Skip to the main content.
Talk to sales Start for free
Talk to sales Start for free

6 min read

What is StartTLS?

What is StartTLS?

Email serves as a vital channel for sharing sensitive patient information, coordinating care, and even transmitting lab results. However, the sensitive nature of healthcare data makes it a prime target for cybercriminals. This elevates the need for robust email security measures, one of which is StartTLS.

StartTLS is a protocol command that is instrumental in safeguarding email communications. It serves as a mechanism to upgrade an insecure email connection to a secure one, employing encryption protocols like Transport Layer Security (TLS) or Secure Sockets Layer (SSL). Given HIPAA's stringent regulations, understanding and implementing strong encryption protocols is an absolute must for compliance. 


What is StartTLS?

StartTLS is a protocol command used in email communication to upgrade an initially insecure connection to a secure one. It does so by using encryption protocols like Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL). When an email client, such as Microsoft Outlook or Gmail, communicates with an email server, it can use the StartTLS command to request that all subsequent communication be encrypted.

This is particularly crucial in healthcare settings where emails often contain sensitive patient information, lab results, or confidential consultations. Utilizing StartTLS ensures that this data is encrypted during transmission, making it extremely difficult for unauthorized parties to intercept or manipulate the information.

Moreover, StartTLS is compatible with commonly used email protocols like Simple Mail Transfer Protocol (SMTP) and Internet Mail Access Protocol (IMAP), making it a versatile choice for various email systems within healthcare organizations.

Note: In this context, a "protocol" is basically a set of rules and guidelines that dictate how data is transmitted over the internet.


How does StartTLS work?

Understanding the mechanics of StartTLS can provide healthcare professionals with valuable insights into how email security is achieved, especially when dealing with sensitive patient data. So, how does StartTLS work?

  1. Initial Connection: When an email client initiates communication with an email server, the connection starts as unencrypted. This is the stage where StartTLS comes into play.
  2. Protocol Handshake: The email client sends a command, often "EHLO," to the server to indicate that it would like to use Extended SMTP, a more advanced version of the Simple Mail Transfer Protocol (SMTP).
  3. StartTLS Request: The client then sends the "STARTTLS" command to the email server, asking if StartTLS is supported.
  4. Server Response: If the server supports StartTLS, it will respond with a message like "go ahead," signaling that the connection can be upgraded to a secure one.
  5. Encryption: At this point, both the client and server negotiate the encryption settings, and the connection becomes secure. All subsequent email communication is encrypted, ensuring the confidentiality and integrity of the data being transmitted.
  6. Data Transmission: Once the secure connection is established, the email client can proceed to send emails, which will be encrypted during transit.

This process is particularly important in healthcare, where the secure transmission of electronic Protected Health Information (ePHI) is not just a best practice but a legal requirement under HIPAA. By using StartTLS, healthcare organizations can ensure that their email communications are in compliance with these regulations, thereby reducing the risk of data breaches and unauthorized access to sensitive information.



The choice between using TLS and its predecessor, SSL, is a matter of compliance and security. So, what's the difference between TLS and SSL, and which should you use?

  1. Historical context: SSL was the original encryption protocol for securing web and email communications. However, it has been largely replaced by its more secure successor, TLS.
  2. Security levels: TLS offers enhanced security features compared to SSL. SSL versions like SSLv2 and SSLv3 have been deprecated due to vulnerabilities, making TLS the more secure option.
  3. Version compatibility: Both the email client and server need to agree on which version to use. For instance, if the client supports TLSv1.3 but the server only supports up to TLSv1.2, both parties will need to use TLSv1.2 for secure communication.
  4. HIPAA compliance: Given the stringent requirements of HIPAA for securing electronic Protected Health Information (ePHI), using the latest version of TLS is generally recommended for healthcare organizations to ensure compliance.
  5. Recommendation: While StartTLS can work with both TLS and SSL, the current best practice, especially in healthcare settings, is to use TLS. This ensures a higher level of security and better aligns with compliance requirements.


Which port should you use?

When implementing StartTLS in a healthcare setting, the right port for email transmission can impact compliance and security.

Note: In computing, a "port" is a virtual endpoint for communications in a network. Think of it as a specific "door" through which data enters or leaves a computer.

So, which port should you use for StartTLS?

  1. Port 587: This is the most commonly used port for StartTLS and is often required for sending secure email. It's the recommended choice for most healthcare organizations.
  2. Port 25: Originally designed for mail transfer rather than submission, this port is less commonly used for StartTLS. Some Internet Service Providers (ISPs) may block email sent through this port, making it less reliable.
  3. Port 465: This is the second most commonly used port for StartTLS. However, it's worth noting that this port was originally assigned for SSL and has been re-purposed for StartTLS.
  4. Port 2525: An alternative to port 587, this port can also be used for StartTLS but is less commonly supported by email servers.
  5. Compliance considerations: HIPAA doesn't specify which port must be used, but it does require that ePHI be transmitted securely. Therefore, choosing a port that is widely accepted for secure email transmission is crucial for compliance.
  6. Using a HIPAA compliant email service: If managing ports and encryption settings seems daunting, healthcare organizations can opt for a HIPAA compliant email service like Paubox. Such services take care of the technical details, ensuring that your email communications are secure and compliant without requiring you to worry about port configurations.
  7. Recommendation: For healthcare organizations that prefer to manage their own email systems, port 587 is generally the safest and most reliable option for implementing StartTLS. A HIPAA compliant email service like Paubox can be an excellent alternative for those looking for a hassle-free solution.


