Office 365 Email Encryption for Regulation Compliance
From our last Experience The Possible event, the office manager of a local medical office asked about securing e-mail for health, employee, and payment information. Many pundits state that “technically” it is not a violation to e-mail Protected Health Information (PHI), especially if the patient has initiated communication using e-mail. However, any e-mail that is not encrypted or delivered via a secure portal may be intercepted or read by unauthorized parties, which is a clear HIPAA violation. (HIPAA Security Rule requirements at 45 C.F.R. Part 164, Subpart C)
In fact, many organizations mistakenly believe e-mails are being “magically” encrypted and still rely on legacy technology like Transport Layer Security (TLS) and Secure Sockets Layer (SSL), which have various weaknesses:
- TLS secures only the hop from the sender’s device to the organization’s mail server; e-mail for external recipients then passes through servers outside the organization, where encryption on each hop cannot be guaranteed.
- Another known weakness of TLS is that servers can be configured with “optional” (opportunistic) TLS rather than “mandatory” TLS. A server configured for optional TLS falls back to forwarding messages unencrypted whenever the next hop does not offer TLS, leaving them exposed to breach.
- SSL is based upon certificates, which most organizations fail to register or validate with a public third-party certificate provider; a certificate that cannot be validated is useless, and messages are transmitted unencrypted and exposed to breach.
- Many organizations also neglect to renew their third-party SSL certificates; an expired certificate likewise leaves messages unencrypted.
- Since neither technology offers end-to-end encryption, both are susceptible to interception by a man-in-the-middle attack. (https://msdn.microsoft.com/en-us/library/cc247407.aspx)
Since 2010, Microsoft has been the largest provider of encrypted e-mail in the world. The built-in Office 365 security features, including encrypted e-mail, offer the following advantages:
- Send encrypted e-mail messages to anyone, regardless of the recipient’s e-mail address.
- Eliminate the need for certificates and use a recipient’s e-mail address as the public key.
- Enhance the security of subsequent e-mail responses by encrypting each message in the thread.
- Recipients can decrypt and read e-mail with confidence, without installing client software.
- The encryption process is transparent to the sender, who does nothing other than write and send the message as usual.
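As an added example (not code from the original post or from Microsoft), the following Exchange Online PowerShell addresses both the “optional TLS” weakness described above and the Office 365 encryption features just listed: a partner connector that makes TLS mandatory for one external domain, and a mail flow rule that encrypts outbound messages containing PHI. The domains, rule and connector names, and the sensitive information type name are assumptions to adjust for your tenant.

```powershell
# Added example, not from the original post or from Microsoft.
# Assumptions: the ExchangeOnlineManagement module is installed, the admin
# account holds the Organization Management role, "clinic.example" and
# "partner.example" are placeholder domains, and the sensitive information
# type name below must be confirmed in your tenant's compliance portal.

Connect-ExchangeOnline -UserPrincipalName admin@clinic.example

# 1. Mandatory TLS: an Outbound connector scoped to the partner's domain.
#    TlsSettings DomainValidation requires a certificate from a trusted CA
#    whose name matches TlsDomain. If the partner cannot negotiate TLS that
#    passes validation, the message is not sent in cleartext (this is the
#    "mandatory TLS" behaviour, as opposed to opportunistic TLS).
New-OutboundConnector -Name "Mandatory TLS to partner.example" `
    -ConnectorType Partner `
    -RecipientDomains "partner.example" `
    -UseMXRecord $true `
    -TlsSettings DomainValidation `
    -TlsDomain "partner.example"

# 2. Message encryption: a mail flow rule that applies the built-in
#    "Encrypt" Office 365 Message Encryption template to any message leaving
#    the organization that matches the HIPAA sensitive information type.
#    Unlike the connector, this protects the message itself rather than one
#    transport hop, so it reaches recipients on any mail provider.
New-TransportRule -Name "Encrypt outbound PHI" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(@{Name = "U.S. Health Insurance Act (HIPAA) Enhanced"; minCount = "1"}) `
    -ApplyRightsProtectionTemplate "Encrypt"

# 3. Verify: list connectors that do not enforce domain-validated TLS, and
#    confirm the encryption rule is enabled with its template attached.
Get-OutboundConnector | Where-Object { $_.TlsSettings -ne "DomainValidation" } |
    Format-Table Name, RecipientDomains, TlsSettings, TlsDomain
Get-TransportRule "Encrypt outbound PHI" |
    Format-List Name, State, SentToScope, ApplyRightsProtectionTemplate

Disconnect-ExchangeOnline -Confirm:$false
```

The first check is a review list, not a verdict: connectors to an on-premises Exchange server may legitimately use CertificateValidation, but a partner connector with no TLS setting is exactly the “optional TLS” exposure discussed above.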