Yes, it’s true – secure, encrypted messaging isn’t just for rabble rousers and intelligence agencies. In fact, many government regulations require organizations in healthcare, finance and more to use secure messaging methods to encrypt their transmission and protect sensitive or personally identifiable forms of data. This is to limit risk of data breaches and loss, as well as compromise of this data by bad actors, all in the interest of protecting the interests of commerce and customers.
This is particularly of concern to firms in the healthcare, financial and legal industry because of the value of the data they use and the necessity to secure them. The going rate for a social security number is 10 cents, a credit card 25 cents, while electronic health records could go for up to $1000. Consistent with the precept that bad actors are generally looking to make a profit, social security and credit card numbers enable them to commit small scale fraud if the compromised data isn’t yet flagged, but electronic health records can permit false insurance claims and fraud on the scale of tens or hundreds of thousands of dollars.
This is such a big problem that insurance companies are even offering insurance for healthcare data breaches. We would think, in this case, the best insurance may be to actually protect the data in the first place. The same applies for brokerage and high value financial information, legal and court data, and other digital assets in the same industries expected under the law to use secure messaging.
With understanding your options in mind, here are what’s available as methods to securely transmit your data:
Secure Messaging by Fax (Yes, Really)
There is usually a trade-off between usability and security, and analog technologies have benefitted from the sense that though they are more cumbersome, they are also less vulnerable to penetration. In the case of faxing, the PSTN (Public Switched Telephone Network) offer an inherent level of security because transmissions are converted into base64 binary and reassembled at their destination. Hacking such a transmission requires direct manual access to a telephone line, and even if a transmission is intercepted it would not be possible to interpret.
While a basic fax machine is expensive and cumbersome to use – not to mention that younger or less experienced employees may not even understand how to use them – purpose-built digital faxing services exist to make use of this inherent security easier. Certain vendors place physical safeguards, enhanced data encryption and more into secure faxing services, and purport that they are more secure than email (not encrypted email, however).
The price of these may be competitive, but is adding an additional system or process to separate transmissions that need to be kept secure really going to be efficient for your users? It may at times come down to a matter of taste but holding on to an analog system is not the most efficient route to security in a digital world, and it’s likely a little more time consuming to boot.
Secure Messaging by Mobile Apps & Blockchain (Ooh, Trendy)
This is fun because there are a lot of secure messaging apps out there, some based on blockchain, that allow users to communicate with total privacy and discretion (with the exception of state-sponsored backdoors or suspect vendors). Services like WhatsApp and iMessage offer high-grade encryption for communications, along with Signal, Wire, Telegram, Wickr and more.
While these would technically be secure messaging systems, these are NOT recommended for regulatory compliance. Most of the companies that provide these services are either too young and anonymous to be trusted, or sufficiently large and consumer-driven that their reliability for a very specific business practice could be called into question. Also, WhatsApp and iCloud accounts are often compromised. Even though it happens to everybody, do you really want to end up with egg on your face when you have to tell customers you lost your data on the same app you use to text your niece happy birthday?
Secure Messaging by Email (What makes it work?)
Email encryption services are the best way to ensure you comply with encrypted transmission requirements while not creating inefficiency for your users – as well as being able to automatically prevent certain types of data loss through automated encryption on a single, regularly used channel. These services effectively use your email gateway to layer an encrypted messaging system on top of it.
Filters are established at your gateway, and these filters are triggered by certain tags or commands present in an email. However, the presence of protected terms can ALSO be used in this case to maximize the likelihood that encryption is used at the appropriate times. For instance, if you have a data loss prevention filter established (that’s what they’re called) to identify and encrypt social security numbers, health records or other programmatically recognizable terms, messages containing this data will be automatically encrypted.
Administrators in IT or elsewhere can also be notified when this happens, allowing them to know when protected information is leaving the organization, and potentially offering friendly reminders to employees to use encryption proactively when communicating such information.
Altogether, this system is secure because it leverages tools like SMTP over enforced TLS, with destinations using a secure data center, and information accessed via a secure, encrypted portal. This is almost foolproof in terms of preventing data from being intercepted or compromised in transmission, while also making access and review an easier part of any user’s day, since they’re already used to using email.
Some organization are willing to rely on S/MIME, PGP or TLS based encryption to meet their secure transmission requirements, but the former two are less used, and TLS is not guaranteed as it is often opportunistic in most uses of email. This means that if the receiving server won’t accept encrypted messages, TLS won’t be used. If you were to enforce TLS with every email, email would also become less usable.
Beyond the fact that regular emails are not likely to convey the effect of enhanced data protection, secure messaging services for email enforce TLS through the use of proprietary encryption portals, as mentioned above. This means that your recipient will be able to log into a secure platform, with an encrypted connection to a secure server – one that is also in a highly physically protected data center (Vircom’s email encryption service data is held at ISO 27002 standard).
What’s really the best way for businesses to manage and track their use of secure communications?
This article briefly discusses three options for secure messaging systems that could help you achieve regulatory compliance, whether for HIPAA, FINRA or other concerns. In today’s environment of security concerns, compromised accounts and data breaches, email encryption is an effective way of making existing technology work with new practices and requirements. The benefit of open and widely-adopted systems is that they’re flexible, so with solutions like email encryption, you don’t have to hide under a rock or pull out a random app when you simply want to go about your day-to-day business.
Vircom’s email encryption service offers the highest grade of encryption in transmission and at rest, along with flexible data loss prevention policies that allow you to get the most out of email while remaining compliant and secure. Contact us to discover more or provision your account to get started right away.