    encrypted email options?

    IT Discussion
    Tags: email encryption, o365, m365
    63 Posts, 10 Posters, 7.7k Views
      scottalanmiller @VoIP_n00b

      @VoIP_n00b said in encrypted email options?:

      @scottalanmiller said in encrypted email options?:

      But secure email is the universal default today.

      🤔

      GMail, Zoho, O365, Yahoo... all business class, and all serious consumer, and nearly all totally crappy services today are encrypted by default. It's almost exclusively "punish end users for being total idiots and never listening to anyone" systems like Cox "freebie email for cable subscribers" that there is absolutely no excuse for anyone to ever have used, let alone to still use, that once in a while don't encrypt. And really, that's the least of the problems there.

        Obsolesce @Dashrender

        @Dashrender well there you have it. The solution is to do nothing, because your email is already secure and encrypted LOL!

          1337 @scottalanmiller

          @scottalanmiller said in encrypted email options?:

          That's secure email. That it's transparent makes it even more powerful. My point has been for years - all standard email is fully secure.

          Well, it doesn't prevent your email provider from reading your emails. Google and their ilk will use your emails to profile you and whomever you email. So when your doctor sends an email about your cancer treatment, you are going to start seeing ads about that on every site.

          You'll get a much higher degree of security when you have real encrypted email and especially so when the email provider doesn't have your private key to decrypt. But then any web mail solution is out.

          OpenPGP for instance requires both a private key and a passphrase to be able to decrypt emails. Works great with native email clients that support OpenPGP. But I wouldn't want to be the guy supporting that for general end users.

            Obsolesce @1337

            @Pete-S said in encrypted email options?:

            @scottalanmiller said in encrypted email options?:

            That's secure email. That it's transparent makes it even more powerful. My point has been for years - all standard email is fully secure.

            Well, it doesn't prevent your email provider from reading your emails. Google and their ilk will use your emails to profile you and whomever you email. So when your doctor sends an email about your cancer treatment, you are going to start seeing ads about that on every site.

            You'll get a much higher degree of security when you have real encrypted email and especially so when the email provider doesn't have your private key to decrypt. But then any web mail solution is out.

            OpenPGP for instance requires both a private key and a passphrase to be able to decrypt emails. Works great with native email clients that support OpenPGP. But I wouldn't want to be the guy supporting that for general end users.

            Yeah, it doesn't prevent an attacker from reading emails that manage to get your email credentials.

              IRJ @1337

              @Pete-S said in encrypted email options?:

              @scottalanmiller said in encrypted email options?:

              That's secure email. That it's transparent makes it even more powerful. My point has been for years - all standard email is fully secure.

              You'll get a much higher degree of security when you have real encrypted email and especially so when the email provider doesn't have your private key to decrypt. But then any web mail solution is out.

              You can do BYOK (Bring your own key) with OME.

              It can use Azure Key Vault storage. So you could even use a hardware module of your choosing that you host and connect to Azure.

                thecreaitvone91

                OME is what we use; we have rules set up to encrypt if you put [encrypt] in the subject line.

                  scottalanmiller @1337

                  @Pete-S said in encrypted email options?:

                  @scottalanmiller said in encrypted email options?:

                  That's secure email. That it's transparent makes it even more powerful. My point has been for years - all standard email is fully secure.

                  Well, it doesn't prevent your email provider from reading your emails. Google and their ilk will use your emails to profile you and whomever you email. So when your doctor sends an email about your cancer treatment, you are going to start seeing ads about that on every site.

                  You'll get a much higher degree of security when you have real encrypted email and especially so when the email provider doesn't have your private key to decrypt. But then any web mail solution is out.

                  OpenPGP for instance requires both a private key and a passphrase to be able to decrypt emails. Works great with native email clients that support OpenPGP. But I wouldn't want to be the guy supporting that for general end users.

                  Of course, but that's a choice by the end user to choose a service that they opted into to share that information.

                  With Zix, for example, they have your key.

                  PGP/GPG options are definitely way, way more secure. And they use real email to do it. But no one likes them.

                    Dashrender @scottalanmiller

                    @scottalanmiller said in encrypted email options?:

                    @Dashrender said in encrypted email options?:

                    OME - this works like most other secure email solutions out in the market today (I'm looking at you Zix): email contents are sent to a web portal, an email is sent to the recipient with a link to the web portal, they create a logon to the web portal for now and future use of message retrieval.

                    This is the most common option... when this isn't what you want. You have to understand this is NOT email. So this is the same as "not doing what we were told to do." Now 99% of the time, the job is to treat end users as confused and do what they want, not what they say, but it's also important to know when you are doing that. This is no different, except it is automated, than moving people to DropBox or NextCloud, that's all that it is. It's cloud storage with a web interface, not email.

                    If your doctor asks you for secure email, the answer is "he's an idiot, just do this." If I ask you for secure email and you give me this, it's insubordination for intentionally avoiding the only requirement.

                    Exactly - you and I both know they don't want actually secure email - there is too much effort to make that work (see key discussion). They want the automated solution. But you try to explain that to most of them and they simply don't care, they just stop listening. Some might go so far as to say - you know how so and so's works? Yeah, I want that - which in 99% of cases is OME.

                    Now all that said - one local hospital system recently switched away from Zix. Their new provider verifies TLS, and if present at an allowable cipher, it just sends the message; otherwise, it portalizes it.

                    1 Reply Last reply Reply Quote 0
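
The "verify TLS, otherwise portalize" routing described in the post above, as an added example (not code from the thread or from any vendor's product). The policy floor `MIN_TLS`, the weak-cipher token list, the `require_valid_cert` switch and the function names are assumptions made for illustration; the sample probes are constructed.

```python
import re
import smtplib
import ssl

TLS_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MIN_TLS = "TLSv1.2"  # assumed policy floor, not stated in the thread
# Assumed deny-list, matched against the parts of an OpenSSL cipher name.
WEAK_TOKENS = {"RC4", "DES", "CBC3", "NULL", "EXP", "EXPORT", "MD5", "ADH", "AECDH"}


def probe_mx(host, port=25, timeout=10):
    """Connect to a recipient MX and record what STARTTLS actually negotiates."""
    result = {"starttls": False, "tls_version": None, "cipher": None,
              "cert_valid": False, "error": None}
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return result  # server never advertised STARTTLS
            result["starttls"] = True
            smtp.starttls(context=ctx)
            result["tls_version"] = smtp.sock.version()
            result["cipher"] = smtp.sock.cipher()[0]
            result["cert_valid"] = True  # handshake passed verification
    except ssl.SSLCertVerificationError as exc:
        result["error"] = f"certificate: {exc.verify_message}"
    except (OSError, smtplib.SMTPException) as exc:
        result["error"] = str(exc)
    return result


def decide_delivery(probe, require_valid_cert=True):
    """Return ("direct" | "portal", reason) for one probe result."""
    if not probe.get("starttls"):
        return ("portal", "recipient MX does not offer STARTTLS")
    if require_valid_cert and not probe.get("cert_valid"):
        return ("portal", "certificate did not validate")
    version = probe.get("tls_version")
    if version not in TLS_ORDER or \
            TLS_ORDER.index(version) < TLS_ORDER.index(MIN_TLS):
        return ("portal", f"TLS version {version} below {MIN_TLS}")
    cipher = probe.get("cipher") or ""
    tokens = set(re.split(r"[-_]", cipher.upper()))
    if not cipher or tokens & WEAK_TOKENS:
        return ("portal", f"cipher {cipher or 'unknown'} not allowed")
    return ("direct", f"{version} with {cipher}")


# Constructed probe results, shaped like probe_mx() output, so this runs offline.
SAMPLE_PROBES = {
    "modern":   {"starttls": True, "tls_version": "TLSv1.3",
                 "cipher": "TLS_AES_256_GCM_SHA384", "cert_valid": True},
    "no_tls":   {"starttls": False, "tls_version": None,
                 "cipher": None, "cert_valid": False},
    "old_tls":  {"starttls": True, "tls_version": "TLSv1",
                 "cipher": "ECDHE-RSA-AES256-SHA", "cert_valid": True},
    "weak":     {"starttls": True, "tls_version": "TLSv1.2",
                 "cipher": "DES-CBC3-SHA", "cert_valid": True},
    "bad_cert": {"starttls": True, "tls_version": "TLSv1.2",
                 "cipher": "ECDHE-RSA-AES128-GCM-SHA256", "cert_valid": False},
}

if __name__ == "__main__":
    for name, probe in SAMPLE_PROBES.items():
        action, reason = decide_delivery(probe)
        print(f"{name:9s} -> {action:6s} ({reason})")
```

Because the fallback is a portal rather than a bounce, a recipient whose provider lacks TLS still gets the message, which is the failure mode "require TLS" alone does not handle.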
                      Dashrender @Obsolesce

                      @Obsolesce said in encrypted email options?:

                      @scottalanmiller said in encrypted email options?:

                      @Obsolesce said in encrypted email options?:

                      @Dashrender said in encrypted email options?:

                      @Obsolesce said in encrypted email options?:

                      @Dashrender said in encrypted email options?:

                      The use of secure email is primarily with outside persons and companies. No home user (patient) is ever going to set up PKI to get an email from us.

                      I only listed it because I figured someone would blast me for not listing it. It's a complete non starter in our case. It's also why I specifically mentioned the typically used with gov'ts.

                      Oh yeah that's a totally different case. Your only real option then if dealing with patients and all that is the one built into O365, that takes you to a portal to decrypt it.

                      Right - this is what we see 90% of the time. Lately though, one of our hospitals has changed to a different secure email provider - and in this case, they no longer bother with the portal as long as TLS works. This provides the simplest solution for home/patient users.
                      Scott and I have discussed this, and believe that it fits the requirements of HIPAA as well.

                      Thoughts?

                      I'm not familiar with that method, so I can't comment on it. I've never received an encrypted email that I didn't have to go to a portal/website link, or via S/MIME.

                      You likely get it 90% of the time. In Zoho it's just a little "secure" flag that shows up. Normal mail is already secure, but not generally enforced. But secure email is the universal default today.

                      Are you talking about something else? This "Secure Email" is not what we are referring to. Zoho "secure email" is just that it uses TLS in transit and is encrypted at rest on Zoho servers. This is all transparent and is the case with every major email service.

                      I think what is being asked here isn't obvious to you, but that the mail itself is encrypted, not just the transport of it. Basically in a way the OME and S/MIME ensures.

                      You'll need to show exactly where in Zoho you turn on this feature you speak of.

                      Nope, you'd be mistaken - I'm not asking for truly end user to end user secure email - almost no one ever wants that. They want the HIPAA requirement - that's all. Anything more, especially if it offers even one newton of additional friction to the process, is absolutely not wanted, though if it was friction free (and I mean zero additional friction) they would likely be willing to have it tacked on because why not?

                        Dashrender @VoIP_n00b

                        @VoIP_n00b said in encrypted email options?:

                        @scottalanmiller said in encrypted email options?:

                        But secure email is the universal default today.

                        🤔

                        Yeah - I don't know what this means either.
                        Secure mail ?? If by Secure mail you mean - emails traveling across the internet between mail servers, and even between servers and mail clients, then sure, the default is TLS and has been for many years - though sadly, many ISPs still have legacy old shit systems that don't support it (though Cox finally pulled their heads out of their asses and now support it - BUT - they have also cut off email as a provided service with ISP access - likely because of low use and expense of managing it... so far they are continuing to support current users of the platform, but I expect that to even die at some point...

                          Dashrender @scottalanmiller

                          @scottalanmiller said in encrypted email options?:

                          Are there cases where cloud storage with a web interface is a good idea and better than email for delivering files? Absolutely. Is there ever a time that we should pretend email isn't encrypted normally or that dropbox-style systems are just email? No.

                          Email is secure end to end? What do you consider end to end? And again, secured how, against whom? Now, as I already stated - it's likely TLS all the way from the client to the server to the other server to the client. Sure, so it's secure from the prying eyes of the internet, but not from admins on either sending or receiving systems - but I'm pretty sure that's not part of the requirement for HIPAA.

                          Additionally I completely agree with you that there is no reason to lie to people - to "dumb down the technology" to call Zix's solution of a web portal "secure email." The problem is population education - whose job is it to educate normal users? I'm guessing you might say it's their employers - and I'll simply tell you they aren't willing to pay for that.

                          There's no reason that normal email can't just be used, it's secure. The issue that many places have is that they refuse to require this security and/or to understand IT and so feel, because of marketing, that they have to pay for something that isn't email to fix their "email", which obviously, makes no sense.

                          I have tried with the "require TLS" option in the past, and was required to turn it off because it prevented the ability for owners to email family who still used an email provider who didn't support TLS. Additionally - as mentioned above, now moving to O365, enabling this gives no feedback for 24 hours of failure with no option to shorten this timeout/failure issue.

                            Dashrender @scottalanmiller

                            @scottalanmiller said in encrypted email options?:

                            With Zix, for example, they have your key.

                            yep

                            PGP/GPG options are definitely way, way more secure. And they use real email to do it. But no one likes them.

                            Right, normal users, a cashier at the grocery store, will likely never set up a GPG key, support it, etc. to get medical records via email from their doctor. That's too much work.

                            But they will create a logon to an EMR portal and a "secure email portal" to access/retrieve messages from their doctors. Of course, generally, they will use the same password they use everywhere else, but that's not my problem.

                              1337 @Dashrender

                              @Dashrender said in encrypted email options?:

                              @scottalanmiller said in encrypted email options?:

                              With Zix, for example, they have your key.

                              yep

                              PGP/GPG options are definitely way, way more secure. And they use real email to do it. But no one likes them.

                              Right, normal users, a cashier at the grocery store, will likely never set up a GPG key, support it, etc. to get medical records via email from their doctor. That's too much work.

                              But they will create a logon to an EMR portal and a "secure email portal" to access/retrieve messages from their doctors. Of course, generally, they will use the same password they use everywhere else, but that's not my problem.

                              I know cases where communication between health care professionals and patients is done through a website that requires 2FA for the patients. It has absolutely nothing to do at all with email except that patients can get email and SMS notifications. Patients can view their journals as well. I'm sure it's custom built but maybe there are COTS systems that are made for exactly this.

                                Dashrender @1337

                                @Pete-S said in encrypted email options?:

                                @Dashrender said in encrypted email options?:

                                @scottalanmiller said in encrypted email options?:

                                With Zix, for example, they have your key.

                                yep

                                PGP/GPG options are definitely way, way more secure. And they use real email to do it. But no one likes them.

                                Right, normal users, a cashier at the grocery store, will likely never set up a GPG key, support it, etc. to get medical records via email from their doctor. That's too much work.

                                But they will create a logon to an EMR portal and a "secure email portal" to access/retrieve messages from their doctors. Of course, generally, they will use the same password they use everywhere else, but that's not my problem.

                                I know cases where communication between health care professionals and patients is done through a website that requires 2FA for the patients. It has absolutely nothing to do at all with email except that patients can get email and SMS notifications. Patients can view their journals as well. I'm sure it's custom built but maybe there are COTS systems that are made for exactly this.

                                COTS?

                                  scottalanmiller @Dashrender

                                  @Dashrender said in encrypted email options?:

                                  @Pete-S said in encrypted email options?:

                                  @Dashrender said in encrypted email options?:

                                  @scottalanmiller said in encrypted email options?:

                                  With Zix, for example, they have your key.

                                  yep

                                  PGP/GPG options are definitely way, way more secure. And they use real email to do it. But no one likes them.

                                  Right, normal users, a cashier at the grocery store, will likely never set up a GPG key, support it, etc. to get medical records via email from their doctor. That's too much work.

                                  But they will create a logon to an EMR portal and a "secure email portal" to access/retrieve messages from their doctors. Of course, generally, they will use the same password they use everywhere else, but that's not my problem.

                                  I know cases where communication between health care professionals and patients is done through a website that requires 2FA for the patients. It has absolutely nothing to do at all with email except that patients can get email and SMS notifications. Patients can view their journals as well. I'm sure it's custom built but maybe there are COTS systems that are made for exactly this.

                                  COTS?

                                  "Commercial, Off The Shelf"

                                    scottalanmiller

                                    It's generally used as COTS vs Bespoke.

                                    In between the two are things like SAP where it's premade, but can't be used until customized.

                                      Dashrender

                                      I posted this question to my supervisors this morning:

                                      When you hear secure or encrypted email what do you envision? How do you envision that working?

                                      answer 1

                                      Secure or encrypted to me means that the content of the email is protected by a password and is not able to be opened by just anyone. I have several vendors that send me secure mail, so I am used to using it.

                                      answer 2

                                      I think of secure email as a means to send PHI or personal information without worrying that someone who shouldn’t see the information will be able to view it. Encrypted to me means that you need to sign in or have some sort of password to get into the email to view the contents. I may be way off base but….

                                        Dashrender @Dashrender

                                        answer 2

                                        I think of secure email as a means to send PHI or personal information without worrying that someone who shouldn’t see the information will be able to view it. Encrypted to me means that you need to sign in or have some sort of password to get into the email to view the contents. I may be way off base but….

                                        Interesting to see that someone considers secure and encrypted two different things.

                                          IRJ @Dashrender

                                          @Dashrender said in encrypted email options?:

                                          I posted this question to my supervisors this morning:

                                          When you hear secure or encrypted email what do you envision? How do you envision that working?

                                          answer 1

                                          Secure or encrypted to me means that the content of the email is protected by a password and is not able to be opened by just anyone. I have several vendors that send me secure mail, so I am used to using it.

                                          answer 2

                                          I think of secure email as a means to send PHI or personal information without worrying that someone who shouldn’t see the information will be able to view it. Encrypted to me means that you need to sign in or have some sort of password to get into the email to view the contents. I may be way off base but….

                                          Why does it matter what your non-IT supervisors think about the definition of encrypted email?

                                          I would say they have a decent grasp of the concept, and who cares if they know the exact definition. It's not their job to know it.

                                            Dashrender

                                            I asked a followup question:

                                            Could you be a little more in depth on how you envision it working – for say a patient, make a step by step list if you can.

                                            answer 1

                                            The secure mail would need to be initiated by TUC staff to send an email to patient, stating they have a secure message from TUC. Upon opening the message for the first time, they would be directed to create a password with whatever requirements we set up (number of characters, any special characters, Upper and lower case, etc.) Once password is approved by meeting criteria, the true message can be opened and responded to as needed. Future messages could be sent and opened by using the established password.
