Solved

How is Voltage secure HIPAA mail secure?

Posted on 2016-09-07
Last Modified: 2016-09-08
Aetna "encrypts" email so it is HIPAA compliant (using https://www.voltage.com/).

Basically: they send you an email with an encrypted .HTML attachment.  

You double-click the attachment and view the message as webmail on the aetna.com site.

I forwarded such a message to my hotmail account and could just double-click the attachment and view it fine.

I then forwarded it to my gmail account, and opened the message on my laptop (wifi network), and likewise can just click the attachment to open the message.

So, how is this secure?

It never asks for a password and seemingly doesn't use certificates (I'm in IT and not the destination HR user)

Any ideas?

Why couldn't they have just sent a link to the particular message on aetna.com?  Why all this hocus pocus encryption stuff to not even bother asking for a login userid/password?

Seems crazy!
Question by:mike2401
6 Comments
 
LVL 41

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 41788757
Read this for some entry level background on email encryption: http://wp.me/pUCB5-8q
You may not need to know all that, but I'm providing it as a way to get on the same page with you.

Voltage utilizes a fairly simple key exchange method for allowing access to the emails you send. The message is sent as a secure attachment that, when opened, checks your web browser for the correct key that is stored in a cookie, add-in, or some other client-side method. If the key for the message is found, it is seamlessly opened without prompting for credentials. If not, a login prompt is presented. If the recipient has never attempted to open a secured message before, they are prompted to register their email and a password to receive the proper key.

What I suspect is happening here is this: you are opening the message attachment on the same system you used to send the message. If you sent the message using the Outlook add-in for Voltage or the website set up to send messages directly using Voltage, the key to unlock the message is already on your system and it doesn't matter which email address you open it with, the correct key will always be found and the message will open properly.

To test this theory, send another secure message to an email address you haven't tested yet, but open it on a completely different computer that you know you haven't used to open or create a secure email with. If it then prompts you to enter a username and password or register with the Voltage service, then you'll know that the above theory is correct and the certificate you need was already on your computer, found, and used to open the HTML file. If it doesn't prompt you when you do this, I would communicate the issue with Voltage support.

As to why all this has to happen, it comes down to the fact that we can't guarantee that all receiving parties have enabled Opportunistic TLS on their mail servers. Even in the case that the message doesn't require a username and password on the new computer, the message is still being encrypted *in transit* in a way that prevents casual packet sniffing from examining the message data. This is, in effect, all that HIPAA requires from an email encryption standpoint.
0
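Whether a delivered message really had transport encryption on every hop, the concern raised in the answer above, can be checked from its `Received` headers. This is an added example, not part of the original thread: it classifies each hop using the RFC 3848 "with" protocol types plus any TLS comment, and the sample message, hostnames and function names are constructed for illustration.

```python
import re
from email import message_from_string

# RFC 3848 "with" protocol types; the S/SA variants mean STARTTLS was used.
TLS_TYPES = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
PLAIN_TYPES = {"SMTP", "ESMTP", "ESMTPA", "LMTP", "LMTPA"}

# Constructed sample (hosts and ids are made up): the middle hop had no TLS.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
\tby store.recipient.example with ESMTP id c3; Wed, 07 Sep 2016 10:00:03 -0400
Received: from relay.sender.example (relay.sender.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id b2; Wed, 07 Sep 2016 10:00:02 -0400
Received: from client.sender.example (client.sender.example [203.0.113.5])
\tby relay.sender.example with ESMTPSA id a1; Wed, 07 Sep 2016 10:00:01 -0400
From: hr@sender.example
To: user@recipient.example
Subject: constructed test message

body
"""

def split_comments(value):
    """Return (value without comments, comment text); comments may nest."""
    comments, prev = [], None
    while prev != value:
        prev = value
        comments += re.findall(r"\(([^()]*)\)", value)
        value = re.sub(r"\([^()]*\)", " ", value)
    return value, " ".join(comments)

def hop_security(received):
    """Classify one Received header as 'tls', 'plaintext' or 'unknown'."""
    text, comments = split_comments(received)
    m = re.search(r"\bwith\s+([A-Za-z0-9]+)", text)
    proto = m.group(1).upper() if m else ""
    # Some MTAs log "with ESMTP" plus a TLS comment, so check both places.
    if proto in TLS_TYPES or re.search(r"\bTLSv?\d", comments, re.I):
        return "tls"
    return "plaintext" if proto in PLAIN_TYPES else "unknown"

def audit(raw_message):
    """Per-hop transport security, ordered from sender to recipient."""
    msg = message_from_string(raw_message)
    # Each server prepends its header, so reverse to get chronological order.
    return [hop_security(h) for h in reversed(msg.get_all("Received", []))]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

`Received` headers are self-reported by each server, so the result is only as trustworthy as the hops that wrote them.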
 

Author Comment

by:mike2401
ID: 41789815
Wow Adam, that's an amazing answer, thank you!

I'm reading the link now!

Mike
0
 

Author Comment

by:mike2401
ID: 41789816
I'm going to quick close the call so you get all 500 points, even though I might have a follow-up question after I do the experiment.

Mike
0

Author Closing Comment

by:mike2401
ID: 41789818
Amazing answer!
0
 

Author Comment

by:mike2401
ID: 41789880
If the cookie/certif is on the client pc, and I'm opening the message on an entirely different pc, I'm still not understanding how it would just open.

BTW, I have seen health portal type emails exactly as you described where the first time the user PICKS a password.  This always struck me as crazy as it doesn't seem like a good way to authenticate the FIRST message is being opened by the proper person.
0
 
LVL 41

Expert Comment

by:Adam Brown
ID: 41790250
Yeah. I've never really liked those methods for handling email "encryption" because they have huge weaknesses and they violate the normal recommendations that users never open attachments or follow links in Emails. But they do technically resolve the compliance requirements for encryption in transit, and they are way easier for the end users to use than S/MIME. Another solution is to require TLS encryption in outgoing emails, but every time I try to enable that option on an email server I invariably get mountains of bitching users getting NDRs because they sent a message to someone whose mail server doesn't support Opportunistic TLS (freaking idiot Linux mail server admins, for the most part).

I haven't really worked with Voltage myself, so I can't say exactly how it functions, and their documentation is really bad (surprising, I know). But when the only requirement is that the message be encrypted in transit, it does meet that requirement no matter what. You would have to have a full man-in-the-middle setup going to be able to read the message, and that's usually quite difficult to accomplish without having enough access to read everything in the mailbox anyway.
0

Question has a verified solution.