Taking the Mystery Out of Encrypted Email to Reach Compliance
14 January 2017 | Compliance
By Ted Hebert | Director Digital Marketing at GlobalSign
When first hearing of encrypted email years ago, what came to mind were networks of nefarious spies, lurking in the shadows with secret decoder rings and a briefcase full of decryption codes, ready to save or topple a newly digital world, already teetering on the precipice of disaster.
Today, it should bring to mind only sunshine and rainbows in the land of compliance for desktop and mobile email.
Why the dramatic change in thinking? Acceptance and adoption. We now accept and expect that there are “nefarious” types out there who want to get into our corporate and private email systems, networks and devices. And with that acceptance, we are learning to adopt leading technologies and solutions to combat attempted cyber misdeeds and keep networks in check with compliance regulations; effortlessly, systematically and automatically.
S/MIME to the Rescue
Secure/Multipurpose Internet Mail Extensions (S/MIME) protocols are used today to provide message integrity, authentication, privacy via data encryption and non-repudiation via digital signatures.
Huh? Translation: Digital encryption is the preferred method to securely transmit electronic mail, as it requires a public and private key pair (and sometimes a certified Digital Signature) to get, move and use that electronic communication. Suffice it to say that S/MIME (Email Encryption, along with Digital Signatures for good measure) is what helps organizations be compliant, as it protects against phishing and data loss across both desktop and mobile devices.
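To make the four guarantees above concrete, here is an added example (not code from the original post or from GlobalSign) that signs, verifies, encrypts and decrypts a message with the openssl CLI. It assumes openssl 1.1 or later is on PATH; the certificates are constructed self-signed throwaways, so the signer's chain is not validated (-noverify), whereas a real deployment verifies against the issuing CA.

```shell
#!/bin/sh
# Added example, not the post's own code. Exercises S/MIME signing
# (integrity, authentication, non-repudiation) and encryption (privacy)
# with openssl. Assumes openssl 1.1+ on PATH. Identities are constructed
# self-signed certs, so chain validation is skipped with -noverify.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed throwaway identities: Alice (sender/recipient), Bob (outsider)
for who in alice bob; do
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$who/emailAddress=$who@example.com" \
    -keyout "$who.key" -out "$who.crt" 2>/dev/null
done
printf 'Patient record attached.\n' > msg.txt

# Sign with Alice's key: multipart/signed message whose clear-text body is
# covered by a detached CMS signature (-text adds the text/plain MIME header).
sign_msg()    { openssl smime -sign -text -in msg.txt -signer alice.crt \
                  -inkey alice.key -out signed.eml; }
# Verify a signed message file; exits 0 only if the body still matches
# what Alice signed (signer cert is embedded in the message).
verify_msg()  { openssl smime -verify -text -in "$1" -noverify \
                  -out /dev/null 2>/dev/null; }
# Encrypt to Alice's public key; -binary keeps the input bytes unchanged.
encrypt_msg() { openssl smime -encrypt -binary -aes256 -in msg.txt \
                  -out enc.eml alice.crt; }
# Attempt decryption with a given cert/key pair; prints plaintext on success.
decrypt_msg() { openssl smime -decrypt -in enc.eml -recip "$1" -inkey "$2" \
                  2>/dev/null; }

sign_msg
verify_msg signed.eml          # aborts under set -e if the signature is bad
echo "signed message verifies"
# Integrity: change one word of the clear-text body after signing
sed 's/attached/ATTACHED/' signed.eml > tampered.eml
if verify_msg tampered.eml; then echo "BUG: tampered message verified"; exit 1
else echo "tampered message rejected"; fi

encrypt_msg
echo "alice decrypts: $(decrypt_msg alice.crt alice.key)"
# Privacy: Bob's key is not a recipient, so decryption must fail
if decrypt_msg bob.crt bob.key >/dev/null; then echo "BUG: bob decrypted"; exit 1
else echo "bob cannot decrypt"; fi
```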
There are many reasons today (unfortunately) that we need full-scale adoption of S/MIME in any small business or global enterprise, top of which are security regulations and privacy requirements in almost every industry. In the US, there is a veritable “alphabet soup” of government and business regulations that mandate the safe transmission and storage of data; from SarbOx (Sarbanes-Oxley Act, passed by U.S. Congress in 2002 to protect investors from the possibility of fraudulent accounting activities by corporations), to HIPAA (Health Insurance Portability and Accountability Act, passed by US Congress in 1996 for the protection of workers' and families' health coverage and personal privacy). Just these two US regulations alone have required millions of IT hours over the past 15+ years to reach only the most basic of technology compliance mandates. GDPR is an example of new regulation in the European community as it relates to privacy and data protection, and it is governed by ENISA (see more below).
S/MIME for HIPAA
Featured this month at GlobalSign, we’ll be talking about S/MIME (Encrypted Email and Digital Signatures) and how easy it is now to adopt this technology throughout your organization. And no matter if your business has HIPAA, GDPR or other regulatory data compliance requirements, this will be important for everyone to know.
“Hey, how do I know if we have HIPAA requirements?” We’re glad you asked. HIPAA regulations apply to “covered entities” and everyone touching Protected Health Information (PHI).
“What’s a covered entity?” you ask? Covered Entities include health plans, health care clearinghouses, and health care providers.
Also included could be any other entity or service provider that they and/or their data come in contact with (see the HITECH additions and the Omnibus Rule for some further light reading!). So basically, law firms, accountants, insurance companies, state and local agencies, and any other entity that comes in contact with a covered entity or its protected health information is subject to HIPAA regulations. How’s that for scarily comprehensive?
Compliance Regulations in Europe
In Europe there are similar regulatory compliance mandates governed by the European Union Agency for Network and Information Security (ENISA), a center of network and information security expertise for the EU, its member states, the private sector and Europe’s citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security for nearly every industry, including health care.
Think you might fall into that “compliance” mandate list in the US or Europe? Read on.
S/MIME On Your Security To-Do List
If you haven’t already, you will want to scratch encrypted email certificates for desktops and mobile devices off of your security to-do list soon, no matter what country you are in. For many, it became a mandate long ago. For others still putting it off, the time is now.
Check out how easily a Michigan health services provider is automating email certificate management today, from desktop to mobile.
It’s really not complicated and, when automated, is a huge time and cost saver. Today, S/MIME Email Encryption Certificates get millions of networks into regulatory compliance (HIPAA, ENISA, GDPR and more) by helping to seamlessly protect against phishing and data loss across both desktop and mobile devices. Keep in mind that, as a best practice, the Email Certificate management platform should be intuitive and easy to navigate, with automation and provisioning options that make it easy to quickly deploy certificates with minimal involvement needed from the end users. For a detailed summary of S/MIME benefits and best practices, please see the S/MIME White Paper.
Naturally, you will not become a HIPAA or other regulatory compliance expert yourself any time soon (although some in the IT profession have, whether they liked it or not), but you do have alternative resources you can rely on to help you ascertain compliance with regard to email and other technology within your infrastructure. In addition to outside compliance consultants you can contact yourself, getting on board with S/MIME Email Encryption is a great first step that nearly every organization should be taking.
Stay tuned to this blog in the new year for further details on comprehensive and highly scalable PKI management related topics, including managed SSL, implementing digital signatures, and how to ensure your entry into the “Internet of Things” is safe and secure in 2017 and beyond.