To meet the requirements set forth by HIPAA/HITECH, we've implemented rules on our email servers that facilitate the handling and encryption of emails containing sensitive information, both automatically and manually. These rules do the following:
- Watch for emails sent outside of company walls that contain potentially sensitive information (such as driver’s license numbers, SSNs, passport numbers, etc.). If this type of information is detected, a “policy tooltip” is shown to the user in Outlook informing them of it. If the email is sent as is, then depending on the type of sensitive information it contains, either:
  - the recipient receives an email with a notification and a link to the encrypted email, or
  - the recipient receives the email normally, but the sender (internally) receives an email notifying him/her that the sent email contained potentially sensitive information.
- Watch for emails whose subject line contains the word “secureit” or “confidential” (without quotes). If either word is detected anywhere in the subject, the recipient receives an email with a notification and a link to the encrypted email.
It’s important to note that the email delivered into the recipient’s inbox is not the email containing the sensitive information, but is instead a notification and link with instructions on how to access this mail item securely.
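As an added illustration (this is example code written for this page, not the actual configuration of our mail servers or of Office 365), the following Python models the decision the two rules above make for an outbound message. The regular expressions standing in for the server's sensitive-information classifiers, the internal domain `example.com`, and the action names `deliver`, `notify_sender` and `encrypt` are all assumptions chosen to mirror the text; the real classifiers are built into the mail server.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-ins for the server's sensitive information types.
# Each label maps to (pattern, action applied when the mail leaves the organisation).
# Which types encrypt versus merely notify the sender is an assumption for this example.
SENSITIVE_TYPES = {
    "SSN": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "encrypt"),
    "passport": (re.compile(r"\bpassport\s*(?:no\.?|number)?\s*:?\s*[A-Z]?\d{8,9}\b", re.I), "encrypt"),
    "driver_license": (re.compile(r"\b(?:DL|driver'?s? licen[cs]e)\s*#?\s*:?\s*[A-Z0-9]{5,12}\b", re.I), "notify_sender"),
}
SUBJECT_KEYWORDS = ("secureit", "confidential")  # the two trigger words from the page
INTERNAL_DOMAIN = "example.com"                  # assumed placeholder for "company walls"
RANK = {"deliver": 0, "notify_sender": 1, "encrypt": 2}  # stronger action wins


@dataclass
class Verdict:
    action: str                       # "deliver", "notify_sender" or "encrypt"
    findings: list = field(default_factory=list)
    policy_tip: bool = False          # whether Outlook would show the policy tooltip


def is_external(recipients):
    """True if any recipient is outside the internal domain."""
    return any(not r.lower().endswith("@" + INTERNAL_DOMAIN) for r in recipients)


def evaluate(sender, recipients, subject, body):
    """Return the rule outcome for one outbound message."""
    verdict = Verdict(action="deliver")

    # Rule 2: a keyword anywhere in the subject forces encryption, regardless of content.
    if any(k in subject.lower() for k in SUBJECT_KEYWORDS):
        verdict.action = "encrypt"
        verdict.findings.append("subject keyword")

    # Rule 1: content scanning applies only to mail leaving the organisation.
    if is_external(recipients):
        for label, (pattern, action) in SENSITIVE_TYPES.items():
            if pattern.search(body):
                verdict.findings.append(label)
                verdict.policy_tip = True
                if RANK[action] > RANK[verdict.action]:
                    verdict.action = action
    return verdict


if __name__ == "__main__":
    # Constructed sample messages, one per path through the rules.
    samples = [
        ("internal SSN", ["bob@example.com"], "Lunch", "My SSN 123-45-6789"),
        ("external SSN", ["bob@partner.test"], "Form", "My SSN 123-45-6789"),
        ("external DL", ["bob@partner.test"], "Form", "driver's license # D1234567"),
        ("keyword", ["bob@example.com"], "Re: [secureit] Q3", "numbers attached"),
    ]
    for name, to, subj, body in samples:
        v = evaluate("alice@example.com", to, subj, body)
        print(f"{name:13} -> {v.action:14} tip={v.policy_tip} findings={v.findings}")
```

Note that the keyword rule has no external-only scope in the text, so an internal message with "[secureit]" in the subject is encrypted too, while an internal message carrying an SSN is delivered normally without a policy tip.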
Let’s step through it.
1. Author your email.
First, author the email you need to send, just as you normally would. Under normal circumstances, a few moments after sensitive information is entered, your Outlook application (or the Outlook Web App) will detect the sensitivity of this information and show you a banner (the policy tooltip) informing you of this.
If you happen to be aware of sensitive information in your email, but Outlook does not appear to detect it automatically, simply putting the word “secureit” anywhere in the subject line (for example, appending “[secureit]” to the end of the subject) will indicate that the email should be encrypted, and our mail server will do so.
2. Hit Send.
Once you’re ready, hit send. At this point, our email server will encrypt the message and deliver to the end recipient an email instructing them how to access it. At no point is the email, or the potentially sensitive information within it, stored on the recipient's mail server or in their email application. To view the information, they will need to follow the instructions sent to them in place of your email, which guide them into the secure environment provided by Office 365 (below).
3. Sip your coffee.
Your recipients now receive an email informing them of the encrypted email waiting for them, complete with instructions and an HTML attachment used to access it.
Opening the HTML attachment presents the user with options to prove their identity in order to access the message.
Typically, users will choose the one-time passcode option, which we recommend, as it works with any other email system/provider. Clicking this option prompts the user for the passcode.
At this point, the user checks their inbox, enters the code sent to them in the Passcode field, and clicks send. Because the code is sent to the original recipient's mailbox, this ensures that the person opening the encrypted email is the original recipient, rather than someone the message was forwarded on to.
If the code matches what was sent, the recipient is finally shown the email in a familiar, intuitive Outlook Web Access or Outlook.com-like interface.
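To make the passcode step concrete, here is an added example (written for this page; it is not Office 365's implementation) of a minimal server-side one-time passcode service. It shows why the code proves the reader is the original recipient: the code is generated per message, delivered only to the address the message was sent to, expires after a window, is single-use, and locks after repeated wrong guesses. The 15-minute lifetime, the 5-attempt limit, the `outbox` list standing in for the mail sender, and all names are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 15 * 60  # assumed validity window for a passcode
MAX_ATTEMPTS = 5            # assumed number of wrong guesses before the code is discarded


@dataclass
class Challenge:
    message_id: str
    recipient: str
    code: str
    expires_at: float
    attempts: int = 0
    used: bool = False


class PasscodeService:
    """Issues and verifies one-time passcodes bound to a message and its intended recipient."""

    def __init__(self, intended_recipients, now=time.time):
        self._intended = intended_recipients   # message_id -> address the message was sent to
        self._now = now                        # injectable clock so expiry can be tested
        self._challenges = {}                  # message_id -> Challenge
        self.outbox = []                       # constructed stand-in for SMTP: (address, code)

    def request_code(self, message_id):
        """Generate a fresh 8-digit code and send it to the intended recipient only.

        Whoever clicked the link does not get to choose the address: a forwarded
        copy still triggers delivery to the original recipient's mailbox."""
        recipient = self._intended[message_id]
        code = f"{secrets.randbelow(10**8):08d}"
        self._challenges[message_id] = Challenge(
            message_id, recipient, code, self._now() + CODE_TTL_SECONDS)
        self.outbox.append((recipient, code))
        return recipient

    def verify(self, message_id, submitted):
        """Check a submitted code; returns a status string rather than raising."""
        ch = self._challenges.get(message_id)
        if ch is None:
            return "no_challenge"
        if ch.used:
            return "already_used"
        if self._now() > ch.expires_at:
            del self._challenges[message_id]
            return "expired"
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            del self._challenges[message_id]
            return "locked"
        # Constant-time comparison so a wrong guess leaks nothing via timing.
        if not hmac.compare_digest(ch.code.encode(), submitted.strip().encode()):
            return "wrong_code"
        ch.used = True
        return "ok"


if __name__ == "__main__":
    # Constructed scenario: one encrypted message addressed to an external partner.
    svc = PasscodeService({"msg-1": "alice@partner.test"})
    addr = svc.request_code("msg-1")
    _, code = svc.outbox[-1]             # the recipient reads the code from their inbox
    print("code sent to", addr)
    print(svc.verify("msg-1", "1"))      # wrong_code
    print(svc.verify("msg-1", code))     # ok
    print(svc.verify("msg-1", code))     # already_used
```

The status strings are deliberately coarse: a client only needs to know whether to show the message, ask again, or tell the user to request a new code.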
From this web app, the recipient can reply to the encrypted message, keeping the exchange encrypted. It’s important to note, however, that messages sent back to Bedrock employees will have encryption stripped from them to ease their use, but overall message security is maintained. Once that email is replied to, it is once again encrypted.