RE: [BULK] [NTSysADM] RE: is email over SSL same as email encryption?

[Jimmy Tran]

Thanks for all the feedback everyone.  Very informative.

Jimmy

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Steven Peck
Sent: Thursday, April 24, 2014 2:33 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [BULK] [NTSysADM] RE: is email over SSL same as email encryption?

We provide a capture portal (Axway) for people to retrieve HIPAA relegated 
stuff.  However, if a company wants we will setup a TLS connection with them.  
We have a very short form they have to fill out indicating they have a HIPAA 
policy regarding handling PHI and have provisions in place to handle data, etc. 
 Once we have that agreement turn it on.

It's a very short form.

HIPAA is a weird beast because there is not much case law built up about it at 
this point and no one wants to be the first cases that set precedence :)

Steven

________________________________
From: al...@eckelberry.com<mailto:al...@eckelberry.com>
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: RE: [BULK] [NTSysADM] RE: is email over SSL same as email encryption?
Date: Wed, 23 Apr 2014 23:15:14 -0400
In Jimmy's scenario, message contents (including username and pwd) password 
will be encrypted, but only between the client and the service provider. There 
is no encryption once the messages arrive at the servers, or when they relay 
(although the original user name and pwd is protected).

The data-in-motion and data-at-rest argument mentioned below is worth 
understanding.

At any rate, BlueHost specifically states it is not compliant. 
https://my.bluehost.com/cgi/help/hipaa

I am certainly not a HIPAA expert, but I would probably look at just hosting 
your email on Office 365 or Google Apps, both of which will provide a BAA 
letter (a strong but not complete part of HIPAA compliance).


Alex Eckelberry
www.eckelberry.com<http://www.eckelberry.com/>
www.linkedin.com/in/alexeck<http://www.linkedin.com/in/alexeck>




From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Michael B. Smith
Sent: Wednesday, April 23, 2014 12:11 PM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: RE: [BULK] [NTSysADM] RE: is email over SSL same as email encryption?

Not if SMTP is encrypted via SSL or TLS.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Matthew W. Ross
Sent: Wednesday, April 23, 2014 12:01 PM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: Re: [BULK] [NTSysADM] RE: is email over SSL same as email encryption?

I am no security expert, so forgive my ignorance.

I understand that Exchange servers have the ability to encrypt all the "data at 
rest" on the server, and may well be able to encrypt the data sent to a client 
using ActiveSync.

But, isn't it true that an email, once it leaves the sever via SMTP, is 
unencrypted?

--Matt Ross
Ephrata School District
Michael B. Smith <mich...@smithcons.com<mailto:mich...@smithcons.com>> , 
4/23/2014 8:54 AM:
This would be better on the Exchange list.

But two concepts come into play.

Data-at-rest and data-in-motion.

Data-in-motion - in MANY (not even most, just many) modern systems is encrypted 
using SSL or TLS. If the system is Exchange, then Exchange ensures that all 
data in transit is always encrypted.

Data-at-rest is far more complex and requires a certain level of operational 
maturity to implement. Lots of third party compliant email systems do this on 
THEIR servers. But not on yours.

Authenticated data-in-motion and authenticated data-at-rest are what you refer 
to by suggesting "key exchange is required". Typically, this is S/MIME. And 
that's a whole different kettle of fish.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>] 
On Behalf Of Jimmy Tran
Sent: Wednesday, April 23, 2014 11:31 AM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] RE: is email over SSL same as email encryption?

After doing some more reading, it looks the sender and recipient needs to 
exchange keys for this to work.

To the members here who have to be HIPPA compliant for email, do you mind 
sharing what you have in place? Do you use a 3rd party to handle this?  How do 
you communicate with users outside your organization and also be compliant?

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Jimmy Tran
Sent: Wednesday, April 23, 2014 8:19 AM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] is email over SSL same as email encryption?

I ask this because I have a client who wants to be HIPPA complaint with patient 
communication.  I don't know much about compliance with email except that the 
email needs to be encrypted.  Currently, they use email hosted by bluehost via 
imap and over SSL.  This just means the connection to bluehost is encrypted, 
but by the time it hits the patient's inbox, it is no longer encrypted correct?

TIA,

Jimmy