Am I missing something here when it comes to Email Encryption?

thecomputerguy
I have a client who was required to set up email encryption for a contract with a major medical company/hospital. The bad news was that her primary email was a Gmail account, so I had to get her set up with a brand new email account at a domain she owned.

So I set her up with O365 Business Premium + HIPAA + Encryption all through GoDaddy; I wanted an easy one-stop shop. They use a company called Proof Point for encryption.

Here's what happens ... You compose a message and in the subject line you have to put [encrypt]. Then once you send the message you get a receipt from GoDaddy explaining that the email was sent to Proof Point for encryption. After about 10-15 minutes the recipient gets an email saying they got an encrypted message. They click the button, then create a Proof Point account, and they are then redirected to a new Proof Point mail system where they can view the message.

All is good up to this point.

The issue is when the recipient wants to respond. There is a reply button in the PP mail system. They reply, but my client doesn't even get notified that there was a reply to the message. I thought I was missing something, so I called GoDaddy, and the person I spoke with was sure that I was right and something was missing, and that they were told in training that you are supposed to get some sort of reply or notification to your email inbox.

After 40 minutes on the phone, that GoDaddy tech said that he/they have been trained wrong on the product and it is working as intended.

So the ONLY way to check if you have a response from someone is to stay logged into PP all day long and periodically check to see if you got a response?

WTF? That sounds ridiculous ... is this how email encryption is actually supposed to work?
 
Don't know much about encryption tools that exist, but one flaw in the GoDaddy solution you've chosen is that it is not encrypted at point of origin. Does it travel to Proof Point unencrypted? I've recommended AxCrypt before. I'll listen and learn now.
 
Don't know much about encryption tools that exist, but one flaw in the GoDaddy solution you've chosen is that it is not encrypted at point of origin. Does it travel to Proof Point unencrypted? I've recommended AxCrypt before. I'll listen and learn now.

I don't know for sure, but I do know that Proof Point is used very widely across the medical and financial fields. I'm pretty sure Office 365 has some layer of SSL or TLS encryption with any message that is sent. I assume the initial message you send with the [encrypt] is to open a thread up through PP to have the conversation that you need to have.
 
Office 365 E3 supports Azure encryption. You set it up and put your trigger in your subject line, and the message gets encrypted. The recipient gets a message that they can retrieve via a one-time code or by logging into their Microsoft account. If you reply inside of the message, you get an encrypted reply using the same method.
 
If the message isn't encrypted before leaving the author's machine, how can that be considered remotely secure? That includes composing a message on a cloud service – in other words, there must be an email client program involved, including encrypting a draft message with IMAP, and certainly not sending to a third-party to be encrypted.

There's no point having a message encrypted for part of its journey. If Proof Point is a widely used SOP, there's something wrong with the system.

Just my opinion, of course. ;)
 
Actually, Gmail's standard SSL email is HIPAA compliant I believe (but they may be wanting something extreme for trade secrets?)
 
Office 365 E3 supports Azure encryption. You set it up and put your trigger in your subject line, and the message gets encrypted. The recipient gets a message that they can retrieve via a one-time code or by logging into their Microsoft account. If you reply inside of the message, you get an encrypted reply using the same method.

You can add it to the O365 Biz plans also; simply enable the Azure AD... it's only another 2 bucks a month. Cheaper than many 3rd party encryption programs.
I used to resell AppRiver's Cipher Post... it's very feature rich, but sorta a pain to manage. And "heavy" side apps.
 
If the message isn't encrypted before leaving the author's machine, how can that be considered remotely secure? That includes composing a message on a cloud service – in other words, there must be an email client program involved, including encrypting a draft message with IMAP, and certainly not sending to a third-party to be encrypted.

There's no point having a message encrypted for part of its journey. If Proof Point is a widely used SOP, there's something wrong with the system.

Just my opinion, of course. ;)
SSL, TLS, and HTTPS are all facilitated via encryption. So you are covered there, be it Outlook or webmail.
 
I ended up cancelling the service with GoDaddy and going with Cipher Pro through AppRiver ... much more knowledgeable and user friendly...

Thanks all!

This was what I was going to recommend. Have a customer who finally got around to getting HIPAA compliant and are using it. The only downside is if it's outside of Outlook, like on a smartphone or OS X, they have to use the app, which does not link to their address book.

SSL does not make an email service HIPAA compliant. To begin with, the email provider must be able to sign a BAA. And most will not unless they are reselling O365 hosted Exchange. All SSL does is encrypt the transport; the message is still in plain text when it's at rest on the server side.
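As an added illustration (not code from anyone in this thread, nor from GoDaddy, Proof Point, Microsoft or AppRiver) of two points raised above: the subject-line [encrypt] trigger that the gateway-style products key off, and the last post's distinction between transport encryption (TLS) and what is actually stored at rest. The model below uses Python's standard email library to build a constructed sample message, sends it two ways to a stand-in mailbox store, and checks whether the body text is readable in what the server keeps. Everything here is assumed for the illustration: the server class, the body cipher (a toy HMAC-SHA256 counter-mode construction with encrypt-then-MAC, used only so the example runs without third-party packages, not a cipher recommendation), and the sample addresses.

```python
import email
import hashlib
import hmac
import os
import re
from email import policy
from email.message import EmailMessage

# Subject-line trigger described in the thread: a mail-flow rule keys off this tag
ENCRYPT_TRIGGER = re.compile(r"\[encrypt\]", re.IGNORECASE)
# Constructed sample body; treated as the sensitive content we care about
SAMPLE_SECRET = b"CONSTRUCTED SAMPLE: lab results for patient 12345"


def needs_gateway_encryption(msg: EmailMessage) -> bool:
    """Mail-flow rule: route messages tagged [encrypt] in the subject to the encryption step."""
    return bool(ENCRYPT_TRIGGER.search(msg.get("Subject", "")))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256 (assumed helper, illustration only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_body(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh nonce; output layout is nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_body(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then strip the keystream; tampering raises instead of returning garbage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class MailServer:
    """Stand-in for the provider's mailbox store: what remains after the TLS session ends."""

    def __init__(self) -> None:
        self.mailbox: list[bytes] = []

    def receive_over_tls(self, raw: bytes) -> int:
        # TLS protected the wire; the TLS endpoint decrypts, and the store keeps raw RFC 5322 bytes
        self.mailbox.append(raw)
        return len(self.mailbox) - 1

    def at_rest(self, index: int) -> bytes:
        return self.mailbox[index]


def build_sample_message() -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "[encrypt] Lab results"
    msg.set_content(SAMPLE_SECRET.decode())
    return msg


def send_transport_only(server: MailServer, msg: EmailMessage) -> int:
    """Model 1: the client relies on SMTP-over-TLS only; the body itself is never encrypted."""
    return server.receive_over_tls(msg.as_bytes())


def send_client_encrypted(server: MailServer, msg: EmailMessage, key: bytes) -> int:
    """Model 2: the client encrypts the body before sending; headers stay visible to the server."""
    wrapper = EmailMessage()
    for header in ("From", "To", "Subject"):
        wrapper[header] = msg[header]
    wrapper.set_content(encrypt_body(key, msg.get_content().encode()),
                        maintype="application", subtype="octet-stream")
    return server.receive_over_tls(wrapper.as_bytes())


def body_visible_at_rest(server: MailServer, index: int, secret: bytes) -> bool:
    """Would anyone with access to the mailbox store (admin, backup, intruder) see the body text?"""
    return secret in server.at_rest(index)


def recipient_decrypts(server: MailServer, index: int, key: bytes) -> bytes:
    stored = email.message_from_bytes(server.at_rest(index), policy=policy.default)
    return decrypt_body(key, stored.get_content())


def run_demo() -> dict:
    server = MailServer()
    key = os.urandom(32)  # shared with the recipient out of band in this toy model
    msg = build_sample_message()
    plain_idx = send_transport_only(server, msg)
    enc_idx = send_client_encrypted(server, msg, key)
    return {
        "rule_triggered": needs_gateway_encryption(msg),
        "transport_only_body_visible": body_visible_at_rest(server, plain_idx, SAMPLE_SECRET),
        "client_encrypted_body_visible": body_visible_at_rest(server, enc_idx, SAMPLE_SECRET),
        "subject_still_visible": b"[encrypt]" in server.at_rest(enc_idx),
        "recipient_plaintext": recipient_decrypts(server, enc_idx, key),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

The result that matters is the pair of `*_body_visible` flags: with transport-only protection the stored message still contains the body verbatim, while client-side encryption leaves the store holding only ciphertext. The `subject_still_visible` flag is the caveat: the subject line (including the [encrypt] tag itself), the sender and the recipient remain in the clear in both models, and in the gateway flow from the first post the message is readable by the gateway as well, since that is where the encryption happens.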
 