Email Security: Why You’re Not as Safe as You Think

Nearly 350 billion emails are flying through the Internet every day.  That’s a ton of junk mail sure, but a lot of those emails contain your personal information such as personal health, banking and credit card numbers, addresses -you name it.  You’d be shocked to see just how much of your personal data is moving around on any given day.  You’d be even more surprised to see how much of it could be read by anyone who knew how to intercept it.

A lot of folks have just resigned themselves to their fate.  Email security? Your info is already out there and that’s that. Some of it like credit card info you provide, and a lot of your other personal information, is generated by doctors, insurance companies, and others beyond your control.  They use your personal data for their own purposes, and you can’t un-ring a bell, as they say, and just get it removed or secured easily once it is out there.

You do Have Rights

You do, however, have certain privacy protections under the law.  This is true in the US, and even more in Europe, where they have stronger privacy protections (more on that later).  Many countries have some sort of data protection laws on the books.  The main legal protection in the US comes from the 1996 Health Insurance Portability and Accountability Act, or HIPAA.  This was strengthened by 2009’s Health Information Technology for Economic and Clinical Health, or the HITECH Act.

HIPAA established your rights to have your medical records and medical insurance information kept from prying eyes.  The HITECH Act increased the penalties for HIPAA violations and incentivized doctors, hospitals, and clinics to shift from paper records to electronic record keeping.  Prior to the HITECH Act, about 10% of hospitals used electronic health records.  Today that number is over 95%.

You have other legal protections, from the Privacy Act of 1974 to 2000’s Children’s Online Privacy Protection Act (COPPA).  These generally regulate how the federal government protects data they collect on citizens and your rights regarding that data.  Non-public financial information is also protected from disclosure, and COPPA provides parents with rights over information gathered about their children.  There is also a smidgen of state laws that may afford you some extra protections depending on where you live. 

Those Laws ARE Enforced

The US Department of Health and Human Services includes an Office of Civil Rights which investigates reported HIPAA violations.  They only report on individual breaches affecting 500 or more records.  That includes almost 4500 breaches since 2009, totaling over 300 million healthcare records.  That’s nearly 95% of the population of the nation.  Most of the violations investigated by the OCR are the result of hacking.  The rate of those violations has been increasing, and now averages nearly two per day, and millions of dollars in fines are levied each year.

Where Enforcement Becomes a Gray Area

Of course, records can be exposed in a variety of ways.  They can be stored insecurely, accessed by contractors who lack clearance, or shared with the wrong people within a company.  It’s not always malicious, and often it’s not even done consciously.  Many HIPAA violations are caused by two benign thought factors -ignorance that the data needs to be protected, and mistakenly thinking that it is.

The frequency of these record exposures have plateaued in recent years as more healthcare facilities have rolled out electronic health records, but that has introduced some new challenges.  One of those is offices that continue to record patient information on paper before entering it into their record system.  Those papers are often not disposed of properly.  Another is laptops, tablets, and other portable devices which may be taken out of the office with medical records or unsecure access on them.  These incidents are prosecuted and fined -sometimes by states rather than HHS- but many don’t result in penalties.  The legal ramifications depend in part on malicious intent. 

The Last Holdouts

There are two sources of HIPAA violations and many other exposures of your personal information which stubbornly continue to be a problem.  Many people believe their emails to be encrypted when they aren’t, and many never think about the security of your information at all.  That may sound callous, but it’s not meant to be.  It’s simply the truth. 

Many employees are never trained in data security.  Are addresses sensitive?  What about customers’ names?  Balances?  Social Security Numbers?  Are they considered sensitive if the name isn’t attached?  What about different combinations of the data, say their address and payment history? All very important questions to ask.

What Information Do You Protect?

As an individual user, the answer to this question depends on where you are.  Users in the bulk of the US will have one set of answers.  Users in California, Virginia, and a few other states will have different requirements because of state laws.  European users will have a different set of requirements, the General Data Protection Regulation, or GDPR.  For instance, the GDPR doesn’t consider Social Security Numbers as sensitive since that’s a US program.  Your citizenship status is not considered sensitive except under Virginia’s law.  In Europe, your health status is protected information, but in the US, it’s only protected if attached to a name.  Information about your sex life is protected in Europe and California, but not elsewhere.  It’s a true patchwork system.

Fortunately, it falls on the employer to establish guidelines for sensitive information.  Then the employer has to train their employees how to know what needs to be encrypted and how to do so.

How Do You Protect It?

Next is the consideration of how you encrypt the information to send in an email.  That’s no small question, either.  The methods of sending encrypted emails range from dubious to aggravating, and honestly, there is no elegant solution.

In an ideal world, emails would be encrypted before leaving your computer, stay that way en route to your recipient, and then be stored on their computer in an encrypted form.  The email and any documents within it would not be able to be edited, printed, copied, or forwarded, and deleting them would not drop them into a trash folder.  These measures are to ensure hackers or viruses couldn’t access the encrypted information.  And of course, all of this would happen without the sender or receiver having to do anything special.  As they say, however, “That’s not how any of this works.”

The State of the Art… Such As It Is

At this point, there are several holes in this system.  If you use Outlook, Apple Mail, Gmail, or most common email interfaces (whether they’re on your desktop, phone, or web-based), they support Transport Layer Security (TLS).  This encrypts all outgoing emails from your computer.  Any time your email spends on a mail server waiting for the recipient to retrieve it, it is usually unencrypted.  That’s a problem.  TLS only encrypts while the email is on the move.  Once it arrives in the recipient’s mail program, the encryption is gone.

