Setting up TLS tunnels is not really that hard. You can even configure most MTAs to send TLS-encrypted mail by default, and fail to send without it, or send it if it is a list.
Not nearly as bad as setting up discrete VPN tunnels, for instance.

ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market...

On Wed, Apr 23, 2014 at 4:46 PM, David Mazzaccaro <[email protected]> wrote:

> FYI - it's HIPAA (not HIPPA)
>
> For email, see this:
>
> http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2006.html
>
> The *easiest* way to implement a secure email system is to contact a vendor (Symantec Cloud for example) who will set up a TLS tunnel between your Exchange server and their service.
>
> ALL incoming and outgoing email moves through this tunnel. Email is now encrypted between Exchange and the provider. Also, you set up Exchange so that it ONLY sends and ONLY receives email over this tunnel.
>
> This is only the 1st step.
>
> The next step would be to create RULES w/ the provider to specify what happens when certain conditions are met.
>
> For example... if Exchange users type "secure" in their subject line, then the provider will redirect the email to a secure portal (a website) and notify the recipient that they have a secure email waiting for them in the portal.
>
> It is now up to the recipient to create a password, log into the portal, and retrieve the secure message.
>
> What happens after that is not your problem.
>
> You've secured the message during transmission, and verified that only the intended recipient can retrieve the message.
>
> Now, some people don't like having to log into a portal (website) to retrieve secure email.
>
> And in some cases, businesses will establish DIRECT TLS tunnels between companies, so that the two companies basically have the equivalent of an Exchange-only VPN connection between the two.
>
> All Exchange (email) traffic that is destined for companyB from companyA is direct (TLS tunneled) and never leaves or is exposed to the public Internet.
>
> You can imagine the pros of this.... Users don't have to remember to type "secure" in their subject line (or whatever other rules), and recipients don't have to log into a portal to get their secure messages.
>
> Of course you have the added overhead of configuring/maintaining TLS tunnels to companyA, companyB, company, etc... and this only works if you send email to a user's corporate email address (not a home email address).
>
> Which is why most places will choose to use a portal and train users to use the appropriate rules (secure in the subject line, etc).
>
> HTH
>
> Good luck!
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Jimmy Tran
> Sent: Wednesday, April 23, 2014 11:31 AM
> To: [email protected]
> Subject: [NTSysADM] RE: is email over SSL same as email encryption?
>
> After doing some more reading, it looks like the sender and recipient need to exchange keys for this to work.
>
> To the members here who have to be HIPPA compliant for email, do you mind sharing what you have in place? Do you use a 3rd party to handle this? How do you communicate with users outside your organization and also be compliant?
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Jimmy Tran
> Sent: Wednesday, April 23, 2014 8:19 AM
> To: [email protected]
> Subject: [NTSysADM] is email over SSL same as email encryption?
>
> I ask this because I have a client who wants to be HIPPA compliant with patient communication. I don't know much about compliance with email except that the email needs to be encrypted. Currently, they use email hosted by bluehost via IMAP and over SSL. This just means the connection to bluehost is encrypted, but by the time it hits the patient's inbox, it is no longer encrypted, correct?
>
> TIA,
>
> Jimmy
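As an added illustration (not part of the thread, and not anyone's production config), here is what "send TLS by default and fail without it" plus a direct company-to-company tunnel look like in Postfix terms. The weak opportunistic setting is shown commented out next to the mandatory one, and the per-destination policy map is where the partner tunnel and a no-TLS list host get their own rules. Domain names, hostnames and file paths are placeholders I made up.

```conf
# Added example, not from the original thread. Postfix main.cf fragment.
# Domains, hostnames and paths below are assumed placeholders.

# ---------------- Outbound (Postfix SMTP client) ----------------

# Weak default: opportunistic TLS. STARTTLS is attempted, but if the remote
# MX does not offer it the message goes out in cleartext, and no certificate
# check is done. This is what most "we already use TLS" setups actually run.
#smtp_tls_security_level = may

# Hardened default: mandatory TLS. If the peer will not negotiate TLS the
# delivery fails (mail stays queued, then bounces) instead of downgrading.
smtp_tls_security_level = encrypt

# Per-destination overrides live in a lookup table (see below).
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# CA bundle used to verify peer certificates for "verify"/"secure" entries.
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Log one line per connection with protocol, cipher and trust level, so a
# delivery that did not reach the expected trust level shows up in the logs.
smtp_tls_loglevel = 1

# ---------------- Inbound (Postfix SMTP server) ----------------
smtpd_tls_cert_file = /etc/postfix/certs/mail.companya.example.crt
smtpd_tls_key_file  = /etc/postfix/certs/mail.companya.example.key

# "encrypt" refuses cleartext SMTP. Fine for a relay that only talks to a
# known provider or partner; a public MX that must accept mail from anyone
# needs "may", or senders without STARTTLS will be rejected outright.
smtpd_tls_security_level = encrypt
smtpd_tls_loglevel = 1

# ---------------- /etc/postfix/tls_policy ----------------
# Build with: postmap /etc/postfix/tls_policy, then: postfix reload
#
# Partner with a direct tunnel: require TLS AND a certificate that chains to
# a trusted CA and carries the expected MX name. Plain "encrypt" would still
# accept any certificate, so it does not prove who is on the other end.
# companyb.example             secure match=mail.companyb.example
#
# Hosted mail-security provider everything is relayed through
# (relayhost = [smtp.provider.example]); same rule, verify its identity.
# [smtp.provider.example]      secure match=smtp.provider.example
#
# A mailing-list host that does not support STARTTLS: allow cleartext for
# that one destination only, rather than lowering the global default.
# lists.example.org            may
```

The security-relevant distinction is between `encrypt` (confidentiality on the wire, but any certificate is accepted) and `secure` (the peer must also prove its identity against the CA bundle and the `match=` name). For a partner tunnel that is supposed to replace a VPN, only the latter actually gives you the "never exposed to the public Internet" property David describes; with `encrypt` alone, an attacker who can redirect the connection can present their own certificate. After reloading, the `smtp_tls_loglevel = 1` lines in the mail log tell you whether each delivery was established as an Anonymous, Untrusted, Trusted or Verified TLS connection, which is the check to run before asserting to anyone that mail to a given domain is protected.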

