It seems that people are taking security more seriously now than ever before and technology has made it convenient and possible for us to protect our homes, data, bank accounts, and much more with a single click of a button, but what about your business?
You may be thinking, well, my business has never required me to send private information, so I don’t need to worry about it. Unfortunately, regardless of what business you are in, your own data, your clients’ data, and your employees’ data could all be in jeopardy if sent by way of standard email. Even sending just a person’s full name or phone number can get you in trouble, or even fined by the United States Department of Health and Human Services (HHS).
So, let’s examine the process that occurs when sending both standard email messages and secure email messages, in three simple steps:
The Standard Email Process
Step 1: You compose your email message, attach your important documents, address the message to your recipient, and then click “SEND”. You might assume that as long as your recipient deletes the message after they’ve read it, that your private information is no longer on the internet, but you’d be wrong.
Step 2: Your standard email message travels unprotected across the cloud, bouncing between multiple servers and leaving a duplicate copy of your message on each one while en route to your recipient. Those servers, and the paths between them, present a multitude of vulnerabilities: unprotected web and company servers, unsecured email accounts, and exposed Wi-Fi connections, all of which can be accessed by third-party hackers.
Step 3: Finally, your email message reaches your recipient’s inbox. Was the content compromised? Has your private message been splashed across multiple user inboxes, blogs, and forums? Well, you just won’t know until it’s too late. Standard email is similar to an open-faced postcard sent through the mail: anyone who handles it can read what’s written on it. So, why compose standard email messages with your private info on them?
The Secure Email Process
Step 1: You compose your email message, attach your important documents, address the message to your recipient, and click “SEND SECURE”. Boom! Your encrypted message is created and stored in the secure database on which the entire secure email platform runs, and it never leaves that secure server.
Step 2: The secure server generates a notification email to your recipient informing them that a secure message is waiting in their secure inbox. The recipient then clicks the link inside the notification email to visit the secure portal. If this is the recipient’s first time receiving a secure email message, they’ll only be asked to create a password to access the message they’ve just received.
Step 3: After logging in to the secure portal, the recipient can access their secure inbox and open the secure message you’ve just sent them from any mobile device, tablet, or computer. Recipients can read, reply securely, and download any included secure attachments. The secure platform also uses a SOC 2 Type 2 audited data center that keeps all messages protected in storage and in transit. This ultimately eliminates the points of vulnerability that a standard message could encounter.
Easy enough, right? Using a third-party secure email provider protects you from cybercrime and its consequences. The havoc a hacker can cause when sensitive data is sent through a standard email application is simply not worth it! Stay one step ahead of the game with NeoCertified.
Cybercrime has cost companies and organizations millions, so it’s important to understand what it is, how to acknowledge it, and how to avoid it. Cybercrime is any form of attack, scam, hack, theft, breach, or piracy that takes place on the internet or through some sort of computer network or mobile device.
Cybercrime: Types of Hacks
Some common modern hacking practices include phishing, viruses and trojan software, keyloggers, DDoS (Distributed Denial of Service) attacks, bait and switch, and business email compromise. Another factor could, unfortunately, be YOUR employees: it is estimated that 59% of employees steal proprietary corporate data after they have been terminated or have resigned.
Email phishing, malware, and trojan attacks affect employers and employees of all types of businesses daily. Once a system is infected, the hacker may gain access to account records and contact information, and may even obtain temporary user access.
Business email compromise is a relatively new scam that targets C-level positions. The number of these scams is growing rapidly and has increased by 270% since 2015; the scam has cost companies more than $1 billion in just three years.
Laws Requiring Secure Email
All businesses that send email messages containing Personally Identifiable Information (PII) or Electronic Protected Health Information (ePHI) must send them securely. Each industry has its own set of specific federal regulations. Many hybrid industries, such as the insurance industry, must comply with several regulations.
The primary federal compliance regulations include the following:
SOX / GLBA / HIPAA / HITECH / FINRA / FCRA / TILA-RESPA / FERPA / SEC
Healthcare Industry: HIPAA Compliance
The healthcare industry is predominantly governed by HIPAA and HITECH regulations but may also have to comply with financial regulations such as FINRA and GLBA. HIPAA specifically dictates that all covered entities, meaning healthcare clearinghouses, health plans, and healthcare providers, must protect ePHI.
ePHI is similar to PII but also includes medical record numbers, which must be protected. ePHI must be kept secure both in transit and in storage. If HIPAA policies aren’t followed, severe penalties of up to $1.5 million per year may be imposed by the Department of Health and Human Services (HHS). The business may then also be responsible for client reparation costs and fines issued by other organizations.
Here are the 5 specific HIPAA requirements as related to email:
- Access Controls: A covered entity must implement technical policies and procedures limiting access to systems containing ePHI only to personnel with sufficient access rights.
- Audit Controls: A covered entity must implement software that records and examines activity in information systems that contain or use ePHI.
- Integrity: A covered entity must implement policies and procedures to protect ePHI from improper alteration or destruction.
- Person or Entity Authentication: A covered entity must implement procedures to verify a person or entity accessing ePHI is the one claimed.
- Transmission Security: A covered entity must implement technical measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network. This includes having integrity controls and encryption.
According to HIPAA, any company that handles medical records is deemed a “Business Associate” and would therefore need a signed Business Associate Agreement (BAA). When choosing a secure email solution, always make sure the company is willing to provide a BAA.
Also make sure that the secure email solution is HIPAA compliant, meaning that all secure email messages are protected both in transit and in storage, and that HIPAA compliant passwords are required.
It is also recommended that you train (and later re-train) your medical staff or any other staff that handles ePHI or any other types of medical record information.
Financial Industry Compliance
The financial industry’s compliance requirements range across regulations passed by FINRA (Financial Industry Regulatory Authority), the SEC (US Securities & Exchange Commission), GLBA (Gramm-Leach-Bliley Act), and SOX (Sarbanes-Oxley Act of 2002).
Financial institutions that collect personal customer information, including but not limited to names, addresses, and phone numbers, must ensure its appropriate security and confidentiality.
The term “Financial Institutions” includes all businesses that are significantly engaged in providing financial products or services.
Insurance Industry Compliance
The insurance industry falls under both financial and healthcare-related requirements because of the information being collected and transferred digitally. HIPAA’s Security Rule requires “appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of ePHI… to protect individuals’ ePHI that is created, received, used, or maintained by a covered entity.”
Always make sure the secure email solution you choose is compliant with both financial and healthcare regulations.
Secure Email: The Basics
As mentioned earlier, one of the most common platforms that hackers take advantage of is your standard email application. This means that it’s more imperative than ever before to protect your sensitive email messages. Secure email looks and feels like your standard email platform. The primary difference is that all sent and received messages never leave the secure server where they are created. The messages are secure in transit and at rest because they always remain on the secure server. The only emails leaving the server are the notification emails that your recipients will receive.
Using a secure email solution is the first step you can take to better protect your private information and that of your business. The majority of secure email solutions are cloud-based, which means you won’t have to install or manage any hardware or server software to use the solution. All you need to do is log in to the secure online portal. Most secure email solutions also provide nonrepudiation verification, which can be used, if necessary, in a court of law: it lets you see exactly when the message and any attachments were opened, and by which individual.
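The three-step secure email process described earlier and the nonrepudiation record described in the paragraph above both rest on the same model: message content stays on the server, only a notification link goes out over ordinary email, and every access is authenticated and logged. The Python below is an added example written for this page, not NeoCertified’s code or platform. It assumes a single in-process `SecurePortal` object standing in for the hosted service, returns the notification email as a dict instead of sending it over SMTP, uses an HMAC under a server-side key as the integrity control, and treats the `portal.example` hostname, the 12-character password rule, and the addresses and lab-result text in `demo()` as constructed placeholders. It shows the properties the text relies on, and maps them to the HIPAA safeguards listed under the healthcare section: the notification leaves the server without the subject, body or attachment names; reading requires the recipient’s own password; an altered stored message is refused; and every open is logged with a timestamp.

```python
"""Toy model of a portal-based secure email service (added example, not
NeoCertified's code). Hostname, password rule and HMAC are stand-ins."""
import hashlib
import hmac
import secrets
import time

MIN_PASSWORD_LENGTH = 12                   # constructed policy
PORTAL_URL = "https://portal.example/m/"   # placeholder hostname
PBKDF2_ROUNDS = 100_000


class AccessDenied(Exception):
    pass


class IntegrityError(Exception):
    pass


class SecurePortal:
    """Bodies and attachments never leave this object; only links do."""

    def __init__(self):
        self._server_key = secrets.token_bytes(32)  # stays on the server
        self._users = {}      # address -> (salt, pbkdf2 hash)
        self._messages = {}   # message id -> stored record
        self._tokens = {}     # link token -> message id
        self.audit_log = []   # (unix time, actor, action, message id)

    # Person or Entity Authentication: salted PBKDF2 password hashes.
    def register(self, address, password):
        if len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError("password does not meet the portal policy")
        salt = secrets.token_bytes(16)
        self._users[address] = (salt, hashlib.pbkdf2_hmac(
            "sha256", password.encode(), salt, PBKDF2_ROUNDS))

    def _authenticate(self, address, password):
        salt, stored = self._users[address]
        return hmac.compare_digest(stored, hashlib.pbkdf2_hmac(
            "sha256", password.encode(), salt, PBKDF2_ROUNDS))

    # Integrity: keyed MAC over body and attachments, checked before release.
    def _tag(self, body, attachments):
        mac = hmac.new(self._server_key, digestmod="sha256")
        mac.update(body.encode())
        for name, data in sorted(attachments.items()):
            mac.update(name.encode())
            mac.update(data)
        return mac.digest()

    # Audit Controls: every send, open and refusal is recorded with a time.
    def _log(self, actor, action, msg_id):
        self.audit_log.append((time.time(), actor, action, msg_id))

    def send_secure(self, sender, recipient, subject, body, attachments=None):
        """Store the message; return the notification that leaves the server."""
        attachments = dict(attachments or {})
        msg_id = secrets.token_hex(8)
        self._messages[msg_id] = dict(sender=sender, recipient=recipient,
                                      subject=subject, body=body, attachments=attachments,
                                      tag=self._tag(body, attachments))
        token = secrets.token_urlsafe(32)
        self._tokens[token] = msg_id
        self._log(sender, "sent", msg_id)
        # The notification carries a link only: no subject, body or file names.
        return {"to": recipient,
                "subject": "You have received a secure message",
                "text": "Sign in to the secure portal to read it: " + PORTAL_URL + token}

    def open_message(self, token, address, password):
        """Authenticate the recipient, verify integrity, log and release."""
        rec = self._messages.get(self._tokens.get(token))
        if (rec is None or rec["recipient"] != address
                or address not in self._users
                or not self._authenticate(address, password)):
            self._log(address, "access_denied", self._tokens.get(token, "-"))
            raise AccessDenied("invalid link or credentials")
        if not hmac.compare_digest(rec["tag"], self._tag(rec["body"], rec["attachments"])):
            self._log(address, "integrity_failure", self._tokens[token])
            raise IntegrityError("stored message was altered")
        self._log(address, "opened", self._tokens[token])  # nonrepudiation record
        return {"from": rec["sender"], "subject": rec["subject"],
                "body": rec["body"], "attachments": dict(rec["attachments"])}


def demo():
    """Constructed walk-through with made-up addresses and content."""
    portal = SecurePortal()
    portal.register("pat@clinic.example", "correct-horse-battery")
    note = portal.send_secure("dr.lee@clinic.example", "pat@clinic.example",
                              "Lab results", "MRN 000123: all values normal",
                              {"results.pdf": b"%PDF-1.4 constructed sample"})
    token = note["text"].rsplit("/", 1)[1]
    try:
        portal.open_message(token, "pat@clinic.example", "not-the-right-one")
        denied = False
    except AccessDenied:
        denied = True
    view = portal.open_message(token, "pat@clinic.example", "correct-horse-battery")
    return note, denied, view, [e for e in portal.audit_log if e[2] == "opened"]
```

`demo()` returns the outbound notification, whether a wrong password was refused, the released message, and the “opened” audit entries; the only string that ever travels by ordinary email is the link in `note["text"]`. A real platform would encrypt the stored records and keep the audit log append-only, which this in-memory sketch does not attempt.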
Types Of Secure Solutions
There are two common types of secure email solutions: User-Based Secure Email and Policy-Based Secure Email. The main difference between the two is that User-Based Secure Email suits a person needing a single-user account or a small business, whereas Policy-Based Secure Email is managed and defined at a company-wide level rather than per user. You can easily determine which secure email solution is right for you based solely on the specific business you own and operate.
Written by Peter J. Schaub
President & CEO, NeoCertified