Should You Use Encrypted Emails In Your Practice?
There are many jokes around these days like “Fax machines? Who still uses those? And why are you still using fax machines? It’s the 2020s, not the 1990s!
People who don’t use them regularly may not realize it, but there are still many places which still use fax machines today—from legal offices, to governments, and yes—doctors offices.
This is because fax machines are much more secure than electronic networks such as email.
One doctor’s office asks: As healthcare professionals, we routinely send our referring physicians a report of the patient’s progress by fax. One clinic would like us to send the reports to them using their encrypted email link instead of fax.
Can we do that?
Today we’ll look at the pros and cons of switching to encrypted email as a method to securely send personal health information and try to answer this question.
What Are The Issues With Email?
First, we need to look at regular, non-encrypted email.
Grant Dakin, President of Solid Technology Solutions reminds us:
“When it comes to sharing sensitive information via email it should always be assumed that it is insecure. Basic email is generally open text, and to many email servers out there, especially on the public side, are not setup to handle encrypted email protocols.”
Even if your email service provider offers message encryption while a message is traveling between computers, this often does not apply on either end, and the message in the outgoing sent box and incoming inbox are often left unencrypted and vulnerable.
If information is not appropriately sorted once it arrives in the recipient’s inbox, there may still be issues with storing information in your email.
If the sender and the receiver do not appropriately manage their in and out boxes to ensure that it has limited information, appropriate access to only the right persons, and has been securely deleted, you have only addressed part of the problem.
When sending information to another clinic or doctor’s office, you may ask what practices does the other clinic have for storing information?
The same questions are important for patients as well:
- Does the patient have access to a computer where they can download information?
- Are they using a personal computer or an employer’s computer?
- Do they have a secure place to access the information?
These are all things which need to be taken under consideration before you send personal information by email in your healthcare practice.
Why Are Some People Switching to From Faxing?
So, a referring partner who typically sends the consultation report to you by fax now wants to send it to you by encrypted email.
It’s not uncommon for places to want to upgrade their technology.
Fax machines can be large and clunky, and using encrypted email for consultation reports, referral requests, and more can be attractive to streamline operations. Many people feel that fax machines are obsolete. In early March of 2021, the Government of Ontario announced it would phase out its use of all fax machines by the end of the year.
However, there isn’t a common alternate communication standard across healthcare, private, and public users that is as common as the fax machine.
There have also been numerous privacy breaches in healthcare related to improper use of fax machines. For example, in the Ontario Information and Privacy Commissioner’s 2020 Annual Report, the IPC found that, in 2020 about 58 per cent of breaches experienced by health information custodians were caused by misdirected faxes.
How Does Encrypted Email Work?
Encrypted email works using an encryption key.
What is Encryption? Encryption is a method to disguise a message into a secret code. Only the people that have the ‘key’ to the secret code can un-scramble the message so that it can be read.
In order to use them, both the sender and the receiver need to have a key—the sender uses it to encrypt the message before sending it, and the receiver needs a key to decipher the message.
Grant Dakin explains: “Encrypted email services are a third-party service that will securely store the message, typically a secure web page, until a verification process is completed. This is key. The recipient needs to prove their identity to be able to view the message. At minimum, this can be a username / password challenge using a verified recipient owned email address. When possible, it is recommended to have multifactor authentication (MFA) employed. The use of MFA is dictated by compliance requirements, the type of information and your user base.”
This might seem overly complicated if you’re not used to using encryption services, which may not be an issue when sending information to another clinic, especially if they’re the ones who suggested using encrypted email.
When it comes to sending information to patients, especially those who aren’t very tech savvy, you need to consider if encrypted email is the right option.
Things to Consider When Implementing Encrypted Email
If you’re considering implementing encrypted email into your practice, you’ll want to first do a risk assessment, which should include:
- Discussions with IT vendor / Managed Service Provider
- Assess the reputation of the encryption vendor
- Does the encrypted email meet industry compliance requirements?
- Review your existing policies and procedures
- Update those policies and procedures as required
- Approval from Privacy Officer / Custodian / CEO
- Prepare / update your privacy impact assessment (PIA)
- Training for your staff on how to use the encryption software
- Is there a verification process to ensure that the right person is viewing / accessing the information?
- Verify that there are encryption protocols being used (If retrieving from a browser, verify that there is a valid SSL certificate)
For further guidance on choosing an encrypted email service, Grant Dakin offers the following:
“When looking for an encrypted email service, be certain that the service provider can demonstrate compliance. Most third-party providers base their compliance on HIPAA, which is a US based compliance, but it is very much in line with Alberta's Health Information Act (HIA) and our various Privacy Acts. For us, at SolidTech, the most common encrypted email service provider that we deploy would be Microsoft 365, which is HIPAA / HIA compliant, providing it is set up properly.”
Consider also that if you send information via encrypted email, there will probably be a learning curve for the receiver of the information as well. You may want to offer a basic outline to patients who opt to receive email this way about how it all works.
It may seem surprising at how much time it takes to appropriately and correctly implement an email encryption service in your healthcare practice. But if you will “axe the fax” and discontinue the use of a fax machine, you need to complete a risk assessment and plan an alternate solution.
What Else Can I Use, Instead of Encrypted Email?
If you aren’t ready to make the jump to encrypted email systems but want to get away from using fax machines in your practice, there are alternatives to encrypted email to consider.
Some of these include:
- Portals from electronic medical record (EMR) systems
- Sharing networks
- Secure messaging
PrescribeIT® enables prescribers to electronically transmit a prescription directly from an electronic medical record (EMR) to the pharmacy management system (PMS) of a patient’s pharmacy of choice. See the blog post, “Using PrescribeIT To Streamline Your Workflow”.
Any changes to how you send personal information, whether to patients or other clinics can’t just be a unilateral decision on your part.
Just because you’re ready to make a change, it doesn't mean that the recipients are ready to receive it in that way. You must communicate with your partners and patients about your plans and ensure everyone is on board.
Furthermore, it’s always good to have a business continuity plan in case your chosen method ceases to work as expected.
I’m Ready To Implement Encrypted Email—What’s Next?
If you think encrypted email might be the right choice for your practice, you might wonder, “What next?”
Getting started with a change like this may seem overwhelming, but you don’t have to do it alone.