Is email ever 100% safe for transferring sensitive information?
There is a great deal of confusion regarding encrypted email and what this actually means, particularly if you are considering using email to contact dental patients or perhaps transferring information to other dentists.
There are different elements to consider before making a decision about this, which we’ll explain below, but ultimately you will see that unless you have access to a specialist “end-to-end” system such as the NHS email services, or use encryption tools at both the sender’s and the recipient’s end, then no system is entirely safe.
That said, robust email may still be appropriate for transferring some types of information as long as your risk-assessments and due diligence are in place and suitable.
The route an email takes is the key to understanding why email is generally not considered to be 100% secure for the most sensitive types of data transfer. When email is sent across the Internet, it passes through multiple stations (mail servers) between sender and recipient. Even where your dental email system supports encryption from your PC to the email server, in many cases the email is then decrypted when it reaches that server. It may be encrypted again before it is sent on to the recipient’s system, but equally it may not be if the recipient’s email connection is not encrypted. Whilst many are, there is still no guarantee that your recipient is using an encrypted connection, and ultimately it is unlikely that you will ever be able to control this fully.
So even if you are doing as much as you can to ensure security, you can’t control the last link in the chain, where your messages may be transmitted in readable (unencrypted) form. Whilst interception is highly unlikely, it is still possible.
Many emails are decrypted when they reach the email server and then re-encrypted before onward transfer (as long as the downstream connection supports encryption – see above). However, some systems also provide “at rest” encryption, where the emails remain encrypted while they are stored on the server awaiting onward delivery. This is an additional level of security, but it still doesn’t mean that you have full “end-to-end” encryption in place – simply because you still can’t guarantee the downstream links in the overall process. This is important to understand if your IT supplier is trying to switch you to a service which does provide at-rest encryption. Even if it does, it still doesn’t necessarily satisfy the full equation – as they say, a chain is only as strong as its weakest link, and at-rest encryption doesn’t solve that – i.e. the recipient’s connection could still be unencrypted. So think twice before switching email services.
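One practical way to see the chain described above is to read the Received: headers of a message that has already arrived: each server in the chain adds one, and the “with” keyword records whether that particular link used TLS (ESMTPS/ESMTPSA) or plain SMTP. The script below is an added example, not code from the original article or from any email provider; the message it parses is constructed for illustration, with made-up hostnames in the reserved .example domain and documentation IP ranges. It lists every hop in travel order and flags the links that were not encrypted. Two caveats a practitioner should keep in mind: a Received: line only describes the transport into the server that wrote it, so it says nothing about whether the message was stored encrypted (“at rest”) on that server; and these lines are written by each receiving server in turn, so only the ones added by servers you operate are authoritative.

```python
"""Audit the Received: chain of an email to see which hops were TLS-protected."""
import re
from email import message_from_string

# Constructed sample message (not a real capture). Received: lines are
# newest-first: the top one was added by the final server in the chain.
SAMPLE_MESSAGE = """\
Received: from mail.practice-mta.example (mail.practice-mta.example [192.0.2.10])
  by mx.recipient.example with ESMTP id 7Hx2Q; Mon, 3 Jun 2024 09:14:02 +0000
Received: from relay.provider.example (relay.provider.example [198.51.100.5])
  by mail.practice-mta.example with ESMTPS
  (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384) id a1b2c3;
  Mon, 3 Jun 2024 09:14:01 +0000
Received: from [203.0.113.7] (client.practice.example [203.0.113.7])
  by relay.provider.example with ESMTPSA id x9y8z7; Mon, 3 Jun 2024 09:14:00 +0000
From: reception@practice.example
To: referrals@recipient.example
Subject: Referral
Content-Type: text/plain; charset="utf-8"

Referral details attached.
"""

# RFC 3848 "with" keywords: a trailing S means the session was TLS-protected,
# a trailing A means the client authenticated (so ESMTPSA = TLS + auth).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

HOP_RE = re.compile(
    r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+)"
    r"(?:.*?\bwith\s+(?P<proto>[A-Za-z0-9]+))?",
    re.IGNORECASE,
)


def parse_hops(raw_message):
    """Return the hops oldest-first, each recording whether its link used TLS."""
    msg = message_from_string(raw_message)
    hops = []
    # Reverse so the list reads in the order the message actually travelled.
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())  # unfold header continuation lines
        m = HOP_RE.search(text)
        if not m:
            continue
        proto = (m.group("proto") or "").upper()
        hops.append({
            "src": m.group("src"),
            "dst": m.group("dst"),
            "protocol": proto or "unknown",
            # No "with" keyword at all is treated as not encrypted.
            "encrypted": proto in TLS_PROTOCOLS,
        })
    return hops


def plaintext_links(hops):
    """Hops whose transport was not TLS-protected: the weak links in the chain."""
    return [h for h in hops if not h["encrypted"]]


def fully_encrypted_in_transit(raw_message):
    """True only if the message has hops and every recorded hop negotiated TLS."""
    hops = parse_hops(raw_message)
    return bool(hops) and not plaintext_links(hops)


if __name__ == "__main__":
    for h in parse_hops(SAMPLE_MESSAGE):
        state = "TLS" if h["encrypted"] else "PLAINTEXT"
        print(f"{h['src']:>30} -> {h['dst']:<28} {h['protocol']:<8} {state}")
    print("fully encrypted in transit:", fully_encrypted_in_transit(SAMPLE_MESSAGE))
```

Run against the constructed message, the first two links (PC to provider relay, relay to the practice’s outbound server) show as TLS, while the final delivery into the recipient’s mail exchanger used plain ESMTP: exactly the “last link” the article says you cannot control. Pasting the raw headers of a real message you have received from a referral partner into SAMPLE_MESSAGE shows the same picture for that route.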
What can you do to guarantee security?
This is a tricky one and frankly very difficult to solve. There are services which offer full end-to-end encryption, for example sending from one NHS address to another. There are other systems where the sender and recipient both have to subscribe to the same encryption service and use another method of communication, e.g. a text message, to pass encryption passwords to each other – so not really ideal and far from seamless. However, this may be viable if you have defined contacts which you use regularly, e.g. passing information between a GDP (general dental practitioner) and a referral specialist. In that scenario, though, you may be better off using a fully secure referral platform – please contact us for details about such systems.
Above I’ve tried to illustrate why the vast majority of email systems cannot be deemed to be 100% secure, simply because you typically cannot control all links of the communication chain. However, it is also worth noting that many dentists do still use email and rely on risk assessment to show that their systems are as secure as practically possible, e.g. use of a service which complies with ISO 27001 secure data management practices, implementation of encrypted connections which they can control, etc. Whether this remains robust in the face of an audit is debatable. Whilst if you follow good practice of this type it is unlikely that your mail could be compromised, if you are uncertain, you should use another form of communication, particularly if you are transmitting personally identifiable data of a sensitive nature.
If you would like to discuss email systems for dentists or encryption more generally, please get in touch with the Dental Media team on 01332 672548.