Sending Sensitive Patient Data via E-mail

Foto-StudOnBy Dr. Andreas Detterbeck

The communication between clinicians via E-mail is fast, easy, cheap and widely used. But sending an unencrypted E-mail is as safe as sending a postcard. So, numerous parties have full access to E-mail-correspondence at all time. Violations against the patient privacy could cause dramatic consequences – depending on national laws, some of these solutions may even result in prosecution of the clinician (see HIPAA).

There are many commercial solutions to encrypt your communication, but if you are firm and experienced in using computers – you should at least know how to download and install software – there is no need to rely on any company. You don’t have to worry about high fees or losing your correspondence if your preferred encryption-business crashes. In this blog I want to suggest a few ways how to encrypt your E-mail communication easily and (almost) free of charge:

screenshot

Encryption of E-mail Communication by S/MIME
If I don’t want that my mails can be read by anyone except the receiver of the mail I have to convert the text in some sort of coded or encrypted form. Because it is not easy to invent an encryption of your own and sharing that idea with your communication partner a standardized tool would be very helpful. And this is where the Secure/Multipurpose Internet Mail Extensions (S/MIME) come in: S/MIME offers encryption and signing of E-mails in a standardized and reproducible way. Most current E-mail programs and free Webmail providers support this process.

Subsequent I will give a step by step introduction how to implement S/MIME in your mailing process:

  1. First of all you have to make sure you are using an E-mail program with S/MIME support (Mozilla Thunderbird, Microsoft Outlook and many more)
  2. Next you have to buy or even just create a certificate from a big commercial or non-commercial certification authority (CA). You may find some references here.
  3. Now comes the hardest step – but don’t worry you’re almost done:
    Deposit this personal-certificate in your E-mail program with S/MIME support. This process is very different depending on which program is used. Here are two useful how-to-links for the most common software:

Microsoft Outlook
Mozilla Thunderbird

  1. Users who have completed these steps are then ready to send digitally signed E-mails and receive encrypted messages (You sign a message when you want to prove that the mail comes from you and no modification of the text has been done during the transit).
  2. If users want to send encrypted E-mails of their own – and not only receiving encrypted mails – the receiver needs to have an S/MIME certificate, too.

For security reasons, your user certificate will normally remain valid for one or two years and is available from the CA for a small fee or even free of charge.

Conclusion
Maybe you think this sounds all strange to me and way too much work is required. There has to be an easier, less cumbersome solution.

But we don’t have the easy solution yet.

Of course you can pay a company for securing and encrypting your communication, but what happens if the company is insolvent or they decide to wind down the operations. What happens to your documents? There are providers that will allow you access to your data, but this may not be the case for all providers, so make sure this is the case before you sign up.

For use in daily clinical practice, I definitely recommend E-mail encryption by S/MIME. It is an IT standard since 1995 and a long term support is presumably. At least the corresponding doctors should have any form of secure communication.

Do not forget: The use of cryptography before sending patient data via E-mail is mandatory! If you are not sure how to encrypt your E-mail communication it is better to relinquish sending private patient data via the internet.

This blog-entry is based on:

Electronic transfer of sensitive patient data.
Detterbeck A, Kaiser J, Hirschfelder U.
Int J Comput Dent. 2015;18(1):45-57.
http://www.ncbi.nlm.nih.gov/pubmed/25911828

Leave a Reply

Your email address will not be published.

By submitting this form, you accept the Mollom privacy policy.