O365 and encrypted mail to other email systems

scottalanmiller

@Dashrender said in O365 and encrypted mail to other email systems:

Yes I understand all the other stated things, but they don't matter, sadly - only the audit matters.

In that case your question should be worded around that specific context. The issue at hand is not security, email or encryption. It's tricking a lawyer who is unethically doing a job far over his head.

scottalanmiller

@TAHIN said in O365 and encrypted mail to other email systems:

This compares to something like Barracuda Mail Encryption. It's shining point isn't really around mail in transit, but mail at rest at the destination.

No, that doesn't hold up. Encryption at rest is yet a third issue. Both of these mechanisms decrypt along the chain. Only the recipient, literally only they, can decide to be encrypted at rest. That's never something that you can force. You can force it on the sender's side, and this isn't doing that here. But you have to trust the recipient to store it in an encrypted fashion and... none will.

TAHIN

@Dashrender see my note above regarding compliance. You can compare it to FAX.
If I send PHI over fax to a fax machine in a remote location, it is the responsibility of the remote party to keep it secure.

scottalanmiller

@TAHIN said in O365 and encrypted mail to other email systems:

That said, there is no requirement, HIPAA or PCI or otherwise, that places the burden of safety of that email in your hands. Once it's over the wire encrypted, it's no longer your problem.

Exactly, offer it to them securely, after that, it is ALL their problem.

Dashrender

@TAHIN said in O365 and encrypted mail to other email systems:

That said, there is no requirement, HIPAA or PCI or otherwise, that places the burden of safety of that email in your hands. Once it's over the wire encrypted, it's no longer your problem. But I do understand it's value; we used Barracuda email encryption whenever we would (be forced to) send PHI to another doctor office.

Interesting - I'll agree that it's not my concern about the PHI after it's received, but you can't ensure that all data being sent to other email servers is being sent over TLS short of disabling your server's ability to send except over TLS. And while I agree that the failure rate would be low, it's no lower than the desire from my management to be able to send 500 MB files over email to people. So the failure rate is there, and will be noticed and problematic.

But then also comes the part when the first time some one is sued because you emailed their PHI to them, and they didn't secure it, and because it was sitting unencrypted in their easy to guess gmail account - the courts will sadly rule against us saying that we're the ones with the money so we should be the ones making sure they secure their shit.. SIGH

coliver

@Dashrender said in O365 and encrypted mail to other email systems:

But then also comes the part when the first time some one is sued because you emailed their PHI to them, and they didn't secure it, and because it was sitting unencrypted in their easy to guess gmail account - the courts will sadly rule against us saying that we're the ones with the money so we should be the ones making sure they secure their shit.. SIGH

Is there precedence for this? I've never heard of this.

Dashrender

@coliver said in O365 and encrypted mail to other email systems:

@Dashrender said in O365 and encrypted mail to other email systems:

But then also comes the part when the first time some one is sued because you emailed their PHI to them, and they didn't secure it, and because it was sitting unencrypted in their easy to guess gmail account - the courts will sadly rule against us saying that we're the ones with the money so we should be the ones making sure they secure their shit.. SIGH

Is there precedence for this? I've never heard of this.

No, not yet... I was simply ranting

Dashrender

@TAHIN said in O365 and encrypted mail to other email systems:

@Dashrender see my note above regarding compliance. You can compare it to FAX.
If I send PHI over fax to a fax machine in a remote location, it is the responsibility of the remote party to keep it secure.

See my reply/rant

TAHIN

@scottalanmiller I might understand the O365 offering wrong then. I thought it was like

1. Sender chooses to encrypt via 3rd party O365 service.
2. Email sends securely over TLS. The recipient receives a link.
3. Recipient clicks link, verifies their identity via a MS account, and can interact with the email in the cloud. The email contents never touch their local email service.

scottalanmiller

@Dashrender said in O365 and encrypted mail to other email systems:

@TAHIN said in O365 and encrypted mail to other email systems:

That said, there is no requirement, HIPAA or PCI or otherwise, that places the burden of safety of that email in your hands. Once it's over the wire encrypted, it's no longer your problem. But I do understand it's value; we used Barracuda email encryption whenever we would (be forced to) send PHI to another doctor office.

Interesting - I'll agree that it's not my concern about the PHI after it's received, but you can't ensure that all data being sent to other email servers is being sent over TLS short of disabling your server's ability to send except over TLS. And while I agree that the failure rate would be low, it's no lower than the desire from my management to be able to send 500 MB files over email to people. So the failure rate is there, and will be noticed and problematic.

