Solved

How is Voltage secure HIPPA mail secure?

Posted on 2016-09-07
6
52 Views
Last Modified: 2016-09-08
Aetna "encrypts" email so it is HIPPA compliant (using https://www.voltage.com/)

Basically: they send you an email with an encrypted .HTML attachment.  

You double-click the attachment and view the message as webmail on the aetna.com site.

I forwarded such a message to my hotmail account and could just double-click the attachment and view it fine.

I then forwarded it to my gmail account, and opened the message on my laptop (wifi network), and likewise can just click the attachment to open the message.

So, how is this secure?

It never asks for a password and seemingly doesn't use certificates (I'm in IT and not the destination HR user)

Any ideas?

Why couldn't they have just sent a link to the particular message on aetna.com?  Why all this hocus pocus encryption stuff to not even bother asking for a login userid/password?

Seems crazy!
0
Comment
Question by:mike2401
  • 4
  • 2
6 Comments
 
LVL 38

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 41788757
Read this for some entry level background on email encryption: http://wp.me/pUCB5-8q
You may not need to know all that, but I'm providing it as a way to get on the same page with you.

Voltage utilizes a fairly simple key exchange method for allowing access to the emails you send. The message is sent as a secure attachment that, when opened, checks your web browser for the correct key that is stored in a cookie, add-in, or some other client-side method. If the key for the message is found, it is seamlessly opened without prompting for credentials. If not, a login prompt is presented. If the recipient has never attempted to open a secured message before, they are prompted to register their email and a password to receive the proper key.

What I suspect is happening here is this; You are opening the message attachment on the same system you used to send the message. If you sent the message using the Outlook add-in for Voltage or the website set up to send messages directly using voltage, the key to unlock the message is already on your system and it doesn't matter which email address you open it with, the correct key will always be found and the message will open properly.

To test this theory, send another secure message to an email address you haven't tested yet, but open it on a completely different computer that you know you haven't used to open or create a secure email with. If it them prompts you to enter a username and password or register with the voltage service, then you'll know that the above theory is correct and the certificate you need was already on your computer, found, and used to open the HTML file. If it doesn't prompt you when you do this, I would communicate the issue with Voltage support.

As to why all this has to happen, it comes down to the fact that we can't guarantee that all receiving parties have enabled Opportunistic TLS on their mail servers. Even in the case that the message doesn't require a username and password on the new computer, the message is still being encrypted *in transit* in a way that prevents casual packet sniffing from examining the message data. This is, in effect, all that HIPAA requires from an email encryption standpoint.
0
 

Author Comment

by:mike2401
ID: 41789815
Wow Adam, that's an amazing answer, thank you!

I'm reading the link now!

Mike
0
 

Author Comment

by:mike2401
ID: 41789816
I'm going to quick close the call so you get all 500 points, even though I might have a follow-up question after I do the experiment.

Mike
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 

Author Closing Comment

by:mike2401
ID: 41789818
Amazing answer!
0
 

Author Comment

by:mike2401
ID: 41789880
If the cookie/certif is on the client pc, and I'm opening the message on an entirely different pc, I'm still not understanding how it would just open.

BTW, I have seen health portal type emails exactly as you described where the first time the user PICKS a password.  This always struck me as crazy as it doesn't seem like a good way to authenticate the FIRST message is being opened by the proper person.
0
 
LVL 38

Expert Comment

by:Adam Brown
ID: 41790250
Yeah. I've never really liked those methods for handling email "encryption" because they have huge weaknesses and they violate the normal recommendations that users never open attachments or follow links in Emails. But they do technically resolve the compliance requirements for encryption in transit, and they are way easier for the end users to use than S/MIME. Another solution is to require TLS encryption in outgoing emails, but every time I try to enable that option on an email server I invariably get mountains of bitching users getting NDRs because they sent a message to someone whose mail server doesn't support Opportunistic TLS (freaking idiot Linux mail server admins, for the most part).

I haven't really worked with Voltage myself, so I can't say exactly how it functions, and their documentation is really bad (surprising, I know). But when the only requirement is that the message be encrypted in transit, it does meet that requirement no matter what. You would have to have a full man-in-the-middle setup going to be able to read the message, and that's usually quite difficult to accomplish without having enough access to read everything in the mailbox anyway.
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Healthcare providers, insurance companies and other covered entities trust eFax Corporate to transmit their most sensitive documents. eFax Corporate can help your organization implement a HIPAA compliant cloud faxing solution.
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
In this video we show how to create a User Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Mailb…
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …

912 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now