1051 NW 14th St., Suite 165
(UM mail routing R-26)
Miami, FL 33136
Receptionist: 305-243-6475
Hours: 8:30am - 5:00pm, M-F
Help Desk: 305-243-5999
Hours: 24/7
General fax: 305-243-6417
Admin. fax: 305-243-2622
16 July 2009
EMAIL ENCRYPTION, PHASE 2
The Technology Update of 9 April 2009 announced the first phase of email encryption. That first phase implemented encryption at the direction of the email sender, by putting “[secure]” (without the quotes) in the subject line of a message. This is called “encryption by request.”
The second phase of email encryption implements “encryption by rule.” Starting next week, email encryption will automatically occur if email content sent to an address outside UM appears to contain credit card numbers (CCNs), medical record numbers (MRNs) or social security numbers (SSNs).
What is an address “outside UM”?
Any address that does not end in “miami.edu” is considered an outside address.
There are also some email systems within the University, maintained by particular schools or departments, that are not yet part of the encryption process and so are considered “outside.” At the moment, this includes the email systems of Arts & Sciences, Business, Law and RSMAS.
What about email messages sent “inside” UM?
Correspondence between medical campus Exchange email system accounts (@med.miami.edu addresses) is always encrypted, but transparently to correspondents. The new encryption process does not affect such intra-campus emails.
Correspondence between the medical campus Exchange email systems and the primary email systems in Coral Gables also travels via an encrypted path at all times. The new process does not affect such inter-campus correspondence either. While senders will receive encryption notifications when secured messages go to another campus, recipients on these “inside” systems need do nothing new to decrypt.
How does this system know an outbound message has CCNs, MRNs or SSNs?
The encryption utility examines each outbound message, scanning for patterns of numbers and words that, according to its “rules,” suggest such content. This is similar to how the spam utility inspects inbound messages for suspicious content.
The automated encryption rules are highly accurate, but cannot be perfect. Sometimes there will be “false positives” (safe email that is encrypted). Sometimes there will be “false negatives” (email content that should be encrypted, but which the rules do not catch).
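The sketch below is an added illustration, not the encryption utility's own rules or code: it combines "encryption by request" and "encryption by rule" for outside recipients and shows how pattern rules produce both false positives and false negatives. Assumptions: the three regular expressions, the Luhn and SSN range checks, the case-insensitive subject match, the `unenrolled` parameter for internal systems not yet part of the process, and all function names are hypothetical.

```python
import re

SECURE_TAG = "[secure]"  # subject-line trigger from the announcement (matched case-insensitively: assumption)
# Assumed patterns; the real utility's rules are not given on this page.
CCN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
MRN_RE = re.compile(r"\b(?:MRN|medical record)\D{0,15}(\d{6,10})\b", re.I)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: discards digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def is_outside(address: str, unenrolled=frozenset()) -> bool:
    """Outside = domain is neither miami.edu nor a subdomain, or is an unenrolled system."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    # Match on a label boundary so a lookalike such as notmiami.edu is not treated as inside.
    inside = domain == "miami.edu" or domain.endswith(".miami.edu")
    return not inside or domain in unenrolled

def content_hits(body: str) -> set:
    """Return the kinds of sensitive-looking numbers found in the body."""
    hits = set()
    for m in CCN_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.add("CCN")
    for m in SSN_RE.finditer(body):
        area, group, serial = m.groups()
        if area not in ("000", "666") and area < "900" and group != "00" and serial != "0000":
            hits.add("SSN")
    if MRN_RE.search(body):
        hits.add("MRN")
    return hits

def decide(subject: str, recipients, body: str, unenrolled=frozenset()):
    """Return (recipients the message is encrypted for, reason)."""
    outside = [r for r in recipients if is_outside(r, unenrolled)]
    if not outside:
        return [], "inside-only"  # the rule process takes no action
    if SECURE_TAG in subject.lower():
        return outside, "by-request"
    hits = content_hits(body)
    return (outside, "by-rule:" + ",".join(sorted(hits))) if hits else ([], "no-match")
```

With these assumed rules, a part number written as `123-45-6789` triggers encryption (a false positive), while an SSN typed with spaces instead of hyphens is missed (a false negative) unless the sender adds the subject tag.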
What if I want to be sure an email message is encrypted, to avoid a “false negative”?
Put “[secure]” somewhere in the subject line, without the quotes. Remember that this addition to the subject line has no effect for recipients with medical campus email addresses or most Gables email accounts. As noted, encryption occurs automatically, but transparently, for such intra/inter-campus messages.
Consider encryption by rule as a supplement to (but not a replacement for) your own common sense. If email content is sensitive, and the message is leaving the UM environment, it’s better to err on the side of safety by putting “[secure]” in the subject line to trigger encryption for those outside recipients.
What content is “sensitive” enough to require encryption?
In general, you should consider any information about the operations of the University to be sensitive, whether it be about clinical, research, educational or administrative activities. Health, education or financial information that is associated with identifiable persons is considered particularly sensitive, and protected by a medley of federal and private requirements (e.g., FERPA, GLBA, HIPAA, PCI).
You can read the UM Data Classification Policy for guidance on data sensitivity. If you’re not sure about what qualifies as sensitive data in your work environment, ask your supervisor.
What do recipients have to do to “un-encrypt” my message?
The first time correspondents outside UM receive an encrypted email, they will have to register with the encryption utility, a process that includes creating a CaneID. For subsequent messages, the recipient will have to enter the CaneID and password to un-encrypt.
Most people find the un-encryption process easy, but not everyone. You can send correspondents these printable instructions (or the link to this video) if additional information is needed.
How will I know that encryption of my email has occurred?
You will receive an email notification indicating that your outbound message has been encrypted, specifying the recipient(s) for whom it has been encrypted. You will also receive an email notification when any outside recipient opens an encrypted message.
You can view information about the status of your encrypted messages using the “Manage Messages” section of the SecureMail utility at https://securemail.med.miami.edu/. Use your Medical ID and password to log into this utility.
SecureMail allows you to cut off recipients’ access to any encrypted message at any time if it is no longer appropriate. This feature also makes it possible to terminate access to any message sent to an incorrect address.
What’s coming next for email encryption?
The encryption utility can build rules based on words from a dictionary that indicate message content might be sensitive, such as a “HIPAA dictionary” of medical terms. In the next phase of email encryption, we will enable rules based on such dictionary values.
Dictionary-based rules are temperamental. Small changes can dramatically affect the balance between false positives and false negatives. So Medical and Coral Gables IT are doing extensive testing to determine the appropriate settings before implementing this next phase.
More information
- UM Data Classification Policy
- External standards: FERPA, GLBA, HIPAA, PCI
- SecureMail Instructions for Recipients (PDF)
- SecureMail Instructions for Recipients (video)


