Why Even Intelligent Health Professionals Don’t Encrypt Their Email.
The fact is they really need the protection that encryption offers: not merely because of potential HHS penalties, but because of the $1.5T (yearly) cyber-crime industry that plunders our data when we are careless. Health providers need to take responsibility for the technology they use. If we practiced medicine the way we practice basic security, we would still be using charms and performing bloodletting; as it is, we let criminals bleed us financially. So why isn't there more accountability in healthcare IT? Is it really carelessness, or something more? Before answering that question, it helps to understand how (proper) email encryption works, and then to consider some major caveats practitioners should weigh.
How conventional email encryption works:
Succinctly: an individual buys a signing/encryption certificate, prepares it, and installs it into an email program. The user must then coordinate with each recipient they intend to send encrypted content to by sending them a digitally signed message using the newly installed certificate; the recipient adds the sender to their contact list, which stores the sender's public key. From then on, for each email you send, you decide whether the content requires encryption (assuming the recipient can decrypt it) and, if so, choose the option to encrypt the message. There are also routine maintenance procedures that must be followed to keep the certificate valid.
If the goal of encryption is HIPAA compliance and your audience is relatively small (6-10 recipients), this may be attainable if you are diligent with your email practices; beyond that, i.e. for communication with patients, it is an untenable choice. The coordination process must be completed with each recipient for encryption to work at all, and you do not control their equipment, software, or technical savviness. The recipient must value the communication enough to configure their email program to receive it. If the recipient gets a new device, wants to use a different one, or changes email programs, the coordination process must be repeated from the start. Certificates are also not forever: when your certificate comes up for renewal (at a minimum yearly), you must renew it beforehand, otherwise the process starts all over again, with every recipient. If the certificate expires, all the old encrypted email suddenly becomes untrustworthy. You must protect your private key, or you welcome a host of problems. Leaving a copy of the original or exported private key on a device or notebook is a common practice. Worse yet, confusion about certificates in general and how to handle them leads to foolish mistakes such as sending the private key to others, or sending it in conventional email. Depending on circumstance, impatience, or lack of training, the outcome is inconsistent: messages that ought to be encrypted get sent in the clear, a situation that is difficult to correct or recover from. Unfortunately, a fair number of patients are cavalier, or simply naive, about their privacy, and their unencrypted ePHI then sits as a liability on your mail server in plain text!
It's clear that conventional email encryption run by medical professionals is almost a full-time job. So why don't more medical professionals go the distance for their patients' privacy protection? The answer lies in the blurred lines between negligence, complexity, and the amount of effort required. It's fair to say that email encryption for the sake of HIPAA law could be a full-time job in itself! Knowing this, a better question might be:
How do intelligent medical professionals keep their communications HIPAA compliant?
Being confused about certificates, encryption, and the other technical requirements of HIPAA law is common, and negligence of this law can have serious security implications. At Patient Protect, we've created a bullet-proof cloud-based solution to simplify the complexity of secure collaboration. We use a conventional web page interface (over SSL) for the handling of ePHI, so all ePHI is encrypted in transit. We store ePHI in an encrypted database, so all ePHI is encrypted at rest. We also help offices become more compliant by advising and educating you on proper practices.