Skip to content

Office 365 Email Encryption for Regulation Compliance


Regulation Compliance

Photo of the U.S. Supreme Court building with reflection in foreground fountain.

From our last Experience The Possible event, the office manager of a local medical office asked about securing e-mail for health, employee, and payment information. Many pundits state that “technically” it is not a violation to e-mail Protected Health Information (PHI), especially if the patient has initiated communication using e-mail. However, all e-mail that is not encrypted via a secure portal may be intercepted or read by unauthorized parties which is a clear HIPAA violation. (HIPAA Security Rule requirements at 45 C.F.R. Part 164, Subpart C)

In fact, many organizations mistakenly believe e-mails are being “magically” encrypted and still rely on legacy technology like Transport Layer Security (TLS) and Secure Sockets Layer (SSL) which have various vulnerabilities:

  1. TLS only secures e-mail transmission from the sender’s device to the corporate mail server, but emails intended for external recipients are transferred via servers outside the organization where encryption cannot be guaranteed.
  2. Another known weakness of TLS is that systems can be configured with “optional TLS”, as opposed to “mandatory TLS”. Optional TLS configured servers forward messaged unencrypted and exposed to breach.
  3. SSL is based upon certificates which most organization fail to register or validate with a public third-party SSL certificate provider, thus invalidating certificate use and transmitting messaged unencrypted and exposed to breach.
  4. Many organizations also neglect to renew valid third-party SSL certificates which also renders messages unencrypted.
  5. Since neither technology offers end-to-end encryption, both are susceptible to interception using the man-in-the-middle attack. (https://msdn.microsoft.com/en-us/library/cc247407.aspx)
Using Office 365 E3, we can quickly demonstrate how e-mail encryption works at a high level. There is some minor Office 365 email encryption setup beforehand, but the video below will show how to create a basic encryption rule and how to send encrypted e-mail.

Since 2010, Microsoft has been the largest provider of encrypted e-mail in the world. The built-in Office 365 security features including encrypted e-mail offer the following advantages:

  • Send encrypted email messages to anyone, regardless of the recipient’s email address.
  • Eliminate the need for certificates and use a recipient’s email address as the public key.
  • Enhance the security of subsequent email responses by encrypting each message in the thread.
  • Email decrypted and read with confidence, without installing client software.
  • Encryption process is transparent to the sender, who does not need to do anything other than write and send the message as usual.

https://technet.microsoft.com/en-us/library/dn569286.aspx

Enter your email address to follow this blog and receive notifications of new posts by email.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: