Is standard email encryption HIPAA compliant?

While it does provide a basic level of security, standard encryption alone typically does not cover all aspects of HIPAA's privacy and security rules. For complete compliance, healthcare providers must implement additional measures alongside standard encryption to meet HIPAA-compliant email standards.

 

What is standard email encryption? 

Standard email encryption is a security process that transforms readable emails into scrambled, unintelligible text to protect the information from unauthorized access. This transformation uses encryption algorithms, which apply complex mathematical operations to the original text. Common methods in standard email encryption include transport layer security (TLS), used by popular email providers to protect a message while it is in transit between mail servers, so that only the sending and receiving systems, and not anyone on the network path, can read its content.

In the context of HIPAA compliance, not all versions of TLS are considered secure or acceptable. Following the guidance of cybersecurity authorities, healthcare organizations should employ TLS version 1.2 or higher for email encryption. TLS 1.2, introduced in 2008, and TLS 1.3, released in 2018, incorporate improved security features and encryption protocols. Earlier versions of TLS, such as TLS 1.0 and 1.1, are no longer supported by leading security-conscious platforms due to their vulnerabilities and potential for exploitation by cybercriminals.

 

By adopting TLS 1.2 or TLS 1.3 for email encryption, healthcare providers and associated entities can ensure a higher level of security for PHI in transit, aligning with HIPAA's stringent requirements for the protection of sensitive patient information.
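The following Python is an added example, not code from the original article or from Paubox: it enforces the TLS 1.2 floor described above on an outbound SMTP connection and audits the Received: headers of a delivered message for hops that negotiated an older version or no TLS at all. The two header wordings it parses and the sample chain are assumptions constructed for illustration; real mail servers phrase these fields differently, so adapt the pattern to your environment.

```python
import re
import ssl

# Floor from the article: PHI in transit needs TLS 1.2 or higher.
MINIMUM_TLS = ssl.TLSVersion.TLSv1_2

def smtp_tls_context() -> ssl.SSLContext:
    """Client-side settings for an outbound SMTP session, e.g.
    smtplib.SMTP(host, 587).starttls(context=smtp_tls_context()).
    The default context verifies the certificate and hostname; the
    floor refuses to negotiate TLS 1.0 or 1.1 at all."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MINIMUM_TLS
    return ctx

# Two common ways MTAs record the negotiated protocol in Received: headers
# (Postfix-style "using TLSv1.2", Google-style "version=TLS1_2"). Assumed
# formats: vendors vary, so adjust the pattern for your own mail flow.
_TLS_RE = re.compile(r"(?:using\s+TLSv|version=TLS)(\d)(?:[._](\d))?", re.I)

def tls_version_of_hop(received_header: str):
    """(major, minor) of the TLS version one hop recorded, or None when the
    header carries no version (plain ESMTP, or the MTA did not log it)."""
    m = _TLS_RE.search(received_header)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)

def audit_received_chain(received_headers):
    """Walk the Received: chain (newest hop first) and flag every hop below
    the floor. Returns (hop_index, finding) pairs for the audit trail."""
    findings = []
    for i, header in enumerate(received_headers):
        version = tls_version_of_hop(header)
        if version is None:
            findings.append((i, "no TLS version recorded"))
        elif version < (1, 2):
            findings.append((i, f"TLS {version[0]}.{version[1]} below floor"))
    return findings

# Constructed sample chain (not from a real message): a TLS 1.3 hop, a hop
# that fell back to TLS 1.0, and a legacy device that sent in the clear.
SAMPLE_RECEIVED = [
    "from mx.clinic.example (mx.clinic.example [192.0.2.10]) by relay.example"
    " with ESMTPS id c0ffee (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256)",
    "from mail.partner.example ([198.51.100.7]) by mx.clinic.example (Postfix)"
    " with ESMTPS id 4XyZ (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))",
    "from scanner.partner.example ([203.0.113.5]) by mail.partner.example with ESMTP id 7Qw",
]
```

Running `audit_received_chain(SAMPLE_RECEIVED)` reports hop 1 as TLS 1.0 and hop 2 as having no TLS version recorded, the kind of evidence a HIPAA audit trail needs when a message path is questioned.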

See also: What is transport layer security (TLS)?

 

The need for inbound security in email encryption

Inbound email security actively safeguards sensitive patient information against threats such as phishing, malware, and other cyberattacks. Given the high value of their data, healthcare organizations are prime targets for cybercriminals, making inbound email security an indispensable part of their security strategy. Phishing attacks, in particular, exploit the human element, with 82% of breaches involving social engineering, errors, and misuse.

The healthcare sector, being the most cyber-attacked industry, faces unique challenges as cybercriminals devise sophisticated methods to dupe employees into compromising sensitive information. Cybercriminals target healthcare organizations to steal protected health information (PHI) for identity theft and financial fraud, or to execute targeted attacks like spear-phishing and business email compromise (BEC). Ransomware and data breaches further exacerbate the threat landscape, disrupting patient care and risking patient data loss.

See also: What is inbound email security?

 

HIPAA compliance and email encryption: A comparison 

While standard email encryption provides a foundational level of security primarily focused on encryption in transit and sometimes at rest, HIPAA requirements encompass a much broader range of security measures. 

 

Encryption techniques

Standard email encryption: Often employs encryption methods like TLS 1.2 and 1.3 to protect emails in transit.

HIPAA requirements: HIPAA doesn't specify particular encryption methods but requires them to be strong and in line with current industry standards.

 

Access control

Standard email encryption: Primarily focuses on encrypting the email content. It doesn't always include comprehensive access control mechanisms to restrict who can view the PHI.

HIPAA requirements: Requires strict access controls, ensuring that only authorized personnel can access PHI. This includes unique user identification, emergency access procedures, and automatic logoff features.

 

Audit controls

Standard email encryption: Typically lacks comprehensive audit controls that track access and alterations to PHI.

HIPAA requirements: Mandates detailed audit trails, documenting access to PHI, what changes were made, and by whom. This ensures a higher level of accountability and traceability.

 

Business associate agreement (BAA)

Standard email encryption: Email service providers may not be willing to sign a BAA, which is necessary for HIPAA compliance.

HIPAA requirements: Covered entities must have a BAA with any third-party service providers, including email encryption services, ensuring they adhere to HIPAA's privacy and security rules.

See also: HIPAA Compliant Email: The Definitive Guide

 

Risk analysis and management

Standard email encryption: Does not inherently include risk analysis or management tools.

HIPAA requirements: Requires regular risk assessments and implementation of security measures to reduce risks and vulnerabilities to a reasonable and appropriate level.

See also: How to perform a risk assessment

 

FAQs

What does HIPAA say about email communication?

HIPAA requires that email communication containing PHI must be secure and compliant with privacy and security standards, including encryption and access controls.

 

How can healthcare providers ensure their email practices are HIPAA compliant?

Healthcare providers can ensure HIPAA compliance in email practices by using encrypted email services, implementing strong access controls, and regularly training staff on HIPAA regulations and secure email protocols.

 

What is email phishing?

Email phishing is a cyberattack that uses a disguised email as a weapon to trick the recipient into believing that the message is something they want or need — such as a request from their bank, for example, or a note from someone in their company — and to click a link or download an attachment.
