Disclosing patients' personal health information (PHI) via email without their consent or knowledge can be very alarming. We will cover the 4 risks of using encrypted email to share personal health information, after briefly discussing the following topics in this sequence:
- Email Encryption
- Types of Email Encryption
- TLS (Transport Layer Security)
- End-to-end Email Encryption
Mistyping an email address on the sender's part may disclose a patient's PHI to the wrong person. In other cases, emails carrying PHI land in the recipient's junk/spam folder, or are exposed through theft or loss because they can be opened on any device, such as a smartphone, laptop, or tablet. PHI sent by email also lacks access controls and audit trails, and it mixes with other mail, like newsletters or inquiries from other patients, which makes it hard to retain or delete reliably.
Email encryption became the answer to these problems. It protects email contents from anyone who wants access to users' information: the contents are converted into ciphertext to defend against malicious threats, and recipients need the matching private key to decrypt and read the message.
Types of Email Encryption
- TLS (Transport Layer Security)
TLS encrypts the email only while it is in transit between mail servers. On its own this is not a sufficient level of protection: it prevents the email from being read on the wire before delivery, but not once it has been stored on a server or in a mailbox.
- End-to-end Email Encryption
Here the sender encrypts the email content, and only the intended recipient can decrypt it, so the message stays protected at every step of the delivery process, including while it sits on mail servers. This type of encryption is implemented by two methods:
- PGP (Pretty Good Privacy)
PGP encrypts the email content before it is sent, using public-key cryptography. Sender and recipient each have a pair of keys for encrypting and decrypting email: a public key that is bound to the email address and can be shared with anyone, and a private key that is kept secret.
- S/MIME (Secure/Multipurpose Internet Mail Extensions)
S/MIME both encrypts the email content and attaches digital certificates and signatures to it. The encryption gives the same protection as PGP, while the digital signature authenticates the identity of the sender (person or organization), prevents the sender from disowning the message, and validates the integrity of the data being sent, assuring the recipient that the received data are exactly what the sender sent.
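To make the end-to-end model concrete, here is an added example (written for this edit, not code from the original post and not any PGP or S/MIME implementation) of the two operations the section describes: the sender encrypts to the recipient's public key and signs with their own private key, and the recipient verifies the signature before decrypting with their private key. The algorithm choices (RSA-OAEP wrapping a one-time AES-GCM key, Ed25519 for signatures), the names Identity, Seal and Open, and the sample body are all assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Identity holds one mailbox's keys: an RSA pair for receiving encrypted mail and
// an Ed25519 pair for signing outgoing mail (assumed algorithms for illustration).
type Identity struct {
	EncPriv *rsa.PrivateKey
	SigPub  ed25519.PublicKey
	SigPriv ed25519.PrivateKey
}

// NewIdentity generates fresh keys for one mailbox.
func NewIdentity() (*Identity, error) {
	encPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	sigPub, sigPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Identity{EncPriv: encPriv, SigPub: sigPub, SigPriv: sigPriv}, nil
}

// SealedMail is everything that leaves the sender. Relays and mailbox servers see
// exactly these bytes, and none of them yields the body without the recipient's private key.
type SealedMail struct {
	WrappedKey []byte // one-time AES key encrypted to the recipient's public key (RSA-OAEP)
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM ciphertext of the body
	Signature  []byte // sender's Ed25519 signature over the ciphertext
}

// newGCM builds the AES-GCM AEAD used for the body.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts body so that only the owner of recipientPub can read it and signs
// the result with the sender's private key.
func Seal(body []byte, recipientPub *rsa.PublicKey, senderPriv ed25519.PrivateKey) (*SealedMail, error) {
	aesKey := make([]byte, 32)
	if _, err := rand.Read(aesKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, body, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	return &SealedMail{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct, Signature: ed25519.Sign(senderPriv, ct)}, nil
}

// Open is the recipient's side: check the signature first, so a forged or altered
// message is rejected before any decryption, then unwrap the AES key and decrypt.
func Open(m *SealedMail, recipientPriv *rsa.PrivateKey, senderPub ed25519.PublicKey) ([]byte, error) {
	if !ed25519.Verify(senderPub, m.Ciphertext, m.Signature) {
		return nil, errors.New("signature invalid: message altered or not from the claimed sender")
	}
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, m.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap key: this private key is not the intended recipient's")
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, m.Nonce, m.Ciphertext, nil) // also fails if nonce or ciphertext were altered
}

func main() {
	clinic, _ := NewIdentity()
	doctor, _ := NewIdentity()
	relay, _ := NewIdentity() // a mail server on the path: it has keys, but not the doctor's
	body := []byte("constructed sample body: lab results for patient record [PLACEHOLDER]")
	m, _ := Seal(body, &doctor.EncPriv.PublicKey, clinic.SigPriv)
	got, err := Open(m, doctor.EncPriv, clinic.SigPub)
	fmt.Printf("doctor reads: %q (err=%v)\n", got, err)
	_, err = Open(m, relay.EncPriv, clinic.SigPub)
	fmt.Println("relay reads:", err)
	m.Ciphertext[0] ^= 0x01 // one bit flipped in transit
	_, err = Open(m, doctor.EncPriv, clinic.SigPub)
	fmt.Println("tampered copy:", err)
}
```

The relay in main stands in for a mail server: with transport-only TLS it would hold the body in plaintext, but here it holds only SealedMail and gets a decryption error because it lacks the doctor's private key. The flipped bit fails the signature check before any decryption is attempted, which is the integrity guarantee the S/MIME paragraph describes.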
4 Risks of Using Encrypted Email on Sharing Personal Health Information
- Encrypted Email Contents Can Be Hacked.
We cannot know whether, for whatever purpose, an individual or organization is eavesdropping on the email contents of your health company, a fellow practitioner, or your patient. You may feel secure because email contents with PHI can be encrypted, but encrypted data can, without a doubt, also be hacked.
With ample time and computing resources, hackers can decrypt and reveal the original email contents. An attacker who holds an encryption key can decrypt messages easily, and attackers get there by stealing encryption keys, intercepting emails before they are encrypted, or stealing them after they have been decrypted.
- Email Accounts Can Be Compromised.
A compromised email account is one accessed (physically or online) by someone other than its owner, because that person has your login details (username and password). Accounts can be compromised through attacks on websites and services, which is out of your control. Choosing weak passwords, however, also compromises your email account, as does reusing the same password across multiple services or sharing passwords with other people and devices.
Once hackers have compromised your account, they can do everything you can do with it, including things you are not supposed to do or would never want done with your email account.
Even worse, hackers can target and infiltrate certificate authorities (the organizations that issue digital certificates) and manipulate certificate information. With such certificates they can create fraudulent websites and emails that pass certificate validation.
- Email Sender, Subject, and Addressee Are Not Encrypted.
Encrypting your email scrambles its content for delivery, but the sender, the subject, and the addressee are not encrypted. Observers can see that you sent messages to and communicated with other parties at a given date and time, which may draw suspicion and unwanted attention and may itself leak PHI and other data.
- Passwords Can Be Forgotten or Get Lost.
What if the encrypted email content about a patient's PHI is urgently needed? Anyone in the health sector will have a big problem when they cannot decrypt and read encrypted email content because they have lost or forgotten their password. Using simpler keys and passwords, however, makes your data vulnerable, insecure, and accessible to anyone.
Digital certificates, on the other hand, need proper management so that they are renewed before they expire. They can be pretty expensive when you use third-party services, and authenticating digital certificates so that recipients can decrypt and view encrypted email contents can be time-consuming.
Although there are risks in using encrypted email to share personal health information, some measures can help mitigate and reduce them. Using HIPAA-compliant file sharing apps and services may help ease your worries. HIPAA, the Health Insurance Portability and Accountability Act of 1996, is a federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge.
On your end as an email account user, you can reduce risk by generating strong passwords that contain uppercase and lowercase letters, numbers, and special characters, and by never sharing passwords. Health companies and practitioners must ensure that sensitive PHI never appears in email subject lines. You also need proper management of digital certificates and safekeeping of passwords.
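As an added example (written for this edit, not from the original post) of two of the points above, that the sender, addressee, and subject stay in the clear even when the body is encrypted, and that PHI therefore must be kept out of subject lines: a constructed message with an encrypted body is parsed with Go's standard net/mail package to list what a relay or mail log sees, and a heuristic check flags subject lines that look like they carry PHI. The sample message, the rule list, and the names VisibleHeaders and SubjectFindings are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/mail"
	"regexp"
	"strings"
)

// SampleRaw is a constructed message: the body is a placeholder standing in for an
// encrypted blob (not real PGP output), but every header is ordinary plaintext.
const SampleRaw = "From: records@clinic.example\r\n" +
	"To: dr.lee@hospital.example\r\n" +
	"Subject: Patient J. Doe MRN 4471 oncology results\r\n" +
	"Date: Mon, 02 Jan 2023 09:15:00 +0000\r\n" +
	"Content-Type: multipart/encrypted; protocol=\"application/pgp-encrypted\"\r\n" +
	"\r\n" +
	"-----BEGIN PGP MESSAGE-----\r\n" +
	"(constructed placeholder ciphertext, not real PGP output)\r\n" +
	"-----END PGP MESSAGE-----\r\n"

// VisibleHeaders returns the fields that every relay, spam filter, and mail log on
// the path can read regardless of whether the body is encrypted.
func VisibleHeaders(raw string) (map[string]string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	seen := map[string]string{}
	for _, k := range []string{"From", "To", "Cc", "Subject", "Date"} {
		if v := msg.Header.Get(k); v != "" {
			seen[k] = v
		}
	}
	return seen, nil
}

// phiRule is a heuristic for PHI in a subject line. The list is illustrative and
// assumed; a real deployment would tune it to its own data.
type phiRule struct {
	name string
	re   *regexp.Regexp
}

var phiRules = []phiRule{
	{"medical record number", regexp.MustCompile(`(?i)\bMRN\b`)},
	{"clinical term", regexp.MustCompile(`(?i)\b(patient|diagnosis|lab results?|oncology|prescription)\b`)},
	{"SSN-shaped number", regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)},
	{"date-shaped value", regexp.MustCompile(`\b\d{1,2}/\d{1,2}/\d{4}\b`)},
}

// SubjectFindings lists the rules a subject line trips. An empty result means the
// subject is safe to send in the clear; anything else belongs in the encrypted
// body, with the subject replaced by something neutral.
func SubjectFindings(subject string) []string {
	var hits []string
	for _, r := range phiRules {
		if r.re.MatchString(subject) {
			hits = append(hits, r.name)
		}
	}
	return hits
}

func main() {
	h, err := VisibleHeaders(SampleRaw)
	if err != nil {
		panic(err)
	}
	fmt.Println("what an observer on the path sees:")
	for _, k := range []string{"From", "To", "Subject", "Date"} {
		fmt.Printf("  %s: %s\n", k, h[k])
	}
	if hits := SubjectFindings(h["Subject"]); len(hits) > 0 {
		fmt.Println("subject line leaks:", strings.Join(hits, ", "))
	}
	fmt.Println("neutral subject findings:", SubjectFindings("Secure message waiting"))
}
```

The body never reaches the output because nothing on the path needs it to route the message, but the subject line alone already discloses a patient name, a record number, and a clinical specialty; a neutral subject such as "Secure message waiting" trips none of the rules.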
This post has been sponsored by Searchant
Digital Health Buzz!