You think that the failure rate of a system like this will be lower? Guess who can't open these emails... anyone. Because it's a separately encrypted system. You are going to have so many people pissed off because you are withholding their personal data until they set up accounts with some third party who controls their data. That's going to be a much bigger issue, I guarantee it.

And ensuring secure deliver is zero concern to you. Offering it is all that you care about.

scottalanmiller

@Dashrender said in O365 and encrypted mail to other email systems:

But then also comes the part when the first time some one is sued because you emailed their PHI to them, and they didn't secure it, and because it was sitting unencrypted in their easy to guess gmail account - the courts will sadly rule against us saying that we're the ones with the money so we should be the ones making sure they secure their shit.. SIGH

Then you sue them, not they sue you. They are the ones violating PHI, not you.

If you have this concern, why not force TLS? When do you want to send when TLS is off... that's the real question?

TAHIN

@Dashrender said in O365 and encrypted mail to other email systems:

But then also comes the part when the first time some one is sued because you emailed their PHI to them, and they didn't secure it, and because it was sitting unencrypted in their easy to guess gmail account - the courts will sadly rule against us saying that we're the ones with the money so we should be the ones making sure they secure their shit.. SIGH

In all honesty I don't think that could ever happen. The judge would be putting unlawful burden on an organization and the appeal would last about 3 minutes.

scottalanmiller

@TAHIN said in O365 and encrypted mail to other email systems:

@scottalanmiller I might understand the O365 offering wrong then. I thought it was like

1. Sender chooses to encrypt via 3rd party O365 service.
2. Email sends securely over TLS. The recipient receives a link.
3. Recipient clicks link, verifies their identity via a MS account, and can interact with the email in the cloud. The email contents never touch their local email service.

Yeah... this works great as long as both parties are on O365 and, my understanding is, if they are that there is no additional security here actually and it is all smoke and mirrors because it is all automated by the system leaving the email just as exposed as if we had never done this. In cases where we actually encrypt where TLS didn't exist, the user almost certainly does not have a Microsoft account and instead of sending them their data we've are forcing them to sign up with a third party vendor who is holding their data until they get them as a customer (even if only as a free one.)

scottalanmiller

@TAHIN said in O365 and encrypted mail to other email systems:

@Dashrender said in O365 and encrypted mail to other email systems:

But then also comes the part when the first time some one is sued because you emailed their PHI to them, and they didn't secure it, and because it was sitting unencrypted in their easy to guess gmail account - the courts will sadly rule against us saying that we're the ones with the money so we should be the ones making sure they secure their shit.. SIGH

In all honesty I don't think that could ever happen. The judge would be putting unlawful burden on an organization and the appeal would last about 3 minutes.

Exactly. This isn't a realistic thing to say. If this was, in any way, a concern, you'd have never allowed a fax machine to be plugged in. If you have one plugged in, and I know that you do, then there is no way you can say that you have this concern because using a fax gives people a legitimate claim to a lawsuit... this does not.

Dashrender

@scottalanmiller said in O365 and encrypted mail to other email systems:

@TAHIN said in O365 and encrypted mail to other email systems:

This compares to something like Barracuda Mail Encryption. It's shining point isn't really around mail in transit, but mail at rest at the destination.

No, that doesn't hold up. Encryption at rest is yet a third issue. Both of these mechanisms decrypt along the chain. Only the recipient, literally only they, can decide to be encrypted at rest. That's never something that you can force. You can force it on the sender's side, and this isn't doing that here. But you have to trust the recipient to store it in an encrypted fashion and... none will.

Eh? That's not how I understand how it works - most systems, the way I have seen it work, work as you mentioned - think GPG/PGP, the file is encrypted by me, emailed to them, then they can enter a password to open the file. Opening the file effectively takes it out of email. The original file inside email is still encrypted, unless the end user removes it from email and puts the unencrypted version back into their own system, therefore you'll still have email encrypted at rest.

But even this solution is different from how Zix worked a few years ago. The whole email you send is captured by the ZixGateway. Now there are two options, if the receiver is a Zix user, the whole message is sent through Zix's secure connections to the other email server and delivered unencrypted (including to admins) to the end user. But, if the receiver is not a Zix user, the gateway sends a pickup notice to the receiver which is basically a web link to the gateway appliance, they user is allowed to create a logon for the first time they use the system, then they are presented the message/attachment in a secure webportal. So that's different than than the GPG/PGP model.

