Is regular email secure enough for HIPAA? What makes MailHippo secure?

No, regular email alone is not secure enough to satisfy HIPAA requirements. Here’s why:

Let’s think of an email as an envelope. The outside of the envelope specifies the delivery details including to whom and how it shall be sent. The inside of the envelope contains the sensitive content.

Email envelope and message content.
Caution

The content of a typical internet email message resides on two or more unsecured servers during its journey from sender to recipient. 

Let’s explore all the steps involved with how an email message is transmitted.

Email client.

The sender uses an email client (such as outlook or a mail app on their smartphone) to create a message. Pressing the SEND button transmits the email and content to a receiving server (typically the sender’s email provider).

Client sending email to senders email server.
During this sending process, the email envelope and its content are sent as plain text via SSL (a secure connection) to Server A (your email provider). That email sits on Server A in plain text unencrypted for a period of time.
Un encrypted email sitting on senders email server.

At some point, typically after a few minutes, Server A will transmit the plain text email to Server B (the recipient’s email provider) via SMTP, (a non-secure plain text email protocol.)

Senders email server sending sensitive email over insecure internet channel.
Un encrypted email message stored on insecure server.

The email then sits un-encrypted on Server B (at the recipient’s email provider) for a period of time. At some point, the recipient will open their email client and the email will be downloaded from Server B via SSL (a secure channel) to the recipient’s email client. At that point, it will be opened and read by the recipient.

Recipients downloads email message from hosting providers mail server.
Caution

To sum this up…the email and its contents sat on at least 2 servers (possibly more) in plain text, un-encrypted. The message was also sent over the internet via an insecure channel multiple times.

Bottom line: once you send an email, you never know what servers will be handing off the message and via what protocols and channels it will be sent. That’s why internet email is NOT secure enough to satisfy HIPAA requirements.

Here’s where MailHippo comes into the picture, to address these security deficiencies.

The MailHippo platform secures the message by extracting the content (the sensitive part inside the envelope) before the email is ever sent.

Before sending MailHippo encrypts the email message contents.

MailHippo stores the message body and attachments (the content) as encrypted records in our Web portal. The outbound message we send is merely a pointer back to the message content residing on our secure platform.

Thumbs Up!

In short, the sensitive content of the email message is never sent via email over the internet… only the message envelope is.

What about email encryption?

MailHippo encrypts email messages in two ways:

1

First, we use encryption during the transmission of messages from and to the MailHippo secure platform. All communications with the MailHippo web portal employ SSL TLS 1.2 or higher level of encryption.

2

Second, all records are stored encrypted on the MailHippo platform.  The message body and all attachments are encrypted using AES 256 bit algorithms.

Finally, MailHippo goes a step further: by encrypting the key ring that stores the keys necessary to decrypt these records.

Thumbs Up!

This means all email messages are encrypted both in transit AND at rest!

Hopefully this sheds some light on just how insecure standalone internet email can be, as well as how the MailHippo platform secures email messages in transit and at rest.

More questions? We’re here to help. Click here to reach out to our MailHippo team. We’re standing by to answer any questions you may have!