SMTP TLS vs Secure Message Pick Up: Which is Better for HIPAA?

November 12th, 2014

There are many methods for sending an email message securely. These generally vary in terms of the degree of security vs how easy they are to set up and use. The two most common email encryption methods include:

  • SMTP TLS: Encrypting the message only while it is transmitted between the sender’s and the recipient’s servers. See: SMTP TLS: All about secure email delivery over TLS. Note that SMTP TLS is only supported by some email service providers.
  • Secure Message Pickup: Sending the recipient an email notice with a link. The recipient clicks on the link and goes to a secure web site to authenticate and access the message. (LuxSci calls this method “Escrow”). Secure Message Pickup allows one to send a secure message to anyone.

Other methods, such as PGP and S/MIME, are also in wide use. However, these require a lot more setup and collaboration between the sender and recipient. The above two methods are most commonly used for sending messages to people that you have not otherwise communicated with.

So, which is better? How does that answer change when HIPAA compliance is involved?

TLS vs Pick Up Compared

                                                    SMTP TLS   Secure Message Pick Up
Message Content Transmitted Securely to End User?   Yes        Yes
Message Content Encrypted at Rest?                  No         Yes
End User’s Identity Verified?                       No         Yes
Simple: Just like regular email?                    Yes        No
Extra work for the recipient?                       No         Yes

In both cases, the message is transported to the recipient securely. In one case, it goes to the recipient’s email servers via TLS. In the other, it goes to the recipient over SSL.

However, Secure Message Pick Up is more secure as the message contents are encrypted all the time (at least until the recipient downloads and saves a copy) and the pick up system can verify the recipient’s identity before allowing access to the message content. With SMTP TLS, the message sits in the recipient’s INBOX unencrypted and accessible to anyone with access to that email folder.

SMTP TLS does have the advantage of being simple. For the recipients, it works just like regular email. They receive messages in their INBOXes and open them without ever needing to know or care that they were encrypted along the way (they can check, if they want). However, to many people, this extreme simplicity is a disadvantage. Lay people can’t tell that the message was delivered securely and they may thus be worried about the privacy of the contents.

It is really true that SMTP TLS is less secure, as anyone with access to the recipient’s email folders (e.g. their email service provider, their spouse, etc.) can access the message content and those accesses are generally not even logged.

People often choose to use SMTP TLS when possible for its convenience (recipients may be annoyed having to click on a link in order to get their message); or, they choose Secure Message Pickup when added security features are desired.

What does HIPAA Say?

HIPAA requires that ePHI be transmitted securely. It does not require that it be encrypted at rest (though that is often a good idea). HIPAA also requires access control and tracking when people in your organization access ePHI.

Technically, using only SMTP TLS is Ok (barely) under HIPAA when sending to recipients outside of your organization:

  1. The message will be transmitted securely
  2. Once the message is accepted by the recipient’s servers, further securing the message can be considered the recipient’s (or their organization’s) responsibility. Meaning: you do not technically have to be overly concerned about access control and logging beyond the fact that you sent the message to the correct address.

When sending ePHI to someone in your organization, you do have to worry about the recipient.

  1. Your organization must be using a HIPAA-compliant email service
  2. You do have to worry about who can access that email and the tracking of user logins.
  3. TLS is still “OK” as long as your email service provider takes care of the rest.

To “TLS” or not to “TLS”

So, TLS is “Ok” and works for recipients whose email servers support it. But is it “wise”?  This is the subject of much debate.

There are those who use just SMTP TLS whenever they can because that is simplest for the recipient. When things are simpler for your customers, you make more money.

Then, there are those who are concerned about some combination of the facts that with TLS:

  1. The recipient can’t (easily) tell the message is secure and thus can’t tell that the sender cares to protect the email.
  2. The data is not encrypted at rest and access to it is not proactively controlled once it lands in the recipient’s INBOX.

The feeling is that if the sender works harder to secure the message content beyond the threshold of doing the “minimum possible” then that shows a higher level of security and engenders more trust from the end user. It also protects the sender much more against any kind of breach or other issue on the recipient’s side coming back to bite the sender in some way.

In the end, it is up to the individual organization where they stand on the security vs usability spectrum. HIPAA does not mandate one or the other. However, if there is a breach and the data was not encrypted at rest, HIPAA does assign much more liability to those involved.

If you ask us for advice, we would recommend:

  1. Using TLS for internal communications and communications with partners and organizations that you know are also HIPAA compliant
  2. Using Escrow (Secure Message Pickup) for messages to everyone else.
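As an added example (not LuxSci’s code), here is how a sending system could apply the recommendation above in Python: check whether the recipient’s mail server actually advertises STARTTLS, deliver over enforced TLS only to domains you have listed as known-compliant partners, and fall back to a pickup notice for everyone else. The sample EHLO responses, the domain names and the `choose_delivery`/`send_with_mandatory_tls` functions are constructed for illustration.

```python
import smtplib
import ssl

# Constructed sample EHLO responses (not captured from any real server).
EHLO_WITH_STARTTLS = (
    "250-mx.partner.example Hello\r\n250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n250 SMTPUTF8\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mx.other.example Hello\r\n250-SIZE 10485760\r\n250 8BITMIME\r\n"
)


def ehlo_extensions(ehlo_text):
    """Return the set of SMTP extension keywords advertised in a raw EHLO
    response. The first 250 line is the server's greeting, not an extension."""
    lines = [ln for ln in ehlo_text.replace("\r\n", "\n").split("\n") if ln]
    exts = set()
    for ln in lines[1:]:
        if len(ln) >= 4 and ln[:3] == "250" and ln[3] in "- ":
            words = ln[4:].split()
            if words:
                exts.add(words[0].upper())
    return exts


def choose_delivery(recipient, ehlo_text, known_compliant_domains):
    """Route per the article's advice: direct TLS delivery only to a domain you
    know is HIPAA compliant AND whose server advertises STARTTLS; otherwise
    send a Secure Message Pickup (escrow) notice instead."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in known_compliant_domains and "STARTTLS" in ehlo_extensions(ehlo_text):
        return "tls"
    return "pickup"


def send_with_mandatory_tls(host, sender, recipient, message):
    """Deliver over SMTP without ever falling back to plaintext. An
    opportunistic sender would continue in the clear when STARTTLS is missing;
    here we refuse and let the caller route the message through pickup."""
    ctx = ssl.create_default_context()  # verifies certificate and hostname
    with smtplib.SMTP(host, 25, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError(f"{host} does not offer STARTTLS; use pickup instead")
        smtp.starttls(context=ctx)
        smtp.ehlo()  # re-identify over the now-encrypted channel
        smtp.sendmail(sender, recipient, message)
```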

If you want to increase your level of security even further, use TLS+S/MIME for internal communications and email to people who support it. This will ensure transport and at-rest encryption and easy access to message content in your regular email programs (which need to be set up for S/MIME and need to be configured with S/MIME keys … LuxSci has ways of offloading much of that work from you, if you are interested).