Now in reading the MS solution - it seems somehow weird. MS's solution works as a combination of both. The user gets an encrypted package, when they try to open it, it gets sent to an MS server where the user has to authenticate before it's decrypted. What's unknown is if the end result is a fully unencrypted message in the inbox somehow or if this is just a temporary view, kinda like the ZixGateway.

TAHIN

@scottalanmiller said in [O365 and encrypted mail to other email systems](/topic/9231/o365-and-encrypted-mail-to-other-email-the user almost certainly does not have a Microsoft account and instead of sending them their data we've are forcing them to sign up with a third party vendor who is holding their data until they get them as a customer (even if only as a free one.)

Yeah, the fact that it has to be an entire MS account on the part of the recipient would be a dealbreaker for me.

Dashrender

@scottalanmiller said in O365 and encrypted mail to other email systems:

@Dashrender said in O365 and encrypted mail to other email systems:

@TAHIN said in O365 and encrypted mail to other email systems:

That said, there is no requirement, HIPAA or PCI or otherwise, that places the burden of safety of that email in your hands. Once it's over the wire encrypted, it's no longer your problem. But I do understand it's value; we used Barracuda email encryption whenever we would (be forced to) send PHI to another doctor office.

Interesting - I'll agree that it's not my concern about the PHI after it's received, but you can't ensure that all data being sent to other email servers is being sent over TLS short of disabling your server's ability to send except over TLS. And while I agree that the failure rate would be low, it's no lower than the desire from my management to be able to send 500 MB files over email to people. So the failure rate is there, and will be noticed and problematic.

You think that the failure rate of a system like this will be lower? Guess who can't open these emails... anyone. Because it's a separately encrypted system. You are going to have so many people pissed off because you are withholding their personal data until they set up accounts with some third party who controls their data. That's going to be a much bigger issue, I guarantee it.

And ensuring secure deliver is zero concern to you. Offering it is all that you care about.

Again, I'm back to disabling my server from sending to any email server that doesn't have TLS then.

scottalanmiller

@TAHIN said in O365 and encrypted mail to other email systems:

@Dashrender see my note above regarding compliance. You can compare it to FAX.
If I send PHI over fax to a fax machine in a remote location, it is the responsibility of the remote party to keep it secure.

That's not really true. It's their responsibility after they have received it. But until then, it is yours, because you sent it wide open and until the transmission was completed you were the sole arbiter of security. Fax is the least secure, most suable transmission medium I can imagine and I've threatened my own bank with exposing my bank data for accepting faxes before.

Fax has no security and there is no burden on the recipient until so late in the process as to be pointless.

scottalanmiller

@Dashrender said in O365 and encrypted mail to other email systems:

@scottalanmiller said in O365 and encrypted mail to other email systems:

@Dashrender said in O365 and encrypted mail to other email systems:

@TAHIN said in O365 and encrypted mail to other email systems:

That said, there is no requirement, HIPAA or PCI or otherwise, that places the burden of safety of that email in your hands. Once it's over the wire encrypted, it's no longer your problem. But I do understand it's value; we used Barracuda email encryption whenever we would (be forced to) send PHI to another doctor office.

Interesting - I'll agree that it's not my concern about the PHI after it's received, but you can't ensure that all data being sent to other email servers is being sent over TLS short of disabling your server's ability to send except over TLS. And while I agree that the failure rate would be low, it's no lower than the desire from my management to be able to send 500 MB files over email to people. So the failure rate is there, and will be noticed and problematic.

You think that the failure rate of a system like this will be lower? Guess who can't open these emails... anyone. Because it's a separately encrypted system. You are going to have so many people pissed off because you are withholding their personal data until they set up accounts with some third party who controls their data. That's going to be a much bigger issue, I guarantee it.

And ensuring secure deliver is zero concern to you. Offering it is all that you care about.

Again, I'm back to disabling my server from sending to any email server that doesn't have TLS then.

That's because it's the only logical answer.

Dashrender

@TAHIN said in O365 and encrypted mail to other email systems:

@Dashrender said in O365 and encrypted mail to other email systems:

But then also comes the part when the first time some one is sued because you emailed their PHI to them, and they didn't secure it, and because it was sitting unencrypted in their easy to guess gmail account - the courts will sadly rule against us saying that we're the ones with the money so we should be the ones making sure they secure their shit.. SIGH

In all honesty I don't think that could ever happen. The judge would be putting unlawful burden on an organization and the appeal would last about 3 minutes.

I could only hope you're right. But well you know.... 'merica.