Even before HIPAA and its strict requirements regarding electronic personal health information (ePHI), the inherent openness and insecurity of email systems were a concern. Designed at the outset to be simple and accessible, email security is now a constant worry, and strategies to secure email are in high demand. There are several business best practices for email to prevent data loss, and email encryption protocols like transport layer security (TLS) are an industry standard. As you search for email encryption options, you may come across the term S/MIME.
What is S/MIME?
S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and is itself an extension of MIME. MIME was introduced in 1992. It was one of the first efforts to expand the capabilities of email beyond plain text, allowing for different character sets and file attachments—things we all take for granted today. S/MIME is a standard and common method of securing email messages. Its roots reach back to 2002, with development largely attributed to RSA Security, one of the first computer and network security companies. Because S/MIME has been around for so long, it is supported by essentially all email applications and services. Installing and managing it can be complex, however.
What are the requirements of S/MIME?S/MIME is based on public key cryptography. This form of encryption is widely understood by computer scientists, but is difficult to explain to the average person. Key components include certificate authorities, certificates, public and private keys, key escrow and exchange systems and signatures. For example, while Google's commercial email service supports S/MIME, using it requires a third-party security certificate for the organization, as well as a certificate for each individual email address. And to establish a secure email connection, both sender and receiver will need to exchange encryption keys. If either party doesn't have S/MIME configured or doesn't have the other party's key, S/MIME will not work, and the email will not be delivered. System administrators can configure their email systems to require S/MIME, and ensure that everyone within the organization has the correct configuration. But once you start to exchange emails with outside parties, S/MIME support cannot be guaranteed. In short, using S/MIME requires careful and attentive management of several moving parts, and thus expertise that is not always available to smaller companies and organizations.
What happens if S/MIME fails?
If a S/MIME encrypted message is sent to a recipient that doesn't support S/MIME, it gets bounced back to the sender. When this happens, the sending system often falls back to TLS to secure and resend the message.
TLS is widely supported by email systems and operates more seamlessly for the average user than S/MIME. But until everyone is using an email provider that supports TLS, there is still the chance your message can be intercepted. That's why using a HIPAA compliant email provider like Paubox is important for covered entities to consider.
What does Google have to say about S/MIME?We contacted the technical support team at Google and asked them whether S/MIME can actually hinder productivity if recipients don't support it. “Yes, it will be counterproductive if the recipient does not support S/MIME," they replied. "This is why we recommend using it with specific situations with specific senders/recipients and not for everyday communication which TLS covers in terms of security.”
Can you use S/MIME with other forms of email security?S/MIME is tailored for end-to-end email security. It is not possible to have a third party inspecting email for malware and also have secure end-to-end communications because encryption will not only encrypt the messages, but also the malware. In other words, if email is not scanned for malware anywhere but at the endpoints, such as a company's gateway, encryption will defeat the detector and successfully deliver the malware.
S/MIME is a well-established and trusted method to secure email communications. From an administrative standpoint, however, configuring, maintaining, and supporting S/MIME can take more talent and resources than are available to a particular organization. When S/MIME fails, senders typically resort to TLS instead, so TLS-based secure email systems like Paubox are often a better option.
With no certificates, key exchanges, or web portals, Paubox makes HIPAA compliant email both simple and affordable.