HIPAA Compliant email

If you are looking for a HIPAA compliant email solution for your business, make sure you understand the pitfalls. There is certainly no shortage of HIPAA compliant email solutions on the market today. I’ve seen ads for systems that fall into the freeware category all the way to full MS Exchange mailbox integration. Cloud-based computing is making hosted solutions more popular than ever. These solutions tend to be easier to roll out, less expensive and less complicated for small and medium-sized companies. If easy is what you are looking for, secure email may work for you, but if security is your priority you may want to look elsewhere.


Many encrypted secure email solutions suffer from a very simple flaw that can cause your business great harm with a single misspelling. That is correct: a single misspelling has the potential to cause a data breach that you would be obligated by law to report. Ironically, the word that could cause all this trouble is “secure”. How could this happen, you say? It is very simple; let me explain. In an effort to make sending secure email easy for the user base, many popular HIPAA compliant email systems rely on the end user to enter the subject as “secure”, which triggers routing of the email through an encryption path rather than the regular, unsecured email pathway. What if a secretary, doctor, or clerical office worker misspells the subject or simply forgets to use the subject trigger word? The email goes out unprotected, without any security, to any and all recipients. If that unsecured email contained PHI, you have just created a data breach that you are obligated by law to report.

Most employees use email every day for a variety of business-related tasks that do not involve patient data or PHI in any form. They understand that email is not secure and never to use it as such. In my opinion, adding a feature that provides the necessary security to the email, then leaving a possible data breach in the hands of the end user by way of a typo, is a recipe for disaster. Site-to-site VPN, file-level encryption, SSL, and even the good old fax machine are better options.
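To make the subject-trigger failure mode concrete, here is an added illustration (not part of the original post, and not any vendor's product): the exact-match routing described above beside a gateway-side version that tolerates misspelled trigger words and falls back to inspecting the body for PHI-looking content, so a typo or omission errs toward encryption rather than toward a breach. The Message fields, the trigger word and the PHI patterns are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed for this example: the subject keyword the post describes.
TRIGGER_WORD = "secure"

# Constructed PHI indicators; a production DLP policy would be far broader.
PHI_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                 # SSN-shaped number
    re.compile(r"\bMRN[:#\s]*\d{6,}\b", re.I),            # medical record number
    re.compile(r"\b(diagnos(is|ed)|prescri(bed|ption))\b", re.I),
]


@dataclass
class Message:
    subject: str
    body: str


def naive_route(msg: Message) -> str:
    """Routing as the post describes it: only an exact subject of 'secure'
    (case-insensitive) selects the encrypted path. A typo or a forgotten
    keyword sends the message down the plain path."""
    return "encrypted" if msg.subject.strip().lower() == TRIGGER_WORD else "plain"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to tolerate misspelled trigger words."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hardened_route(msg: Message) -> str:
    """Fail toward encryption: a near-miss of the trigger word anywhere in the
    subject, or PHI-looking content in the body, selects the encrypted path
    regardless of what the sender typed. Over-triggering on an unrelated word
    costs an unneeded encryption; under-triggering costs a reportable breach."""
    words = re.findall(r"[a-z]+", msg.subject.lower())
    if any(edit_distance(w, TRIGGER_WORD) <= 2 for w in words):
        return "encrypted"   # "secrue", "secur", "sceure" all count
    if any(p.search(msg.body) for p in PHI_PATTERNS):
        return "encrypted"   # sender forgot the keyword but the body looks like PHI
    return "plain"
```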

Encryption Requirements for HIPAA | Compliance MAP

Does your organization need a HIPAA compliance map for 2012? Many small companies, and even some large organizations, are still behind in bringing their computer systems up to the level of data security required by federal and state laws.

Don’t let your organization be the next big story on the news. Consider auditing your entire computer and network system in 2012. All end-of-life applications and operating systems should be phased out, upgraded or replaced. This includes Windows 2000 Servers, which Microsoft stopped supporting on July 13, 2010. End-of-life operating systems like WIN2k (the bread-and-butter server choice in many industries) generally present the largest challenge for organizations that have built entire systems around older technology. Layered encryption and second-level authentication should be considerations for any company that stores PHI or HIPAA protected data.

The Windows 7 Ultimate and Enterprise editions include BitLocker, which, when enabled, provides HIPAA compliant drive-level encryption. Windows XP is still the most common office desktop operating system. Many companies have been slow to embrace Windows 7 because it presents some new challenges with regard to compatibility with legacy systems. With Windows XP desktops it is necessary to deploy some form of drive-level encryption to remain compliant. TrueCrypt, open-source software, is a popular choice for drive-level encryption, and PGP is widely used at the file level. Consideration must be given to all levels of data availability. Users should only be given access to the information they require to perform their job. Creating Windows security groups to limit file access isn’t enough; a second level of authentication to protect PHI data is required. System backups need to be fully encrypted and protected, and the list goes on. Make a difference in 2012 by taking the steps to secure, document and monitor your network!