's environment is Outlook 2007 using domain based pop/imap email. Ideas? Thanks!
Question by:tcianflone
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 54

Expert Comment

ID: 40417284
Sorry, but how should that work? The recipient will have to exchange keys with you and get his mail client/mail server to work with your key. There is no minimal way.

Expert Comment

by:Sean Jackson
ID: 40417289
To send encrypted emails, yes, you will need to have a certificate, and so will your recipient.  You need to have exchanged these certificates one with another before you can send encrypted email. You can purchase such certificates from any good Certificate Authority, but you can also create your own using PGP tools.  

Once you have a certificate associated with your email, and you're using a mail client that supports encrypted mail, you can digitally sign all your emails going out. If you have someone you're communicating with and they're also using a certificate to sign their emails, you could begin sending encrypted email back and forth.

Note: I don't think Outlook supports PGP-created certificates. You might have to buy yours.

An alternative to initiating this back and forth certificate exchange would be to create a secure area that your recipients can log into and view emails there. I don't know if this would meet your requirements, but that could be a way of communicating to them securely, behind your SSL encryption.

Author Comment

ID: 40417409
The office will be sending personal medical info (x-rays as an attachment, for example) to individual patients. Patients will be using all different types of email environments, and the office does not want to deal with what would essentially be tech support calls from patients who can't open emails. There's no way all of his patients are going to be setting up security certificates, so I am looking for a solution that solves this problem. Sean Jackson's idea where there is a secure logon site for patients to view their personal stuff might be the only way to do this. I'll keep the question open for another day or so to see what other ideas there are. Thanks.
Surfing Is Meant To Be Done Outdoors

Featuring its rugged IP67 compliant exterior and delivering broad, fast, and reliable Wi-Fi coverage, the AP322 is the ideal solution for the outdoors. Manage this AP with either a Firebox as a gateway controller, or with the Wi-Fi Cloud for an expanded set of management features

LVL 33

Accepted Solution

Dave Howe earned 500 total points
ID: 40417430
A lot depends on how much money you are willing to spend :)

There is a system of encryption that doesn't require ANY prior key generation at the recipient end, and this is called "oracle based encryption" (delphic oracle, not the company Oracle :)

Microsoft offer this as part of their Office365 suite; cisco offer it as CRES (and require an Ironport appliance), PGP inc offer their Universal Gateway (the only commercial offering that doesn't have a backdoor for the USG, but again, requires an appliance) and the cheapest variant is Zixmail - the Voltage variant is growing in popularity, but isn't as long established (and hence, tested) as most of the others.  There is (afaik) no open source replacement.

All have in common that a new recipient must go and sign up for a username/password on receipt of an encrypted mail, just as if they were registering for a webmail solution. The decryption then takes place via a web gui (again, like webmail) - but you can send email to them without them having had to do that in advance, which is the advantage.
LVL 54

Expert Comment

ID: 40419351
Dave, the oracle based encryption will need a server component in the cloud, right? So the key exchange is done through the cloud - that will not be desirable for many.
Or am I wrong?
LVL 33

Expert Comment

by:Dave Howe
ID: 40422932
@McKnife: No, this has been around long before there was a "cloud" - for online solutions (such as cisco CRES) there is a key oracle in a vendor datacenter which, if a user doesn't have a key yet, will generate one for them and wait for them to come sign up - it then gets the user to set up a username and password for access to the key.

The strength of this is that you can have one key (and one user/password) regardless of who sends you mail. with pgp universal gateway, the key is generated on an on-premise device owned by the sender, and the recipient must go and perform the same user/pass setup on that device.  This means that each sender controls the keys, and a single user may have many universal gateway accounts (and keys) - one per sender.

downside of the vendor oracle is, of course, that anyone with a suitable warrant (or a criminal bent plus sufficient leverage to get what they want from a vendor employee) can get access to the key too.

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Do you know what to look for when considering cloud computing? Should you hire someone or try to do it yourself? I'll be covering these questions and looking at the best options for you and your business.
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question