Solved

How to Implement encrypted email with minimal requirements on the recipient end

Posted on 2014-11-01
6
217 Views
Last Modified: 2014-11-04
I have a medical office that needs to send encrypted email to comply with HIPAA requirements. I don't want to get sidetracked with all of the HIPAA compliance stuff; I just want to give them what they requested, which is a way to send encrypted emails WITH MINIMAL REQUIREMENTS FOR RECIPIENTS TO RECEIVE AND VIEW SAID EMAILS. That's their emphasis, not mine :-) I looked at the free service from sendinc.com, but that requires recipients to create an account. Using the security built into Outlook with a certificate, for example, I believe requires the recipient to also have a certificate, which won't work, assuming I have that right. I know this is possible because my own insurance company sends me encrypted emails which I can open without any fuss. I probably had to do something up front to allow this, but I don't recall what it was. The client's environment is Outlook 2007 using godaddy.com domain-based POP/IMAP email. Ideas? Thanks!
0
Question by:tcianflone
6 Comments
 
LVL 53

Expert Comment

by:McKnife
Sorry, but how should that work? The recipient will have to exchange keys with you and get his mail client/mail server to work with your key. There is no minimal way.
0
 
LVL 5

Expert Comment

by:Sean Jackson
To send encrypted emails, yes, you will need to have a certificate, and so will your recipient. You need to have exchanged these certificates with one another before you can send encrypted email. You can purchase such certificates from any good Certificate Authority, but you can also create your own using PGP tools.

Once you have a certificate associated with your email, and you're using a mail client that supports encrypted mail, you can digitally sign all your emails going out. If you have someone you're communicating with and they're also using a certificate to sign their emails, you could begin sending encrypted email back and forth.

Note: I don't think Outlook supports PGP-created certificates. You might have to buy yours.

An alternative to initiating this back and forth certificate exchange would be to create a secure area that your recipients can log into and view emails there. I don't know if this would meet your requirements, but that could be a way of communicating to them securely, behind your SSL encryption.
0
 
LVL 1

Author Comment

by:tcianflone
The office will be sending personal medical info (x-rays as an attachment, for example) to individual patients. Patients will be using all different types of email environments, and the office does not want to deal with what would essentially be tech support calls from patients who can't open emails. There's no way all of his patients are going to be setting up security certificates, so I am looking for a solution that solves this problem. Sean Jackson's idea where there is a secure logon site for patients to view their personal stuff might be the only way to do this. I'll keep the question open for another day or so to see what other ideas there are. Thanks.
0
 
LVL 33

Accepted Solution

by: Dave Howe (earned 500 total points)
A lot depends on how much money you are willing to spend :)

There is a system of encryption that doesn't require ANY prior key generation at the recipient end, and this is called "oracle based encryption" (Delphic oracle, not the company Oracle :)

Microsoft offer this as part of their Office 365 suite; Cisco offer it as CRES (and require an IronPort appliance); PGP Inc. offer their Universal Gateway (the only commercial offering that doesn't have a backdoor for the USG, but again, requires an appliance); and the cheapest variant is Zixmail. The Voltage variant is growing in popularity, but isn't as long established (and hence, tested) as most of the others. There is (afaik) no open source replacement.

All have in common that a new recipient must go and sign up for a username/password on receipt of an encrypted mail, just as if they were registering for a webmail solution. The decryption then takes place via a web gui (again, like webmail) - but you can send email to them without them having had to do that in advance, which is the advantage.
0
 
LVL 53

Expert Comment

by:McKnife
Dave, the oracle based encryption will need a server component in the cloud, right? So the key exchange is done through the cloud - that will not be desirable for many.
Or am I wrong?
0
 
LVL 33

Expert Comment

by:Dave Howe
@McKnife: No, this has been around long before there was a "cloud". For online solutions (such as Cisco CRES) there is a key oracle in a vendor datacenter which, if a user doesn't have a key yet, will generate one for them and wait for them to come sign up; it then gets the user to set up a username and password for access to the key.

The strength of this is that you can have one key (and one user/password) regardless of who sends you mail. With PGP Universal Gateway, the key is generated on an on-premise device owned by the sender, and the recipient must go and perform the same user/pass setup on that device. This means that each sender controls the keys, and a single user may have many Universal Gateway accounts (and keys), one per sender.

The downside of the vendor oracle is, of course, that anyone with a suitable warrant (or a criminal bent plus sufficient leverage to get what they want from a vendor employee) can get access to the key too.
0
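To make the flow in the accepted answer and the follow-up concrete, here is an added simulation (not code from the thread or from any of the vendors named) of a vendor-hosted key oracle: the sender asks the oracle for a key for an address it has never seen, the recipient enrols with a username/password only after the mail arrives, and the oracle's own key table shows why its operator can read the mail too. The HMAC-SHA256 stream cipher and the `KeyOracle` class are constructed for this illustration only.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # constructed value for the illustration


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode (a real gateway uses AES-GCM)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("authentication failed")  # tampered or wrong key
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


class KeyOracle:
    """Vendor-hosted oracle: mints a key for any address on first use and
    releases it to the recipient only after they enrol a username/password."""

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}    # the oracle holds every key in clear: the downside
        self.verifiers: dict[str, tuple[bytes, bytes]] = {}

    def key_for_sender(self, address: str) -> bytes:
        return self.keys.setdefault(address, secrets.token_bytes(32))  # no recipient setup needed

    def enrol(self, address: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.verifiers[address] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS))

    def key_for_recipient(self, address: str, password: str) -> bytes:
        if address not in self.verifiers:
            raise PermissionError("recipient has not enrolled yet")
        salt, stored = self.verifiers[address]
        if not hmac.compare_digest(stored, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)):
            raise PermissionError("bad password")
        return self.keys[address]
```

The sender only ever calls `key_for_sender`; the recipient's first encrypted mail is what prompts `enrol`, after which `key_for_recipient` plus `decrypt` plays the role of the web GUI. A second sender using the same oracle reuses the same key, which is the one-key-per-user property the answer describes.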