Some email providers like Microsoft and Google Workspace are HIPAA compliant.  If your company deals with sensitive information, they need to set up compliance with your mail provider.  This involves your company and the provider signing a Business Associate Agreement (BAA), as well as other steps.  Interestingly, while Apple provides encrypted storage, the company does not sign BAAs with customers and is therefore not HIPAA compliant.

Now, Let’s say your doctor sends you an email with some sensitive information.  Your doctor is HIPAA compliant, and everything is in order.  But you’re an individual, you’re not HIPAA compliant.  Your mail server probably isn’t.  That means your email lands on your mail server, where it’s unencrypted while stored.  It’s encrypted again when your mail program downloads it to your phone, then the TLS encryption ends.  That’s the problem with relying on TLS to protect sensitive information.  It only works up to a point.  This is why doctors are more likely to send you to a website to see your test results.

If Not TLS, Then What?

TLS has the benefit of being easy.  Office workers just send emails; they don’t have to do anything differently, and it requires no additional training.  But it’s only a partial solution.  There is a stronger encryption solution, but it has one significant problem -people don’t like it.

End-to-end encryption

This encryption scheme comes in two basic forms -enterprise for mid to large companies, and individual for everyone else.

The individual form requires you to download and install a program that adds commands to Outlook, Gmail, or whatever mail client you’re using.  The people you want to send sensitive information to also have to install the program on their computers.  It then walks you through creating a set of security keys.  You and your intended recipient exchange public keys (the software tells you how), and then you and that person can exchange sensitive information.  You just have to designate each email to be encrypted.

The enterprise version still requires a plugin to be installed on the computers in your office.  Then centralized software is installed on a server in the network.  Your IT department will create a set of rules used to decide what gets encrypted.  This may be a list of names of people whose mail should always be encrypted, or it may be something like enclosing the email subject line in brackets.  When the program sees you starting an email with a subject that matches the conditions, it automatically encrypts it. 

These programs will also watch your email content and designate them to be encrypted if they spot sensitive information in the body of the email.  The beauty of this type of email security is that your recipients don’t have to install anything.  That doesn’t mean they’re going to like it, though.

When you send an email via this system, the email goes to a special mail server, where it stays.  The recipient receives an email telling them they’ve received an encrypted email and gives them a link to click to read it.  They do not receive your email.  The link takes them to the security company’s website, where they can click on your email and read it there.  These emails are never unencrypted, and the data integrity is fully protected by preventing downloads, copies, and forwarding.

Now you see why people don’t like this solution.  It’s cumbersome.  Many people (to their credit) are suspicious when they receive an email with a link to click.  Companies that use these systems just have to accept a certain number of emails or calls from concerned customers or vendors who are unsure if the link is safe.

Outlook plugins don’t have the best record for stability and efficiency.  Outlook monitors for plugins causing startup delays and offers to disable any that seem to slow your system down too much.  If you choose an encryption system that relies on plugins, they can get disabled on individual computers and you might never know.  It’s up to the IT staff to monitor that situation.  If you’re a small business that relies on outside support, that in itself would constitute another flaw in your security solution.

There is a Third Way -a Few of Them, Actually

If you are an individual or a small business with very little email that calls for security, there are a few options you can consider.

Microsoft OneDrive

This is Microsoft’s cloud storage solution.  OneDrive files are stored in an encrypted format. Rather than emailing someone, if you have documents to send securely, you can save them to a OneDrive account.  You can then share them from OneDrive, designating the recipient’s email address.  You can assign them a password and even an expiration date for access if you wish. (You’ll have to send them the password somehow if you use that feature.)  OneDrive will then email them a link to the documents.  It’s cumbersome but cost-effective and secure.  You can prevent them from downloading or editing the file and restrict it from being shared further.

Encrypted Attachments

If your sensitive information is minimal and in the form of documents that need to be emailed, you do have the option to secure your Microsoft Office documents with a password.  Like the OneDrive solution, you’ll have to send the recipient the password somehow, but you can lock the documents before attaching and sending them.  This isn’t HIPAA compliant, as there are tools out there to bypass Microsoft document security.

Proton Mail

Proton Mail is the best-known of a small group of private email services.  You can create a free account (some other services charge), and you access your mailbox via their website.  You can send secure emails to other users on the same service that are encrypted end-to-end.  Your recipients also have to have an account on the same service.  The other major problem with this is that nothing notifies you of new mail.  You have to check the website to know if you have messages.

The Current State of Privacy

It seems silly, but this is the current state of encryption for email.  You would expect the people who develop the standards to have addressed this by now, but that hasn’t happened yet.  At some point, we will have a more seamless encryption system, but that isn’t happening in the immediate future.

There’s not one best answer.  The situation is too complicated for that.  The fact that there are multiple solutions is one issue.  Perhaps the larger issue is that they are not at all interchangeable.  None of them talks to the others without breaking security.  That could lead to you needing multiple solutions for multiple email recipients, or to receive from multiple senders. 

It’s a very good idea to ask your doctor’s office how they address sending sensitive information.  You at least want to know they have a system in place to keep your information private.  Then when you find yourself needing to send sensitive information, remember that you have a few options, each imperfect, and try to choose the one that will suit your situation best.

You Might Like – What is a VPN and why do you need one?