In a nutshell: Is Virtru's email recall feature worth it?

Virtru’s email recall feature revokes access when an email is sent to the wrong recipient. After weighing the feature's pros and cons in the article, Is Virtru's email recall feature worth it?, we determined that it might not be worth it for organizations looking to promote HIPAA compliance.

How the Virtru email recall feature works

The Virtru email recall feature works by first having a user send an encrypted email through Virtru. Should the sender need to retract the email, they navigate to their sent items, select the option to revoke access, and confirm this action. If the recipient tries to access the email after revocation, they're notified that access to the content has been removed, effectively preventing them from viewing the sensitive information.

The reason why Virtru’s email recall is not a benefit to your organization

Virtru has an extensive installation and activation process, requiring multiple steps and leading to confusion and inconvenience. This is followed by the need to manually activate encryption for each email, which disrupts the natural flow of composing emails. User complaints include: 

1. Customization complexity: Customizing security settings, such as disabling forwarding or setting expiration dates, adds additional decisions and clicks, complicating the email composition process.
2. Software lags and compatibility issues: Users experience lags with Virtru's software, and compatibility issues with their email systems can sometimes prevent successful recall attempts or even initial access to encrypted messages.
3. Difficulties with recipient access: Recipients without a Virtru account sometimes face difficulties opening encrypted emails, leading to communication barriers.
4. Email client crashes: Some users report that the Virtru extension causes their email client to crash multiple times a day, requiring frequent logouts and logins.
5. Clunky integration with email clients: Users find Virtru's integration with email clients like Outlook clunky, as it sometimes necessitates opening a separate web page to read emails.
6. Issues with encrypted emails opening: Recipients and senders alike face issues with opening or accessing the encrypted emails, affecting the seamless exchange of important documents.
7. Training and onboarding challenges: Organizations encounter difficulties in training staff to use Virtru effectively, with the software's aggressive filters and auto-encryption features sometimes interrupting workflows.

These issue contribute to gaps in HIPAA compliance (and the potential of a violation) customers experinece despite the use of the email recall feature. The primary examples of potential breaches that can still occur while using the Virtru email recall feature include:

• Unauthorized access to PHI due to a failure to recall an email before it is read by an unintended recipient.
• Delays in the recall process allowing the unintended recipient time to access sensitive information.
• Incompatibility issues with the recipient's email system preventing the recall from being executed properly.
• Failures in the recall process due to user error or lack of follow-up to ensure the recall was successful.
• Situations where sensitive information is downloaded or forwarded by the recipient before the recall is initiated, leading to a breach of PHI.

How virtru makes the recipient experience difficult 

With the number of email users reaching 4.37 billion by the end of 2023, it offers the ability to reach more patients in a easily accessible way. Virtru however adds additional steps to this process: 

• Receive notification
• Click to open notification
• Access secure reader
• Authenticate identity
• View the message

The result of this longer and more difficult process has far reaching results for the healthcare organizations using Virtru. 

1. Decreased engagement: The complexity and additional steps required to access emails can lead to decreased engagement from recipients. 
2. Lower open rates: Recipients who find the steps daunting or who are not immediately able to access the content might choose to ignore or delay opening the emails, impacting the effectiveness of communication efforts.
3. Delayed responses: The additional steps and potential confusion in accessing encrypted emails can result in delayed responses.

See also: Do patients read healthcare emails?

The alternative options 

1. Gmail's 'Undo Send' feature: Gmail offers an 'Undo Send' feature that allows users to retract an email within a preset time frame, up to 30 seconds after sending. 
2. Microsoft Outlook's 'Recall This Message' feature: For users within the same Exchange server environment, Outlook's 'Recall This Message' feature can delete or replace an email message before it is read by the recipient.
3. Email approval process: Implementing an email approval process involves reviewing and approving emails by a designated individual, such as an email regulator or compliance officer, before they are sent.

See also: HIPAA Compliant Email: The Definitive Guide

FAQs

Is timing important for increasing email engagement in healthcare?

Send emails at times when patients are more likely to read them, such as weekday mornings. Avoid weekends or holidays when possible. Consider patient demographics and their likely schedules when planning your email campaigns.

Is it possible to prevent sending emails to unintended recipients?

Yes it is. Always double-check the recipient's email address before sending, use email software with features like delayed sending or confirmation prompts, and implement an email approval process for particularly sensitive communications.

What is an incident response plan?

An incident response plan is a predefined set of guidelines and procedures designed to identify, respond to, and recover from cybersecurity incidents or data breaches effectively.