Technology is rife with acronyms, and they're prevalent in the cybersecurity field, especially where technology and government collide. We've covered HIPAA, of course, and EMR v. EHR, PHI and ePHI, SMTP relays, MX records, DNSSEC, VPNs and APIs. And we report on agencies like the DHS, FBI, NSA, CISA and the NCSC. But the three letters we've probably used most often are TLS, which stands for Transport Layer Security. But what does that mean?
Today's main privacy protocol
Digital information is usually secured through encryption, scrambled via complex mathematics to be made unreadable and inaccessible without the correct key, or passphrase. TLS is the most common method to secure communications among computers or over networks. It's a cryptographic protocol that's perhaps best known for adding the "S" to HTTPS, ensuring your connections to websites are encrypted and secure. It's the successor to Secure Sockets Layer, or SSL, which is still often mentioned in the same breath. SSL was developed by Netscape Communications, maker of one of the first web browsers, and was in wide use in the mid-1990s. The TLS standard was first proposed in 1999 by the Internet Engineering Task Force (IETF), and is still in use today.
How does TLS work?
In order to encrypt information in transit, both sender and receiver must use the same keys to scramble and unscramble the data. The sending computer offers what is called a handshake, proposing that TLS be used to secure the connection with the receiving machine. If the receiving machine supports TLS, both computers trade encryption keys and exchange data. If the receiving machine does not support TLS, the handshake fails, in which case alternative methods to secure data need to be used to maintain encryption.
Keeping up with TLS updates
Cybersecurity involves a never-ending cycle of security upgrades and security exploits, with hackers working constantly to circumvent and defeat data protection measures. As we mentioned, TLS came after SSL, and while TLS has now been around for more than 20 years, it has been updated several times. The NSA recently recommended that security professionals stop using TLS 1.0 (from 1999) and TLS 1.1 (from 2006), and instead use only TLS 1.2, released in 2008, or TLS 1.3, which came out in 2018. Notably, even though TLS 1.2 is still considered current, it is a standard that is still more than 12 years old.
Following NSA guidelines, Paubox no longer supports TLS 1.0 and TLS 1.1 on its platform, and as announced last year at the Paubox SECURE @ Home conference, Paubox now uses TLS 1.3 encryption for all of its solutions, including Paubox Email Suite, Paubox Marketing, and Paubox Email API. When you send encrypted email via Paubox, our platform automatically chooses TLS 1.3 as the default encryption choice, an upgrade that helps maintain our position as the market leader for HIPAA compliant email.
Is HIPAA compliance possible without TLS?
But what happens when an email recipient doesn't support encryption? Paubox has patented its unique approach to email security and encryption, particularly when sending email to addresses that don't support TLS. If a TLS connection cannot be established, Paubox stops your message from being delivered in plain text. Instead, recipients get an email telling them to click on a link to view the message and reply via a secure HTTPS website. In today's healthcare environment, guaranteed TLS encryption is essential for email security. You can use our free Secure Email Checker to check if your email system supports TLS.