Opportunistic vs. Enforced TLS

In the healthcare sector, the approach to email encryption can vary based on organizational needs and compliance requirements. Two commonly used methods for setting up email encryption are Opportunistic TLS and Enforced TLS. 

  1. Opportunistic TLS: This approach allows the email client to deliver on the highest encryption level that the recipient server accepts. If the recipient server does not support TLS, the email will be sent in an unencrypted, plain text form. While this method is flexible, it may not be the best fit for healthcare settings where the secure transmission of sensitive data is non-negotiable.
  2. Enforced TLS: This method requires that all email communication be sent over a secure, encrypted connection. If the recipient server does not support TLS, the email will not be sent. This approach is more secure but may result in some emails being undeliverable if the recipient server is not configured for TLS.
  3. Compliance considerations: HIPAA mandates the secure transmission of electronic Protected Health Information (ePHI). Therefore, Enforced TLS is generally the recommended approach for healthcare organizations to ensure compliance and the highest level of security.
  4. Using a HIPAA compliant email service: Services like Paubox offer Enforced TLS as a standard feature, relieving healthcare organizations from the technical complexities of setting up and managing secure email communication. Paubox also has a fallback option if the recipient server does not support TLS. 
  5. The fallback solution: If a recipient's email system does not provide adequate levels of TLS encryption, Paubox detects this and uploads the message to the Paubox Secure Message Center. This is done automatically.
  6. Recommendation: Given the sensitive nature of healthcare data and the stringent requirements of HIPAA, Enforced TLS is usually the better choice for healthcare organizations.


Other TLS Use Cases

While we've focused on using StartTLS in the context of email security for healthcare organizations, TLS has broader applications. Here are some other areas where TLS is commonly used:

  1. Web browsing: TLS is the technology behind the "https" in web addresses, ensuring secure communication between web browsers and servers.
  2. File transfers: TLS is often used in File Transfer Protocol Secure (FTPS) to encrypt files during transfer, which is particularly important when dealing with sensitive healthcare data.
  3. Virtual Private Networks (VPNs): Many VPN services use TLS to secure the data tunnel between the user and the VPN server.
  4. APIs: Application Programming Interfaces (APIs) that handle sensitive data often use TLS for secure data transmission.
  5. IoT devices: With the increasing use of Internet of Things (IoT) devices in healthcare, like remote patient monitoring systems, TLS is often employed to secure data transmissions.
  6. Telemedicine: As telehealth services become more prevalent, TLS secures video and data transmissions between healthcare providers and patients.

Whether securing patient records, telemedicine sessions, or API calls, TLS plays a role in safeguarding digital interactions in the healthcare landscape.


Why is StartTLS important?

  1. Data integrity: StartTLS ensures that the data being transmitted remains unaltered, maintaining the integrity of sensitive healthcare information.
  2. Confidentiality: By encrypting email communications, StartTLS helps to keep confidential patient data secure, preventing unauthorized access.
  3. Compliance: HIPAA and other healthcare regulations mandate the secure transmission of electronic Protected Health Information (ePHI). Using StartTLS is a significant step toward meeting these compliance requirements.
  4. Patient trust: Secure email communication is not just a technical requirement but also a factor contributing to building and maintaining patient trust.
  5. Risk mitigation: Implementing StartTLS can significantly reduce the risk of data breaches, which can have severe financial and reputational consequences for healthcare organizations.
  6. Ease of implementation: With HIPAA compliant email services like Paubox, implementing StartTLS is straightforward, relieving healthcare providers from the complexities of setting up secure email systems.
  7. Universal compatibility: StartTLS is compatible with most email systems and can be implemented without requiring specialized hardware or software.


Drawbacks to look out for

  • Not end-to-end encrypted: StartTLS encrypts the data during transmission but does not provide end-to-end encryption. This means that the data could potentially be accessed on the email server. To remain HIPAA compliant, ensure that emails are also encrypted at rest.
  • Configuration complexity: Incorrectly configuring StartTLS can lead to vulnerabilities. 
  • Compliance risks: Using Opportunistic TLS, as opposed to Enforced TLS, can pose a compliance risk, especially when dealing with HIPAA regulations.
  • Third-party solutions: While services like Paubox offer a simplified approach to implementing StartTLS, organizations that manage their own email systems must be vigilant about keeping their configurations up to date to mitigate these drawbacks.


How to test StartTLS

  1. Consult your IT team: The first step is to consult your IT department or service provider to ensure that StartTLS is enabled on your email server.
  2. Use testing tools: Various online tools are available to test if StartTLS is working correctly. These tools can provide a detailed report on the security settings of your email server.
  3. Check email headers: After sending a test email, you can examine the email headers to confirm that the message was encrypted using StartTLS.
  4. Compliance audits: Regularly conducting compliance audits can help ensure your email system remains secure and compliant with healthcare regulations like HIPAA.
  5. Consider a HIPAA compliant email service: For a hassle-free solution, healthcare organizations can opt for a HIPAA compliant email service like Paubox.

Learn moreHow to verify an email is encrypted

Subscribe to Paubox Weekly

Every Friday we'll bring you the most important news from Paubox. Our aim is to make you smarter, faster.