Is regular email secure enough for HIPAA? What makes MailHippo secure?
No, regular email alone is not secure enough to satisfy HIPAA requirements. Here’s why:
Let’s think of an email as an envelope. The outside of the envelope specifies the delivery details including to whom and how it shall be sent. The inside of the envelope contains the sensitive content.
The content of a typical internet email message resides on two or more unsecured servers during its journey from sender to recipient.
Let’s explore all the steps involved with how an email message is transmitted.
The sender uses an email client (such as outlook or a mail app on their smartphone) to create a message. Pressing the SEND button transmits the email and content to a receiving server (typically the sender’s email provider).
During this sending process, the email envelope and its content are sent as plain text via SSL (a secure connection) to Server A (your email provider). That email sits on Server A in plain text unencrypted for a period of time.
At some point, typically after a few minutes, Server A will transmit the plain text email to Server B (the recipient’s email provider) via SMTP, (a non-secure plain text email protocol.)
The email then sits un-encrypted on Server B (at the recipient’s email provider) for a period of time. At some point, the recipient will open their email client and the email will be downloaded from Server B via SSL (a secure channel) to the recipient’s email client. At that point, it will be opened and read by the recipient.
To sum this up…the email and its contents sat on at least 2 servers (possibly more) in plain text, un-encrypted. The message was also sent over the internet via an insecure channel multiple times.
Bottom line: once you send an email, you never know what servers will be handing off the message and via what protocols and channels it will be sent. That’s why internet email is NOT secure enough to satisfy HIPAA requirements.
Here’s where MailHippo comes into the picture, to address these security deficiencies.
The MailHippo platform secures the message by extracting the content (the sensitive part inside the envelope) before the email is ever sent.
MailHippo stores the message body and attachments (the content) as encrypted records in our Web portal. The outbound message we send is merely a pointer back to the message content residing on our secure platform.
In short, the sensitive content of the email message is never sent via email over the internet… only the message envelope is.
What about email encryption?
MailHippo encrypts email messages in two ways:
First, we use encryption during the transmission of messages from and to the MailHippo secure platform. All communications with the MailHippo web portal employ SSL TLS 1.2 or higher level of encryption.
Second, all records are stored encrypted on the MailHippo platform. The message body and all attachments are encrypted using AES 256 bit algorithms.
Finally, MailHippo goes a step further: by encrypting the key ring that stores the keys necessary to decrypt these records.
This means all email messages are encrypted both in transit AND at rest!
Hopefully this sheds some light on just how insecure standalone internet email can be, as well as how the MailHippo platform secures email messages in transit and at rest.
More questions? We’re here to help. Click here to reach out to our MailHippo team. We’re standing by to answer any questions you may have!