One of my friends has the following “signature” attached to all his outgoing emails:
The materials in this message are private and may contain Protected Healthcare Information. If you are not the intended recipient, be advised that any unauthorized use, disclosure, copying or the taking of any action in reliance on the contents of this information is strictly prohibited. If you have received this email in error, please immediately notify the sender via telephone or return mail.
I’ve seen messages like this many, many times, and I feel like they really highlight a major problem with email. This message is like someone putting a sign outside of a window that says “Warning: You are not allowed to look in this window, and if you do, forget what you see immediately.” Does that message do any good at all? It almost makes you want to look in the window more, doesn’t it?
The following is the first post in a series entitled, “Securing your Email.” I’ll start the series by highlighting the dangers of insecure email and why this topic is important. Once I’ve got you convinced that every email you’ve ever read is a fraud, I’ll use the rest of the series to outline many different options you have to address the problems.
In case you are unaware, email is an inherently insecure form of communication. If you don’t know a lot about how web servers and the Internet work, that might not be terribly intuitive, so let’s start off with a pretty good analogy. Let’s pretend there’s no such thing as email. You work from home, and you need to send your boss a fairly important message with some sensitive information in it. It’s brief, so you just grab a pencil and jot your thoughts down on the back of a postcard and stick it out in your mailbox by the curb for the postal carrier to pick up. Pretty soon afterwards the message gets picked up, and it makes its way through various post offices and into your boss’s mailbox a while later.
Ignoring how slow things went, that still probably sounds like a pretty dumb way to send an important message. Unfortunately, it’s a pretty good description of how email works. To get a better picture of why it’s dumb, let’s examine some of the security flaws present in a system like the one described above. First, you left the message in your mailbox unattended. Anyone walking down the street could just open up the box and read what you wrote. Considering the message contains sensitive information, you probably don’t want just anyone to read it. More importantly, if the person had a pencil they could easily erase what you wrote and replace it with something else.
You also place an inherent trust in the postal system. If the message you’re sending truly contains sensitive information, you need to have it available in a form that only the intended recipient can read. Then, even if someone steals your letter, at least you won’t have to worry about private information getting out.
Finally, once your boss receives the message, there is no way for him or her to verify that you actually wrote it. Did the person who opened your mailbox change what you wrote? Did someone from a competing company send your boss false information under your name? The information is highly suspect unless your boss can verify that you were the original author and that the message hasn’t been altered since you sent it.
If you’ve made it this far, you may be asking yourself whether any of this is even relevant to you. Maybe you don’t make it a habit of emailing people sensitive information, but I would bet that you’re mistaken. A lot of seemingly harmless information in the wrong hands could be used to do a lot of damage. Plus,what if a criminal tried to impersonate you for their own gain? Don’t your friends and colleagues deserve to know that you actually wrote the words they’re reading? The same applies to emails you receive from your friends and colleagues. Maybe you don’t think that anyone would ever waste their time reading, copying or altering your private emails. There are a lot of good reasons why criminals would want to do this, however. The most obvious would be to make money at your expense. Plus, some of these security flaws could be used to get you into a lot of trouble at work. Is that something you want to risk?
The rest of the posts in this series will outline both simple and more complicated steps you can take to secure your email. Since my original reason for these posts was to address email security for health care providers, I’ll include a post that demonstrates how the health care community could begin implementing more secure email today. Hopefully this analogy has taught you something about the emails you read every day. Check out the rest of the entries in the days to come, and leave comments if you have questions or think I’m wrong about something!