How to Implement encrypted email with minimal requirements on the recipient end

Posted on 2014-11-01
Medium Priority
Last Modified: 2014-11-04
I have a medical office that needs to send encrypted email to comply with HIPAA requirements. I don't want to get sidetracked with all of the HIPAA compliance stuff, I just want to give them what they requested, which is a way to send encrypted emails WITH MINIMAL REQUIREMENTS FOR RECIPIENTS TO RECEIVE AND VIEW SAID EMAILS. That's their emphasis, not mine :-) I looked at free service from sendinc.com, but that requires recipients to create an account. Using the security built into Outlook with a certificate for example, I believe requires the recipient to also have a certificate, which won't work, assuming I have that right. I know this is possible because my own insurance company sends me encrypted emails which I can open without any fuss. I probably had to do something up front to allow this, but I don't recall what it was. The client's environment is Outlook 2007 using godaddy.com domain based pop/imap email. Ideas? Thanks!
Question by:tcianflone
LVL 58

Expert Comment

ID: 40417284
Sorry, but how should that work? The recipient will have to exchange keys with you and get his mail client/mail server to work with your key. There is no minimal way.

Expert Comment

by:Sean Jackson
ID: 40417289
To send encrypted emails, yes, you will need to have a certificate, and so will your recipient.  You need to have exchanged these certificates one with another before you can send encrypted email. You can purchase such certificates from any good Certificate Authority, but you can also create your own using PGP tools.  

Once you have a certificate associated with your email, and you're using a mail client that supports encrypted mail, you can digitally sign all your emails going out. If you have someone you're communicating with and they're also using a certificate to sign their emails, you could begin sending encrypted email back and forth.

Note: I don't think Outlook supports PGP-created certificates. You might have to buy yours.

An alternative to initiating this back and forth certificate exchange would be to create a secure area that your recipients can log into and view emails there. I don't know if this would meet your requirements, but that could be a way of communicating to them securely, behind your SSL encryption.

Author Comment

ID: 40417409
The office will be sending personal medical info (x-rays as an attachment, for example) to individual patients. Patients will be using all different types of email environments, and the office does not want to deal with what would essentially be tech support calls from patients who can't open emails. There's no way all of his patients are going to be setting up security certificates, so I am looking for a solution that solves this problem. Sean Jackson's idea where there is a secure logon site for patients to view their personal stuff might be the only way to do this. I'll keep the question open for another day or so to see what other ideas there are. Thanks.
Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

LVL 33

Accepted Solution

Dave Howe earned 2000 total points
ID: 40417430
A lot depends on how much money you are willing to spend :)

There is a system of encryption that doesn't require ANY prior key generation at the recipient end, and this is called "oracle based encryption" (delphic oracle, not the company Oracle :)

Microsoft offer this as part of their Office365 suite; cisco offer it as CRES (and require an Ironport appliance), PGP inc offer their Universal Gateway (the only commercial offering that doesn't have a backdoor for the USG, but again, requires an appliance) and the cheapest variant is Zixmail - the Voltage variant is growing in popularity, but isn't as long established (and hence, tested) as most of the others.  There is (afaik) no open source replacement.

All have in common that a new recipient must go and sign up for a username/password on receipt of an encrypted mail, just as if they were registering for a webmail solution. The decryption then takes place via a web gui (again, like webmail) - but you can send email to them without them having had to do that in advance, which is the advantage.
LVL 58

Expert Comment

ID: 40419351
Dave, the oracle based encryption will need a server component in the cloud, right? So the key exchange is done through the cloud - that will not be desirable for many.
Or am I wrong?
LVL 33

Expert Comment

by:Dave Howe
ID: 40422932
@McKnife: No, this has been around long before there was a "cloud" - for online solutions (such as cisco CRES) there is a key oracle in a vendor datacenter which, if a user doesn't have a key yet, will generate one for them and wait for them to come sign up - it then gets the user to set up a username and password for access to the key.

The strength of this is that you can have one key (and one user/password) regardless of who sends you mail. with pgp universal gateway, the key is generated on an on-premise device owned by the sender, and the recipient must go and perform the same user/pass setup on that device.  This means that each sender controls the keys, and a single user may have many universal gateway accounts (and keys) - one per sender.

downside of the vendor oracle is, of course, that anyone with a suitable warrant (or a criminal bent plus sufficient leverage to get what they want from a vendor employee) can get access to the key too.

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Mailbox Corruption is a nightmare every Exchange DBA wishes he never has. Recovering from it can be super-hectic if not entirely futile. And though techniques like the New-MailboxRepairRequest cmdlet have been designed to help with fixing minor corr…
Microsoft Jet database engine errors can crop up out of nowhere to disrupt the working of the Exchange server. Decoding why a particular error occurs goes a long way in determining the right solution for it.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

621 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question