Mon, 20 Mar 2017 Frequently Asked Questions

Secure Email (PHI, PCI-DSS, PII, and more)
Sample Policy for Transmission of Protected Information
CheckTLS Whitelist IP Addresses and Domain Names

Mon, 20 Mar 2017 HIPAA eMail

QUESTION: Can you tell me in simple terms about HIPAA secure email, and especially how CheckTLS could help me do HIPAA compliant secure email?

You can safely and legally use email to send sensitive information including ePHI (Protected Health Information, or colloquially "HIPAA data"), ePCI (Payment Card Information), ePII (Personally Identifiable Information), or any other information that should be kept confidential.

All you have to do is encrypt the data. Encrypting data makes it extremely hard for anyone other than the intended recipient to read it.

There are four ways to encrypt your email:

  • add a device in-line with your outgoing and/or incoming email server(s)
  • route your email from and to an on-line email service
  • switch your email to an on-line email service
  • use TLS with your existing email

These each have their pros and cons.

In-line devices have to be purchased ($$), configured, installed, maintained, and monitored. If (when?) they fail, you have to route around them until they get fixed.

On-line filters have a monthly fee ($) and have to be configured, and the traffic to/from them has to be protected (encrypted) as well. If (when?) they fail, they are typically fixed before you have to route around them.

Switching your email to a good on-line email service is a very good option. Google "HIPAA email provider" for a list of hundreds of options. On-line email does cost a monthly fee ($), you have to protect (encrypt) your connection to them, and they are not as easy as using Outlook directly on your PC/MAC.

Or you can use your existing email system. It's probably using encryption already, or can be easily told to do so.

Almost every email system today supports TLS email encryption. The US government says email is HIPAA compliant if it does TLS encryption.

So all you have to do is make sure your email system:

  • can do TLS
  • has TLS turned on
  • uses TLS consistently

One quick test can tell you if your email has TLS turned on for receiving email, and one quick test can tell if your email has TLS turned on for sending email.

If you have TLS and it's working, you can meet a HIPAA requirement with a security policy (next FAQ question below) that includes regular email security audits and CheckTLS monitoring of your TLS email.

Similar to financial auditing that uses statistical sampling to verify large numbers of documents (invoices, payments, transactions), you can have a sufficiently high level of confidence in your email security with regular email security verification.

And while it is possible to use CheckTLS for free to meet your HIPAA (or other) email security requirement, it is much easier with a CheckTLS subscription. With a subscription, we can help you set up regular email testing and email monitoring.


Mon, 20 Mar 2017 Sample Policy for Email Transmission of Protected Information

QUESTION: You say I can use CheckTLS to meet HIPAA and other security requirements instead of using email encryption devices or third party email security services. How do I do that?

TLS is sufficient (see the previous FAQ). If it is working for you, you just need to be sure it keeps working. You can do that by following an email security policy that calls for regular audits of TLS operation and use, and on-going monitoring of TLS operation.

You can start with the following:

Policy for Email Transmission of Protected Information

[define Protected Information here if not defined elsewhere]

Email may be used to transmit Protected Information as long as the communication is protected by Transport Layer Security implemented per NIST Special Publication 800-52: Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations at https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/nist80052.pdf?language=es

To assure that Protected Information is communicated securely, YOURCOMPANY verifies that:

  • a new trading partner will receive email compliant with NIST guidelines before communicating any PI
  • the partner continues to receive email compliant with NIST guidelines
  • YOURCOMPANY continues to receive email compliant with NIST guidelines
  • YOURCOMPANY continues to send email compliant with NIST guidelines

NOTE: it is the partner's responsibility to verify that they send email compliant with NIST guidelines

Before communicating any Protected Information with a new trading partner, YOURCOMPANY will assure the partner's email system has a CheckTLS.com Confidence Factor of 90 or above. Confidence Factors are retrieved at http://www.checktls.com/TestReceiver.

YOURCOMPANY maintains a list of all trading partners with which it exchanges PI, and it monitors [weekly] the Confidence Factors of those trading partners. Any change in a partner's Confidence Factor creates a problem ticket in YOURCOMPANY's ticketing system for further action.

YOURCOMPANY monitors [weekly] its own email system Confidence Factor, and any change creates a problem ticket for further action.

YOURCOMPANY monitors [weekly] its own system for SENDING email to verify that TLS is properly configured and operable. Any issues found by this monitoring create a problem ticket for further action.

YOURCOMPANY's auditors check the accuracy of the list of trading partners and a selection of the periodic monitoring reports, and they verify that any changes were properly reported and remediated.
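A worked check, added here and not part of the CheckTLS site or its tools, that covers both the "one quick test" for receiving-side TLS in the previous FAQ and the weekly monitoring steps in the policy above: it inspects whether a receiving mail server offers STARTTLS and completes a certificate-verified handshake at TLS 1.2 or newer, then compares each trading partner's result with a stored baseline and emits a ticket line for every change. The partner names, EHLO replies and baseline values are constructed; the TLS 1.2 floor is an assumption (set it to the minimum your policy adopts from NIST SP 800-52); and the locally recorded fields stand in for, rather than reproduce, the CheckTLS Confidence Factor. Sending-side verification is not covered because it needs a cooperating receiving endpoint, which is what the CheckTLS sender test provides.

```python
"""Receiving-side STARTTLS check with change monitoring.

Added example, not CheckTLS code. Host names, partner names, EHLO replies
and baseline values are constructed; the TLS 1.2 floor is an assumption.
"""
import json
import smtplib
import ssl

# Fields whose change should open a problem ticket (assumed stand-ins for a
# Confidence Factor; they do not reproduce CheckTLS's scoring).
TRACKED = ("starttls_offered", "tls_version", "cert_verified")


def parse_ehlo(ehlo_response: bytes) -> dict:
    """Read a raw EHLO reply (with its '250-' prefixes) and report whether
    STARTTLS is among the advertised extensions."""
    extensions = set()
    lines = ehlo_response.decode("ascii", errors="replace").splitlines()
    for line in lines[1:]:                 # lines[0] is the server greeting
        tokens = line[4:].split()          # drop the '250-' / '250 ' prefix
        if tokens:
            extensions.add(tokens[0].upper())
    return {"starttls_offered": "STARTTLS" in extensions}


def check_receiver(host: str, port: int = 25, timeout: float = 15) -> dict:
    """Live check of one receiving mail server (needs network access).

    Connects, asks for STARTTLS, and insists on a certificate that verifies
    for the host name and on a protocol version of TLS 1.2 or newer."""
    result = {"host": host, "starttls_offered": False, "tls_version": None,
              "cert_verified": False, "error": None}
    ctx = ssl.create_default_context()            # verifies chain and host name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumed policy floor
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            result["starttls_offered"] = smtp.has_extn("starttls")
            if result["starttls_offered"]:
                smtp.starttls(context=ctx)        # raises if verification fails
                result["tls_version"] = smtp.sock.version()
                result["cert_verified"] = True
    except (OSError, smtplib.SMTPException) as exc:
        result["error"] = type(exc).__name__
    return result


def snapshot(result: dict) -> dict:
    """Keep only the tracked fields so results can be compared week to week."""
    return {key: result[key] for key in TRACKED}


def evaluate(current: dict, baseline: dict):
    """Apply the sample policy's rules and return (tickets, new_baseline).

    current:  {partner: snapshot from this run}
    baseline: {partner: snapshot from the previous run}
    A partner not yet in the baseline must pass the onboarding check; an
    existing partner opens a ticket on any change; a partner that dropped
    off the list is flagged so the partner list stays accurate."""
    tickets = []
    for name, now in current.items():
        previous = baseline.get(name)
        if previous is None:
            if not (now["starttls_offered"] and now["cert_verified"]):
                tickets.append(f"{name}: new partner fails TLS onboarding check {now}")
        elif now != previous:
            tickets.append(f"{name}: changed from {previous} to {now}")
    for name in sorted(baseline.keys() - current.keys()):
        tickets.append(f"{name}: in baseline but no longer on the trading partner list")
    return tickets, current


# Constructed EHLO replies, not captured from any real server.
EHLO_WITH_STARTTLS = (b"250-mx.partner-a.example Hello\r\n"
                      b"250-SIZE 52428800\r\n"
                      b"250-STARTTLS\r\n"
                      b"250 HELP\r\n")
EHLO_WITHOUT_STARTTLS = (b"250-mx.partner-b.example Hello\r\n"
                         b"250-SIZE 52428800\r\n"
                         b"250 HELP\r\n")


if __name__ == "__main__":
    # Constructed last-week baseline and this-week results; for a live run use
    # snapshot(check_receiver("mx.partner-a.example")) for each partner instead.
    last_week = {"partner-a": {"starttls_offered": True,
                               "tls_version": "TLSv1.2", "cert_verified": True}}
    this_week = {"partner-a": {"starttls_offered": False,
                               "tls_version": None, "cert_verified": False},
                 "partner-b": {"starttls_offered": True,
                               "tls_version": "TLSv1.3", "cert_verified": True}}
    tickets, new_baseline = evaluate(this_week, last_week)
    for ticket in tickets:
        print("TICKET:", ticket)
    print(json.dumps(new_baseline, indent=2))  # persist as next week's baseline
```

Running the file as-is prints one ticket for partner-a (its STARTTLS disappeared) and none for partner-b (a new partner that passes onboarding), then the JSON that becomes next week's baseline. Wiring the output into a ticketing system and keeping the baseline in version control gives the auditors the trail the policy's last paragraph asks for.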


Mon, 20 Mar 2017 CheckTLS Whitelist

Add the following IP addresses and domain names to any network filters and/or domain Whitelists at your site.

IP Address Range: 216.68.85.112-115 (216.68.85.112/30 or 216.68.85.112/255.255.255.252)
Domain Names: CheckTLS.com and *.CheckTLS.com

Adding our IP address range to any network filters makes sure our tests are able to do the testing you request from our site. Our tests are non-invasive, non-intrusive, and non-obtrusive. They require no changes to your or any other system. They cause no extra processing and should not trip any security alarms.

Adding our domain to any Whitelists also makes sure our tests can do the testing you request, and it also makes sure any results we email to you get through to you and don't end up in a junk folder or thrown away.
