9 April 2009

Encrypting your email

Encryption of email containing sensitive information is becoming a standard security procedure.  UM policies for email will soon require encryption for email messages with sensitive or confidential content.  

Correspondence between medical campus Exchange email system accounts (@med.miami.edu addresses) is always encrypted.   However, content sent to email addresses outside the campus is not automatically encrypted; you must take action as described below if you want to encrypt such messages.

What content is "sensitive" enough to require encryption?

In general, you should consider any information about the operations of the University to be sensitive, whether it be about clinical, research, educational or administrative activities.  Health, education or financial information that is associated with identifiable persons is considered particularly sensitive, and protected by an alphabet soup of federal and private requirements (e.g., FERPA, GLBA, HIPAA, PCI).

You can read the UM Data Classification Policy for guidance on data sensitivity.   If you’re not sure about what qualifies as sensitive data in your work environment, ask your supervisor.

How do I tell Exchange that I want a message encrypted?

Insert "[secure]" in the subject line, without the quotes, as in the example to the right.   Any recipient with an address external to the medical campus Exchange system will receive an encrypted copy of that message.

Note that this addition to the subject line has no effect for recipients with medical campus Exchange accounts.  Encryption occurs automatically for them (but transparently, so you don’t notice it).
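As an added illustration, not the university's own gateway code, the rule described above can be modelled as a small policy check: recipients on the medical campus domain are left to transport encryption, external recipients get an encrypted copy only when the subject carries the tag, and a @miami.edu alias on an untagged sensitive message is flagged because it may forward outside UM. The domain constants and the alias warning are assumptions for the example.

```python
import re
from email.utils import getaddresses

# Constructed placeholder configuration; the real gateway settings are not on the page.
INTERNAL_DOMAIN = "med.miami.edu"          # medical campus Exchange accounts
OTHER_UM_DOMAINS = {"miami.edu"}           # UM aliases that may forward to external systems
SECURE_TAG = re.compile(r"\[secure\]", re.IGNORECASE)   # tag is matched case-insensitively


def recipient_domain(addr: str) -> str:
    """Return the lower-cased domain part of a bare address ('' if malformed)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def route_message(subject: str, to_header: str):
    """Classify each recipient in a To: header the way the subject-line rule works.

    'internal' = medical campus Exchange account (encrypted in transit anyway),
    'encrypt'  = external address and the subject carries [secure],
    'plain'    = external address, no tag.
    Returns (decisions, warnings); warnings list untagged UM aliases.
    """
    tagged = bool(SECURE_TAG.search(subject or ""))
    decisions, warnings = {}, []
    for _display_name, addr in getaddresses([to_header]):   # handles "Name <addr>" forms
        if not addr:
            continue
        dom = recipient_domain(addr)
        if dom == INTERNAL_DOMAIN:
            decisions[addr] = "internal"
            continue
        decisions[addr] = "encrypt" if tagged else "plain"
        if dom in OTHER_UM_DOMAINS and not tagged:
            warnings.append(f"{addr}: UM alias may forward externally; consider tagging [secure]")
    return decisions, warnings


def sender_notification(decisions) -> str:
    """Text of the notice the sender receives: which recipients got an encrypted copy."""
    encrypted = sorted(a for a, d in decisions.items() if d == "encrypt")
    return "Encrypted for: " + ", ".join(encrypted) if encrypted else "No recipients were encrypted"
```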

What do recipients have to do to "un-encrypt" my message?

The first time a correspondent receives an encrypted email from the medical campus system, they will have to register their email address with the encryption utility, a process that includes creating an access password.  For subsequent messages, the recipient will have to enter the password to un-encrypt.

Most people find the un-encrypt process easy, but not everyone.  You can send correspondents these instructions if additional information is needed.

How will I know that encryption has occurred?

You will receive an email notification message indicating that an outbound message has been encrypted, and indicating the recipient(s) for whom it has been encrypted.  You will also receive an email notification when any recipient opens an encrypted message.

You can view information about the status of your encrypted messages using the "Manage Messages" section of the SecureMail utility at https://securemail.med.miami.edu/

SecureMail allows you to cut off recipients’ access to any encrypted message at any time, if it is no longer appropriate.  This feature makes it possible to terminate access to any message sent to an incorrect address.

Medical campus emails are encrypted, but do I need to encrypt email that goes to a UM address at another campus?

This is a harder question.   In general, UM addresses are safe destinations because email is encrypted as it travels between campuses and within the major UM email systems.  However, not all UM email systems are encrypted.  Also, many people use @miami.edu email aliases that forward email to external systems.

As a general rule, if the information seems particularly sensitive, encrypt it until you can confirm that the addresses at the other campus are secure.

What about email traveling to other health or education facilities?

In general, any message with sensitive content that is going to an external address should be encrypted.

Can email encryption be made automatic?

We currently rely on the sender's judgment about the sensitivity of content.  We are testing automated rules that examine the message content and encrypt it if a critical level of apparently sensitive information is detected.

More information