Sending Cleartext IM and Email Is *NOT* Secure Even If Your Doc Says It Is…Part 1

I got some interesting comments and questions, and lots of good direct feedback, about my blog post on sending cleartext patient information last week, “HIPAA: Beware Doctors Who Claim They Don’t Have To Follow Safeguard and Privacy Requirements” so I wanted to take this opportunity to discuss the topic a little more.

The bottom-line take-away from that post was that sending sensitive information (such as patient information, credit cards, financials, etc.) in clear text through the Internet (or any other open network) puts that information at risk.
It does not matter whether or not the professional (doctor/lawyer/accountant/whatever) the patient or customer is communicating with is covered by any law (HIPAA/GLBA/FTC Act/whatever) that governs how the data must be protected. The customer's or patient's cleartext sensitive data is vulnerable to many different threats regardless of whether such laws exist.
Just because a professional does not have (or believes s/he does not have) a law that requires him/her to protect customer/patient information does not mean that s/he does not need to protect customer/patient data!
Here are just a few of the threats to clear text information that is sent via IM and email messages, and related issues:
1) Messages stored on the senders' and recipients' mail servers may be vulnerable depending upon the security (or lack of it) within that mail system.
Just because the professional claims s/he has a secure system does not protect the information in the message if the patients'/customers' systems are not secured. Many people use IM and email accounts whose messages are stored on the provider's (e.g., AOL, Microsoft, Google, etc.) central server, and the messages are often not stored on the recipient's local drive at all. This means that anyone with access to that messaging server, such as the systems administrators, the super users, the account admins, the help desk, any other authorized user, or someone doing any type of surveillance under the guise of any of the 34 or so laws modified by the USA PATRIOT Act, can potentially read those messages.
Occurrences of insiders (these folks with the authorized access) getting into email and IM subscribers' accounts have been widely reported. I have posted about the insider threat many times, such as here, here and here. (Do a search on "insider threat" on this blog and you'll see more.)
You can see more about the significance of the insider threat in many places, such as here, here, and here, just to provide a few examples. If people can access your IM and email messages in storage, they can do bad things with the information in them.
2) A large and growing number of people read their email and send IMs in public places using public and shared computers.
Not only are the messages likely stored locally somewhere on the public computer, but it is common for criminals who want other people's sensitive information to "shoulder surf"…watch the computer screens, capture the sensitive information, and then go do bad things with it. Anyone using a public computer after someone has shared sensitive information via email or IM on it will likely be able to see that information if the previous person did not knowingly and explicitly take actions to remove the data.
It is a reality that the average computer user does not realize this. And, if a doctor/lawyer/accountant/whomever tells them, “Don’t worry; your information you share with me via email or IM is safe,” then the patient/customer *will think it is safe…even on their computer*!!
Making such statements is misleading to customers and patients. If an organization or a professional tells customers or patients that their information will be secured, when in fact it likely will *not* be secured because of the mode and method used to transfer and/or store it, then the FTC can determine that the organization is engaging in unfair and deceptive business practices. The FTC has reached this ruling many times before for organizations that made such broad security promises and then had bad things happen to the information. Just look through the case decisions at the FTC site to see how many actions were brought against companies that assured customers their data was secured throughout the messaging lifecycle when in fact there were huge vulnerabilities.
It is important to note the FTC considers misleading customers and patients regarding security an offense even if no incident actually occurred. You can read more about this here.
3) Messages can be intercepted while in transit using relatively simple methods.
Can you tell if an email has been intercepted? Typically not; there is usually no audit trail generated for intercepted messages.
It is similar to someone on the other side of the grocery aisle overhearing you speaking on your phone while you are saying your social security number (SSN). Can that person then take your SSN and do bad things with it that harm you? Of course! However, if they do you will not have any evidence that they obtained your SSN by listening to your phone conversation…you did not see them listening.
In the grocery store this type of overhearing occurs incidentally all the time. Listening in on the Internet is done purposefully, typically by people looking for information they can exploit or otherwise use to their advantage. Interception of any one message may be unlikely given the millions of messages being sent every second, but it is still possible. Don't let a doctor/lawyer/accountant/whomever tell you that it is not.
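One check a practitioner can run on the "was it cleartext in transit?" question is to read the Received headers that each mail server stamps onto a message: per RFC 3848 the "with" clause names the protocol, and ESMTPS (or ESMTPSA) means that hop used TLS, while plain ESMTP or SMTP means it did not. The script below is an added example written for this post, not code from the original, and the message it parses is a constructed sample with made-up hosts and IDs, not a real email. It reports which hops carried the message in the clear.

```python
import email
import re

# "with" keywords from RFC 3848 and the IANA "WITH protocol types" registry.
# A trailing S means the hop was protected by TLS; a trailing A means the
# sender authenticated. Only the TLS property matters for this check.
TLS_WITH_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                     "UTF8SMTPS", "UTF8SMTPSA"}

_FROM_RE = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)
_BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
_WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.IGNORECASE)

# Constructed sample (hostnames, addresses and IDs are invented): the first
# hop, from a clinic workstation to the clinic's relay, is plain ESMTP; the
# second hop, relay to the patient's provider, is ESMTPS (TLS).
SAMPLE_RAW = (
    "Received: from relay.clinic.example ([192.0.2.10])\n"
    "\tby mx.provider.example with ESMTPS id 1a2b3c\n"
    "\tfor <patient@provider.example>; Mon, 1 Jan 2007 10:00:01 -0500\n"
    "Received: from pc17.clinic.example ([198.51.100.7])\n"
    "\tby relay.clinic.example with ESMTP id 4d5e6f;\n"
    "\tMon, 1 Jan 2007 10:00:00 -0500\n"
    "From: doctor@clinic.example\n"
    "To: patient@provider.example\n"
    "Subject: Your lab results\n"
    "\n"
    "(constructed body; imagine a diagnosis and an SSN here)\n"
)


def parse_hops(raw_message):
    """Return the delivery hops in chronological order.

    Each hop is a dict with the sending host, the receiving host, the
    protocol keyword and whether that keyword denotes TLS. Servers prepend
    their Received header, so the list is reversed to read first hop first.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        flat = " ".join(value.split())  # collapse header folding
        from_m = _FROM_RE.search(flat)
        by_m = _BY_RE.search(flat)
        with_m = _WITH_RE.search(flat)
        proto = with_m.group(1).upper() if with_m else "UNKNOWN"
        hops.append({
            "from": from_m.group(1) if from_m else "?",
            "by": by_m.group(1) if by_m else "?",
            "protocol": proto,
            "tls": proto in TLS_WITH_KEYWORDS,
        })
    return hops


def cleartext_hops(raw_message):
    """Hops whose Received header does not claim TLS (cleartext or unknown)."""
    return [h for h in parse_hops(raw_message) if not h["tls"]]


if __name__ == "__main__":
    for i, hop in enumerate(parse_hops(SAMPLE_RAW), start=1):
        state = "TLS" if hop["tls"] else "CLEARTEXT"
        print(f"hop {i}: {hop['from']} -> {hop['by']} "
              f"with {hop['protocol']} [{state}]")
```

Two caveats belong with this check. Received headers are written by the receiving server and any upstream hop can forge or omit them, so a missing ESMTPS is strong evidence of cleartext transit but its presence is not proof of end-to-end protection. And the check says nothing about threats 1 and 2 above: a message that was encrypted on every hop still sits in cleartext on the provider's server and on whatever public computer it was read from.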
4) The doctors/lawyers/accountants/whomever are putting *themselves* at risk by making security assurances to their customers and patients by telling them that sending email and IM is a secure way to send sensitive information.
I am not a lawyer, but in conversations with some Internet-savvy lawyers they indicate that making such claims could possibly be considered an implicit, or even explicit, contract, depending upon how the security assurance is made, and especially if the professional has a posted privacy policy.
If a professional makes a stated assurance that sensitive data will be secure if transmitted via email, IM or any other way, and the sensitive data is subsequently exploited, misused, posted publicly, used for fraud or crime, or suffers any other bad outcome, then the possibility exists that the professional could have action brought against him or her for breach of contract, or worse. Even if the bad things happened on the customer/patient end, if the customer/patient could show that they believed from the assurances that the sensitive information would be safe when shared with the professional, the professional could be found at fault. This would be a great conversation to have with your own lawyer.
More to come…
This is probably a big enough chunk of information to provide at one time, so I will follow up this post with a Part 2 post covering a few more risks, along with links to some very good papers and research on the risks of email and IM (there are many).
For now, though, the issue really is not about HIPAA; we can all debate about the benefits and flaws that exist in that behemoth legislation! Do a search for HIPAA on this blog and you will see I have a large share of gripes with it myself…particularly about the non-enforcement issues.
The point is this: sending cleartext personally identifiable information (PII), or any other information that you find sensitive and would not want others to see, including any health related information, within IM and email messages is leaving your PII and other private information vulnerable to many, many threats.
If a professional tells you that sending your PII and other sensitive information is secure and assures you that no bad things will happen, ask him/her to put it in writing. Make him or her clearly accountable for the security of your PII. It would also be good to ask him/her for a copy of his/her last objective security review and/or risk assessment.
