Earlier this year we published a report detailing how Google Workspace allows obsolete versions of TLS to be used when sending email. The report also detailed a litany of scenarios in which Microsoft 365 customers send unencrypted email over the internet. Both are potential HIPAA violations.
Back in 2021, we led the way for email security in healthcare by eliminating support for obsolete TLS protocols on our platform.
In other words, steps we took over four years ago to secure email on the internet are still being ignored by Google and Microsoft.
We are therefore pleased to announce that we have taken another step forward in HIPAA compliant email: we no longer treat a recipient mail server that presents an expired or self-signed SSL certificate as an acceptable encrypted path.
This post explains what we did, what changed, and plans going forward.
In a nutshell, our patented approach to HIPAA compliant email is to make sure a message is never sent over an obsolete or non-existent encryption protocol.
In other words, if a Paubox customer sends an email to a recipient whose mail system does not support TLS encryption, or supports only obsolete versions of TLS, the message and any attachments are automatically diverted to the Paubox Secure Message Center (SMC) rather than sent over that connection.
By the same logic, if a recipient's mail system offers TLS but presents a self-signed SSL certificate, we now automatically divert the message to the Paubox SMC. If the recipient's mail system presents an expired SSL certificate, the message (and any attachments) is likewise diverted to the Paubox SMC.
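The routing rule described above, as an added Python example that is not Paubox's code: a policy function decides, from what an outbound STARTTLS attempt observed, whether a message may go over that session or must be diverted to a secure portal, plus a probe that gathers those observations from a live MX host. The TLS version floor, the `TlsObservation` record, the route name "portal" (standing in for the SMC) and the probe's behaviour on old servers are assumptions of this example, not details from the post.

```python
import smtplib
import ssl
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Policy knob assumed for this example (not Paubox's published configuration):
# anything older than TLS 1.2 counts as obsolete.
ACCEPTED_TLS_VERSIONS = {"TLSv1.2", "TLSv1.3"}

# OpenSSL X509 verify-result codes that ssl.SSLCertVerificationError exposes
# as .verify_code (values from openssl/x509_vfy.h).
X509_V_ERR_CERT_HAS_EXPIRED = 10
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 19


@dataclass
class TlsObservation:
    """What one outbound SMTP connection to a recipient's MX host told us."""
    starttls_offered: bool
    protocol: Optional[str] = None         # as ssl.SSLSocket.version() reports it, e.g. "TLSv1.0"
    verify_code: Optional[int] = None      # None when the chain verified, else the OpenSSL code
    not_after: Optional[str] = None        # getpeercert()["notAfter"], e.g. "Jan 1 00:00:00 2020 GMT"
    handshake_error: Optional[str] = None  # non-certificate TLS failure text, if any


def route_message(obs: TlsObservation, now: Optional[float] = None) -> Tuple[str, str]:
    """Return ("tls", reason) if the observed session is acceptable for the
    message, or ("portal", reason) if it must be diverted to the secure portal.
    Order matters: no STARTTLS and handshake failures are decided before
    certificate problems, which are decided before the protocol-version check."""
    now = time.time() if now is None else now
    if not obs.starttls_offered:
        return "portal", "recipient MX does not offer STARTTLS"
    if obs.handshake_error:
        return "portal", f"TLS handshake failed: {obs.handshake_error}"
    if obs.verify_code in (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
                           X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN):
        return "portal", "recipient MX presented a self-signed certificate"
    if obs.verify_code == X509_V_ERR_CERT_HAS_EXPIRED:
        return "portal", "recipient MX certificate has expired"
    if obs.verify_code is not None:
        return "portal", f"certificate chain failed verification (OpenSSL code {obs.verify_code})"
    if obs.protocol not in ACCEPTED_TLS_VERSIONS:
        return "portal", f"obsolete TLS version negotiated: {obs.protocol}"
    # Re-check expiry from the leaf certificate's notAfter even when OpenSSL
    # accepted the chain, so a certificate that lapsed between handshake and
    # delivery is still caught.
    if obs.not_after is not None and ssl.cert_time_to_seconds(obs.not_after) <= now:
        return "portal", "recipient MX certificate has expired"
    return "tls", f"verified chain, {obs.protocol}"


def probe_mx(host: str, port: int = 25, timeout: float = 10.0) -> TlsObservation:
    """Connect to an MX host, attempt STARTTLS with full chain and hostname
    verification, and record what was negotiated. Needs network access, so it
    is not exercised by the offline checks; the default context refuses
    anything below TLS 1.2, so an obsolete-only server shows up as a
    handshake error rather than as a negotiated old version."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus check_hostname=True
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return TlsObservation(starttls_offered=False)
        try:
            smtp.starttls(context=ctx)
        except ssl.SSLCertVerificationError as e:
            return TlsObservation(starttls_offered=True, verify_code=e.verify_code)
        except ssl.SSLError as e:
            return TlsObservation(starttls_offered=True, handshake_error=str(e))
        return TlsObservation(
            starttls_offered=True,
            protocol=smtp.sock.version(),
            not_after=smtp.sock.getpeercert().get("notAfter"),
        )


if __name__ == "__main__":
    # Constructed observations standing in for real probes of several MX hosts.
    samples = {
        "no-starttls": TlsObservation(starttls_offered=False),
        "self-signed": TlsObservation(starttls_offered=True, verify_code=18),
        "expired": TlsObservation(starttls_offered=True, verify_code=10),
        "tls1.0": TlsObservation(starttls_offered=True, protocol="TLSv1.0"),
        "good": TlsObservation(starttls_offered=True, protocol="TLSv1.3",
                               not_after="Jan 1 00:00:00 2030 GMT"),
    }
    for name, obs in samples.items():
        print(name, route_message(obs, now=1_700_000_000))
```

A real mail relay would run `probe_mx` against every host returned by the recipient domain's MX lookup and pass the observation into `route_message` before handing the message to the transport; the `verify_code` path is where self-signed and expired certificates are distinguished from each other and from other chain failures such as a hostname mismatch.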
Here's a list of SSL certificate scenarios and how Paubox supports them:
There is no additional charge to take advantage of this rollout.
The work we do around HIPAA compliant email is important. As the internet continues to mature, we will continue to lead the way on future email security improvements.